author | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
commit | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch) | |
tree | 0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /src/libcharon | |
parent | 518dd33c94e041db0444c7d1f33da363bb8e3faf (diff) | |
Imported Upstream version 5.5.0
Diffstat (limited to 'src/libcharon')
359 files changed, 12853 insertions, 4380 deletions
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index 55e6bc58b..4f3d78c6d 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -10,6 +10,7 @@ attributes/mem_pool.c attributes/mem_pool.h \ bus/bus.c bus/bus.h \ bus/listeners/listener.h \ bus/listeners/logger.h \ +bus/listeners/custom_logger.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ config/backend_manager.c config/backend_manager.h config/backend.h \ config/child_cfg.c config/child_cfg.h \ diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 9f0707813..550f6eb9c 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -154,12 +154,15 @@ AM_CPPFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" +AM_CFLAGS = \ + @COVERAGE_CFLAGS@ + AM_LDFLAGS = \ -no-undefined libcharon_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) + -lm $(PTHREADLIB) $(ATOMICLIB) $(DLLIB) $(SOCKLIB) if USE_WINDOWS libcharon_la_LIBADD += -lws2_32 diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 2ccae216e..3ea9b8089 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -284,8 +294,6 @@ host_triplet = @host@ @USE_ATTR_SQL_TRUE@am__append_146 = plugins/attr_sql @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_147 = plugins/attr_sql/libstrongswan-attr-sql.la subdir = src/libcharon -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -299,6 +307,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -336,31 +345,32 @@ am__DEPENDENCIES_1 = libcharon_la_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_7) \ - $(am__append_9) $(am__append_11) $(am__append_13) \ - $(am__append_15) $(am__append_17) $(am__append_19) \ - $(am__append_21) $(am__append_23) $(am__append_25) \ - $(am__append_27) $(am__append_29) $(am__append_31) \ - $(am__append_33) $(am__append_35) $(am__append_37) \ - $(am__append_39) $(am__append_41) $(am__append_43) \ - $(am__append_45) $(am__append_47) $(am__append_49) \ - $(am__append_51) $(am__append_53) $(am__append_54) \ - $(am__append_56) $(am__append_58) $(am__append_60) \ - $(am__append_62) $(am__append_64) $(am__append_66) \ - $(am__append_68) $(am__append_70) $(am__append_72) \ - $(am__append_73) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_79) $(am__append_81) \ - $(am__append_83) $(am__append_85) $(am__append_87) \ - $(am__append_89) $(am__append_91) $(am__append_93) \ - $(am__append_95) $(am__append_97) $(am__append_99) \ - $(am__append_101) $(am__append_103) $(am__append_105) \ - $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) $(am__append_123) \ - $(am__append_125) $(am__append_127) $(am__append_129) \ - $(am__append_131) $(am__append_133) $(am__append_135) \ - $(am__append_137) $(am__append_139) $(am__append_141) \ - $(am__append_143) $(am__append_145) $(am__append_147) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__append_7) $(am__append_9) \ + $(am__append_11) $(am__append_13) $(am__append_15) \ + $(am__append_17) $(am__append_19) $(am__append_21) \ + $(am__append_23) $(am__append_25) $(am__append_27) \ + $(am__append_29) $(am__append_31) $(am__append_33) \ + $(am__append_35) $(am__append_37) $(am__append_39) \ + $(am__append_41) $(am__append_43) 
$(am__append_45) \ + $(am__append_47) $(am__append_49) $(am__append_51) \ + $(am__append_53) $(am__append_54) $(am__append_56) \ + $(am__append_58) $(am__append_60) $(am__append_62) \ + $(am__append_64) $(am__append_66) $(am__append_68) \ + $(am__append_70) $(am__append_72) $(am__append_73) \ + $(am__append_74) $(am__append_76) $(am__append_78) \ + $(am__append_79) $(am__append_81) $(am__append_83) \ + $(am__append_85) $(am__append_87) $(am__append_89) \ + $(am__append_91) $(am__append_93) $(am__append_95) \ + $(am__append_97) $(am__append_99) $(am__append_101) \ + $(am__append_103) $(am__append_105) $(am__append_107) \ + $(am__append_109) $(am__append_111) $(am__append_113) \ + $(am__append_115) $(am__append_117) $(am__append_119) \ + $(am__append_121) $(am__append_123) $(am__append_125) \ + $(am__append_127) $(am__append_129) $(am__append_131) \ + $(am__append_133) $(am__append_135) $(am__append_137) \ + $(am__append_139) $(am__append_141) $(am__append_143) \ + $(am__append_145) $(am__append_147) am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ attributes/attributes.h attributes/attribute_provider.h \ attributes/attribute_handler.h attributes/attribute_manager.c \ @@ -747,6 +757,7 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \ plugins/xauth_noauth plugins/resolve plugins/attr \ plugins/attr_sql tests +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -778,6 +789,7 @@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -827,6 +839,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -861,6 +874,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -972,6 +986,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -1112,12 +1127,15 @@ AM_CPPFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" +AM_CFLAGS = \ + @COVERAGE_CFLAGS@ + AM_LDFLAGS = \ -no-undefined libcharon_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la -lm \ - $(PTHREADLIB) $(DLLIB) $(SOCKLIB) $(am__append_4) \ + $(PTHREADLIB) $(ATOMICLIB) $(DLLIB) $(SOCKLIB) $(am__append_4) \ $(am__append_7) $(am__append_9) $(am__append_11) \ $(am__append_13) $(am__append_15) $(am__append_17) \ $(am__append_19) $(am__append_21) $(am__append_23) \ @@ -1233,7 +1251,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -2231,6 +2248,8 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-ipseclibLTLIBRARIES +.PRECIOUS: Makefile + daemon.lo : $(top_builddir)/config.status diff --git a/src/libcharon/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c index 833c3e950..a2b7c2803 100644 --- a/src/libcharon/attributes/mem_pool.c +++ b/src/libcharon/attributes/mem_pool.c 
@@ -142,7 +142,7 @@ static host_t* offset2host(private_mem_pool_t *pool, int offset)
 {
 	chunk_t addr;
 	host_t *host;
-	u_int32_t *pos;
+	uint32_t *pos;
 
 	offset--;
 	if (offset > pool->size)
@@ -153,11 +153,11 @@ static host_t* offset2host(private_mem_pool_t *pool, int offset)
 	addr = chunk_clone(pool->base->get_address(pool->base));
 	if (pool->base->get_family(pool->base) == AF_INET6)
 	{
-		pos = (u_int32_t*)(addr.ptr + 12);
+		pos = (uint32_t*)(addr.ptr + 12);
 	}
 	else
 	{
-		pos = (u_int32_t*)addr.ptr;
+		pos = (uint32_t*)addr.ptr;
 	}
 	*pos = htonl(offset + ntohl(*pos));
 	host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0);
@@ -171,7 +171,7 @@ static host_t* offset2host(private_mem_pool_t *pool, int offset)
 static int host2offset(private_mem_pool_t *pool, host_t *addr)
 {
 	chunk_t host, base;
-	u_int32_t hosti, basei;
+	uint32_t hosti, basei;
 
 	if (addr->get_family(addr) != pool->base->get_family(pool->base))
 	{
@@ -189,8 +189,8 @@ static int host2offset(private_mem_pool_t *pool, host_t *addr)
 		host = chunk_skip(host, 12);
 		base = chunk_skip(base, 12);
 	}
-	hosti = ntohl(*(u_int32_t*)(host.ptr));
-	basei = ntohl(*(u_int32_t*)(base.ptr));
+	hosti = ntohl(*(uint32_t*)(host.ptr));
+	basei = ntohl(*(uint32_t*)(base.ptr));
 	if (hosti > basei + pool->size)
 	{
 		return -1;
@@ -634,7 +634,7 @@ static private_mem_pool_t *create_generic(char *name)
  */
 static u_int network_id_diff(host_t *host, int hostbits)
 {
-	u_int32_t last;
+	uint32_t last;
 	chunk_t addr;
 
 	if (!hostbits)
@@ -705,7 +705,7 @@ mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to)
 {
 	private_mem_pool_t *this;
 	chunk_t fromaddr, toaddr;
-	u_int32_t diff;
+	uint32_t diff;
 
 	fromaddr = from->get_address(from);
 	toaddr = to->get_address(to);
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 53ded6be7..e17d629d2 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -688,7 +688,7 @@ METHOD(bus_t, child_rekey, void,
 }
 
 METHOD(bus_t, children_migrate, void,
-	private_bus_t *this, ike_sa_id_t *new, u_int32_t unique)
+	private_bus_t *this, ike_sa_id_t *new, uint32_t unique)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index b6757b140..305cbe4ae 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -101,9 +101,13 @@ enum alert_t {
 	/** received IKE message with invalid body, argument is message_t*,
 	 * followed by a status_t result returned by message_t.parse_body(). */
 	ALERT_PARSE_ERROR_BODY,
-	/** sending a retransmit for a message, argument is packet_t, if the message
-	 * got fragmented only the first fragment is passed */
+	/** sending a retransmit for a message, arguments are packet_t and number
+	 * of the retransmit, if the message got fragmented only the first fragment
+	 * is passed */
 	ALERT_RETRANSMIT_SEND,
+	/** received response for retransmitted request, argument is packet_t, if
+	 * the message got fragmented only the first fragment is passed */
+	ALERT_RETRANSMIT_SEND_CLEARED,
 	/** sending retransmits timed out, argument is packet_t, if available and if
 	 * the message got fragmented only the first fragment is passed */
 	ALERT_RETRANSMIT_SEND_TIMEOUT,
@@ -432,7 +436,7 @@ struct bus_t {
 	 * @param new		ID of new SA when called for the old, NULL otherwise
 	 * @param uniue		unique ID of new SA when called for the old, 0 otherwise
 	 */
-	void (*children_migrate)(bus_t *this, ike_sa_id_t *new, u_int32_t unique);
+	void (*children_migrate)(bus_t *this, ike_sa_id_t *new, uint32_t unique);
 
 	/**
 	 * Virtual IP assignment hook.
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index c7a8d8d1e..be2726ede 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
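Review bot: ALERT_RETRANSMIT_SEND_CLEARED is inserted in the middle of alert_t, which renumbers every alert that follows it (ALERT_RETRANSMIT_SEND_TIMEOUT and later), so an out-of-tree listener built against the previous header will misinterpret alerts until it is rebuilt; if that is intended, say so in the enum comment or append new values at the end. The new doc text for ALERT_RETRANSMIT_SEND names the second argument as the "number of the retransmit" but not its C type; listeners fetch it with va_arg, where a type mismatch is undefined behaviour, so spell the type out, e.g. `* of the retransmit (presumably u_int, confirm against the bus_t.alert callers)`. The `@param uniue` typo in the children_migrate context line could be fixed in the same pass. The alert_t enum starts before this hunk.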
@@ -200,7 +200,7 @@ struct listener_t {
 	 * @return					TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*children_migrate)(listener_t *this, ike_sa_t *ike_sa,
-							 ike_sa_id_t *new, u_int32_t unique);
+							 ike_sa_id_t *new, uint32_t unique);
 
 	/**
 	 * Hook called to invoke additional authorization rules.
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 3d3c7419b..76d7f2c58 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -1,8 +1,9 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -110,12 +111,12 @@ struct private_child_cfg_t {
 	/**
 	 * Inactivity timeout
 	 */
-	u_int32_t inactivity;
+	uint32_t inactivity;
 
 	/**
 	 * Reqid to install CHILD_SA with
 	 */
-	u_int32_t reqid;
+	uint32_t reqid;
 
 	/**
 	 * Optional mark to install inbound CHILD_SA with
@@ -130,7 +131,17 @@ struct private_child_cfg_t {
 	/**
 	 * Traffic Flow Confidentiality padding, if enabled
 	 */
-	u_int32_t tfc;
+	uint32_t tfc;
+
+	/**
+	 * Optional manually-set IPsec policy priorities
+	 */
+	uint32_t manual_prio;
+
+	/**
+	 * Optional restriction of IPsec policy to a given network interface
+	 */
+	char *interface;
 
 	/**
 	 * set up IPsec transport SA in MIPv6 proxy mode
@@ -145,7 +156,7 @@ struct private_child_cfg_t {
 	/**
 	 * anti-replay window size
 	 */
-	u_int32_t replay_window;
+	uint32_t replay_window;
 };
 
 METHOD(child_cfg_t, get_name, char*,
@@ -200,25 +211,40 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
 
 METHOD(child_cfg_t, select_proposal, proposal_t*,
 	private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh,
-	bool private)
+	bool private, bool prefer_self)
 {
-	enumerator_t *stored_enum, *supplied_enum;
-	proposal_t *stored, *supplied, *selected = NULL;
+	enumerator_t *prefer_enum, *match_enum;
+	proposal_t *proposal, *match, *selected = NULL;
 
-	stored_enum = this->proposals->create_enumerator(this->proposals);
-	supplied_enum = proposals->create_enumerator(proposals);
+	if (prefer_self)
+	{
+		prefer_enum = this->proposals->create_enumerator(this->proposals);
+		match_enum = proposals->create_enumerator(proposals);
+	}
+	else
+	{
+		prefer_enum = proposals->create_enumerator(proposals);
+		match_enum = this->proposals->create_enumerator(this->proposals);
+	}
 
-	/* compare all stored proposals with all supplied. Stored ones are preferred. */
-	while (stored_enum->enumerate(stored_enum, &stored))
+	while (prefer_enum->enumerate(prefer_enum, &proposal))
 	{
-		stored = stored->clone(stored);
-		while (supplied_enum->enumerate(supplied_enum, &supplied))
+		proposal = proposal->clone(proposal);
+		if (prefer_self)
+		{
+			proposals->reset_enumerator(proposals, match_enum);
+		}
+		else
+		{
+			this->proposals->reset_enumerator(this->proposals, match_enum);
+		}
+		while (match_enum->enumerate(match_enum, &match))
 		{
 			if (strip_dh)
 			{
-				stored->strip_dh(stored, MODP_NONE);
+				proposal->strip_dh(proposal, MODP_NONE);
 			}
-			selected = stored->select(stored, supplied, private);
+			selected = proposal->select(proposal, match, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
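Review bot: `proposal->strip_dh(proposal, MODP_NONE)` runs on every iteration of the inner match loop although it only needs to run once per cloned proposal; move the `if (strip_dh) { proposal->strip_dh(proposal, MODP_NONE); }` block to directly after `proposal = proposal->clone(proposal);`. Note also that with prefer_self FALSE the clone, and therefore the stripping, is applied to the peer-supplied proposal rather than to the configured one; whether select() then still matches a configured proposal that carries DH groups depends on proposal_t.select's handling of MODP_NONE, which is not visible here, so a short comment or a unit test for that combination would be worthwhile. The function's cleanup and return are in the next hunk.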
@@ -227,17 +253,15 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 				break;
 			}
 		}
-		stored->destroy(stored);
+		proposal->destroy(proposal);
 		if (selected)
 		{
 			break;
 		}
-		supplied_enum->destroy(supplied_enum);
-		supplied_enum = proposals->create_enumerator(proposals);
 	}
-	stored_enum->destroy(stored_enum);
-	supplied_enum->destroy(supplied_enum);
-	if (selected == NULL)
+	prefer_enum->destroy(prefer_enum);
+	match_enum->destroy(match_enum);
+	if (!selected)
 	{
 		DBG1(DBG_CFG, "received proposals: %#P", proposals);
 		DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
@@ -405,7 +429,7 @@ METHOD(child_cfg_t, get_hostaccess, bool,
  * Note: The distribution of random values is not perfect, but it
  * should get the job done.
  */
-static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
+static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter)
 {
 	if (jitter == 0)
 	{
@@ -417,10 +441,14 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
 
 METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
-	private_child_cfg_t *this)
+	private_child_cfg_t *this, bool jitter)
 {
 	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
 	memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+	if (!jitter)
+	{
+		lft->time.jitter = lft->bytes.jitter = lft->packets.jitter = 0;
+	}
 	APPLY_JITTER(lft->time);
 	APPLY_JITTER(lft->bytes);
 	APPLY_JITTER(lft->packets);
@@ -456,7 +484,7 @@ METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t,
 {
 	enumerator_t *enumerator;
 	proposal_t *proposal;
-	u_int16_t dh_group = MODP_NONE;
+	uint16_t dh_group = MODP_NONE;
 
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, &proposal))
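Review bot: The new `if (!jitter)` branch in get_lifetime deserves a why-comment, because zeroing the three jitter fields before APPLY_JITTER is an indirect way of saying "hand back the exact configured limits", and it relies on apply_jitter's zero-jitter path (cut off in the hunk above) presumably being a pass-through. Suggested: `/* zero jitter turns APPLY_JITTER into a no-op, so callers get the configured limits unchanged */`. The sentence in child_cfg.h, "These values will change with each call to this function", is now only true for jitter == TRUE and should be qualified. The get_lifetime body continues past the end of its hunk.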
@@ -476,13 +504,13 @@ METHOD(child_cfg_t, use_ipcomp, bool,
 	return this->use_ipcomp;
 }
 
-METHOD(child_cfg_t, get_inactivity, u_int32_t,
+METHOD(child_cfg_t, get_inactivity, uint32_t,
 	private_child_cfg_t *this)
 {
 	return this->inactivity;
 }
 
-METHOD(child_cfg_t, get_reqid, u_int32_t,
+METHOD(child_cfg_t, get_reqid, uint32_t,
 	private_child_cfg_t *this)
 {
 	return this->reqid;
@@ -494,29 +522,34 @@ METHOD(child_cfg_t, get_mark, mark_t,
 	return inbound ? this->mark_in : this->mark_out;
 }
 
-METHOD(child_cfg_t, get_tfc, u_int32_t,
+METHOD(child_cfg_t, get_tfc, uint32_t,
 	private_child_cfg_t *this)
 {
 	return this->tfc;
 }
 
-METHOD(child_cfg_t, get_replay_window, u_int32_t,
+METHOD(child_cfg_t, get_manual_prio, uint32_t,
 	private_child_cfg_t *this)
 {
-	return this->replay_window;
+	return this->manual_prio;
 }
 
-METHOD(child_cfg_t, set_replay_window, void,
-	private_child_cfg_t *this, u_int32_t replay_window)
+METHOD(child_cfg_t, get_interface, char*,
+	private_child_cfg_t *this)
 {
-	this->replay_window = replay_window;
+	return this->interface;
+}
+
+METHOD(child_cfg_t, get_replay_window, uint32_t,
+	private_child_cfg_t *this)
+{
+	return this->replay_window;
 }
 
-METHOD(child_cfg_t, set_mipv6_options, void,
-	private_child_cfg_t *this, bool proxy_mode, bool install_policy)
+METHOD(child_cfg_t, set_replay_window, void,
+	private_child_cfg_t *this, uint32_t replay_window)
 {
-	this->proxy_mode = proxy_mode;
-	this->install_policy = install_policy;
+	this->replay_window = replay_window;
 }
 
 METHOD(child_cfg_t, use_proxy_mode, bool,
@@ -532,7 +565,7 @@ METHOD(child_cfg_t, install_policy, bool,
 }
 
 #define LT_PART_EQUALS(a, b) ({ a.life == b.life && a.rekey == b.rekey && a.jitter == b.jitter; })
-#define LIFETIME_EQUALS(a, b) ({ LT_PART_EQUALS(a.time, b.time) && LT_PART_EQUALS(a.bytes, b.bytes) && LT_PART_EQUALS(a.packets, b.packets); })
+#define LIFETIME_EQUALS(a, b) ({ LT_PART_EQUALS(a.time, b.time) && LT_PART_EQUALS(a.bytes, b.bytes) && LT_PART_EQUALS(a.packets, b.packets); })
 
 METHOD(child_cfg_t, equals, bool,
 	private_child_cfg_t *this, child_cfg_t *other_pub)
@@ -576,10 +609,12 @@ METHOD(child_cfg_t, equals, bool,
 		this->mark_out.value == other->mark_out.value &&
 		this->mark_out.mask == other->mark_out.mask &&
 		this->tfc == other->tfc &&
+		this->manual_prio == other->manual_prio &&
 		this->replay_window == other->replay_window &&
 		this->proxy_mode == other->proxy_mode &&
 		this->install_policy == other->install_policy &&
-		streq(this->updown, other->updown);
+		streq(this->updown, other->updown) &&
+		streq(this->interface, other->interface);
 }
 
 METHOD(child_cfg_t, get_ref, child_cfg_t*,
@@ -597,10 +632,8 @@ METHOD(child_cfg_t, destroy, void,
 	this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
 	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
-	if (this->updown)
-	{
-		free(this->updown);
-	}
+	free(this->updown);
+	free(this->interface);
 	free(this->name);
 	free(this);
 }
@@ -609,12 +642,7 @@ METHOD(child_cfg_t, destroy, void,
 /*
  * Described in header-file
  */
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
-							  char *updown, bool hostaccess,
-							  ipsec_mode_t mode, action_t start_action,
-							  action_t dpd_action, action_t close_action,
-							  bool ipcomp, u_int32_t inactivity, u_int32_t reqid,
-							  mark_t *mark_in, mark_t *mark_out, u_int32_t tfc)
+child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 {
 	private_child_cfg_t *this;
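Review bot: `streq(this->interface, other->interface)` compares a field that strdupnull() leaves NULL whenever no interface is configured, so this is only safe if streq tolerates NULL operands; the pre-existing `streq(this->updown, other->updown)` suggests it does, but confirm against the streq definition in libstrongswan or make the comparison explicitly NULL-aware, e.g. `(this->interface == other->interface || (this->interface && other->interface && streq(this->interface, other->interface)))`. Dropping the `if (this->updown)` guard in destroy is fine since free(NULL) is a no-op. The equals() body starts before this hunk.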
@@ -634,12 +662,13 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 			.get_close_action = _get_close_action,
 			.get_lifetime = _get_lifetime,
 			.get_dh_group = _get_dh_group,
-			.set_mipv6_options = _set_mipv6_options,
 			.use_ipcomp = _use_ipcomp,
 			.get_inactivity = _get_inactivity,
 			.get_reqid = _get_reqid,
 			.get_mark = _get_mark,
 			.get_tfc = _get_tfc,
+			.get_manual_prio = _get_manual_prio,
+			.get_interface = _get_interface,
 			.get_replay_window = _get_replay_window,
 			.set_replay_window = _set_replay_window,
 			.use_proxy_mode = _use_proxy_mode,
@@ -649,35 +678,30 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 			.destroy = _destroy,
 		},
 		.name = strdup(name),
-		.updown = strdupnull(updown),
-		.hostaccess = hostaccess,
-		.mode = mode,
-		.start_action = start_action,
-		.dpd_action = dpd_action,
-		.close_action = close_action,
-		.use_ipcomp = ipcomp,
-		.inactivity = inactivity,
-		.reqid = reqid,
-		.proxy_mode = FALSE,
-		.install_policy = TRUE,
+		.updown = strdupnull(data->updown),
+		.hostaccess = data->hostaccess,
+		.reqid = data->reqid,
+		.mode = data->mode,
+		.proxy_mode = data->proxy_mode,
+		.start_action = data->start_action,
+		.dpd_action = data->dpd_action,
+		.close_action = data->close_action,
+		.mark_in = data->mark_in,
+		.mark_out = data->mark_out,
+		.lifetime = data->lifetime,
+		.inactivity = data->inactivity,
+		.use_ipcomp = data->ipcomp,
+		.tfc = data->tfc,
+		.manual_prio = data->priority,
+		.interface = strdupnull(data->interface),
+		.install_policy = !data->suppress_policies,
 		.refcount = 1,
 		.proposals = linked_list_create(),
 		.my_ts = linked_list_create(),
 		.other_ts = linked_list_create(),
-		.tfc = tfc,
 		.replay_window = lib->settings->get_int(lib->settings,
-				"%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
+							"%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
 	);
 
-	if (mark_in)
-	{
-		this->mark_in = *mark_in;
-	}
-	if (mark_out)
-	{
-		this->mark_out = *mark_out;
-	}
-	memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
-
 	return &this->public;
 }
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 22641f77e..e736b2737 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
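Review bot: child_cfg_create now dereferences `data` unconditionally and copies mark_in, mark_out and lifetime by value, so the contract that `data` must be non-NULL and that a zeroed field means "default" is implicit where the old NULL checks made it explicit; add a comment above the INIT block, `/* data must not be NULL; fields left zero select the defaults (no mark, auto reqid, policies installed) */`. The name flips between the input struct and the object, `priority` stored as `manual_prio` and `suppress_policies` stored negated as `install_policy`, are easy to misread; using the same names on both sides, or at least a comment on the `.install_policy = !data->suppress_policies` line, would help. The function's signature is in the previous hunk.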
@@ -1,8 +1,9 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -25,6 +26,7 @@
 
 typedef enum action_t action_t;
 typedef struct child_cfg_t child_cfg_t;
+typedef struct child_cfg_create_t child_cfg_create_t;
 
 #include <library.h>
 #include <selectors/traffic_selector.h>
@@ -98,10 +100,12 @@ struct child_cfg_t {
 	 * @param proposals		list from which proposals are selected
 	 * @param strip_dh		TRUE strip out diffie hellman groups
 	 * @param private		accept algorithms from a private range
+	 * @param prefer_self	whether to prefer configured or supplied proposals
 	 * @return				selected proposal, or NULL if nothing matches
 	 */
 	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
-								   bool strip_dh, bool private);
+								   bool strip_dh, bool private,
+								   bool prefer_self);
 
 	/**
 	 * Add a traffic selector to the config.
@@ -155,9 +159,10 @@ struct child_cfg_t {
 	 * The rekey limits automatically contain a jitter to avoid simultaneous
 	 * rekeying. These values will change with each call to this function.
 	 *
+	 * @param jitter		subtract jitter value to randomize lifetimes
 	 * @return				lifetime_cfg_t (has to be freed)
 	 */
-	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
 
 	/**
 	 * Get the mode to use for the CHILD_SA.
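Review bot: The `@param prefer_self` text "whether to prefer configured or supplied proposals" does not say which value means which; the child_cfg.c implementation in this same commit walks the configured list in the outer loop for TRUE and the peer-supplied list for FALSE, so write `@param prefer_self TRUE to honour the configured proposal order, FALSE to let the peer's order decide`. Because FALSE lets the peer choose among all mutually acceptable algorithm sets, the comment should also warn that the configured proposal list is then the only thing preventing a downgrade to the weakest configured algorithms. The `@param jitter` line would read more precisely as `TRUE to randomize the rekey limits by the configured jitter, FALSE for the exact configured values`. child_cfg_t continues beyond this hunk.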
@@ -210,14 +215,14 @@ struct child_cfg_t {
 	 *
 	 * @return				inactivity timeout in s
 	 */
-	u_int32_t (*get_inactivity)(child_cfg_t *this);
+	uint32_t (*get_inactivity)(child_cfg_t *this);
 
 	/**
 	 * Specific reqid to use for CHILD_SA.
 	 *
 	 * @return				reqid
 	 */
-	u_int32_t (*get_reqid)(child_cfg_t *this);
+	uint32_t (*get_reqid)(child_cfg_t *this);
 
 	/**
 	 * Optional mark for CHILD_SA.
@@ -232,30 +237,35 @@ struct child_cfg_t {
 	 *
 	 * @return				TFC padding, 0 to disable, -1 for MTU
 	 */
-	u_int32_t (*get_tfc)(child_cfg_t *this);
+	uint32_t (*get_tfc)(child_cfg_t *this);
 
 	/**
-	 * Get anti-replay window size
+	 * Get optional manually-set IPsec policy priority
 	 *
-	 * @return				anti-replay window size
+	 * @return				manually-set IPsec policy priority (automatic if 0)
 	 */
-	u_int32_t (*get_replay_window)(child_cfg_t *this);
+	uint32_t (*get_manual_prio)(child_cfg_t *this);
 
 	/**
-	 * Set anti-replay window size
+	 * Get optional network interface restricting IPsec policy
 	 *
-	 * @param window		anti-replay window size
+	 * @return				network interface)
 	 */
-	void (*set_replay_window)(child_cfg_t *this, u_int32_t window);
+	char* (*get_interface)(child_cfg_t *this);
 
 	/**
-	 * Sets two options needed for Mobile IPv6 interoperability.
+	 * Get anti-replay window size
 	 *
-	 * @param proxy_mode		use IPsec transport proxy mode (default FALSE)
-	 * @param install_policy	install IPsec kernel policies (default TRUE)
+	 * @return				anti-replay window size
 	 */
-	void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
-							  bool install_policy);
+	uint32_t (*get_replay_window)(child_cfg_t *this);
+
+	/**
+	 * Set anti-replay window size
+	 *
+	 * @param window		anti-replay window size
+	 */
+	void (*set_replay_window)(child_cfg_t *this, uint32_t window);
 
 	/**
 	 * Check whether IPsec transport SA should be set up in proxy mode.
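Review bot: The get_interface doc line `@return network interface)` has a stray paren and says nothing about absence or ownership, although the implementation in this commit returns the config's own pointer, which is NULL when no interface was configured. Replace it with `@return network interface name, NULL if not restricted (owned by the config, do not free)`. child_cfg_t continues beyond this hunk.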
@@ -297,38 +307,56 @@ struct child_cfg_t {
 	void (*destroy) (child_cfg_t *this);
 };
 
+
+/**
+ * Data passed to the constructor of a child_cfg_t object.
+ */
+struct child_cfg_create_t {
+	/** Specific reqid to use for CHILD_SA, 0 for auto assignment */
+	uint32_t reqid;
+	/** Optional inbound mark */
+	mark_t mark_in;
+	/** Optional outbound mark */
+	mark_t mark_out;
+	/** Mode to propose for CHILD_SA */
+	ipsec_mode_t mode;
+	/** Use IPsec transport proxy mode */
+	bool proxy_mode;
+	/** Use IPComp, if peer supports it */
+	bool ipcomp;
+	/** TFC padding size, 0 to disable, -1 to pad to PMTU */
+	uint32_t tfc;
+	/** Optional manually-set IPsec policy priority */
+	uint32_t priority;
+	/** Optional network interface restricting IPsec policy (cloned) */
+	char *interface;
+	/** lifetime_cfg_t for this child_cfg */
+	lifetime_cfg_t lifetime;
+	/** Inactivity timeout in s before closing a CHILD_SA */
+	uint32_t inactivity;
+	/** Start action */
+	action_t start_action;
+	/** DPD action */
+	action_t dpd_action;
+	/** Close action */
+	action_t close_action;
+	/** updown script to execute on up/down event (cloned) */
+	char *updown;
+	/** TRUE to allow access to the local host */
+	bool hostaccess;
+	/** Don't install IPsec policies */
+	bool suppress_policies;
+};
+
 /**
  * Create a configuration template for CHILD_SA setup.
  *
- * The "name" string gets cloned.
- *
- * The lifetime_cfg_t object gets cloned.
- * To prevent two peers to start rekeying at the same time, a jitter may be
- * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
- *
  * After a call to create, a reference is obtained (refcount = 1).
  *
- @param name				name of the child_cfg
- @param lifetime			lifetime_cfg_t for this child_cfg
- @param updown			updown script to execute on up/down event
- @param hostaccess		TRUE to allow access to the local host
- @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
- @param start_action		start action
- @param dpd_action		DPD action
- @param close_action		close action
- @param ipcomp			use IPComp, if peer supports it
- @param inactivity		inactivity timeout in s before closing a CHILD_SA
- @param reqid				specific reqid to use for CHILD_SA, 0 for auto assign
- @param mark_in			optional inbound mark (can be NULL)
- @param mark_out			optional outbound mark (can be NULL)
- @param tfc				TFC padding size, 0 to disable, -1 to pad to PMTU
+ @param name				name of the child_cfg (cloned)
+ @param data				data for this child_cfg
  * @return					child_cfg_t object
  */
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
-							  char *updown, bool hostaccess,
-							  ipsec_mode_t mode, action_t start_action,
-							  action_t dpd_action, action_t close_action,
-							  bool ipcomp, u_int32_t inactivity, u_int32_t reqid,
-							  mark_t *mark_in, mark_t *mark_out, u_int32_t tfc);
+child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
 
 #endif /** CHILD_CFG_H_ @}*/
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index a720e1493..7d52ac88f 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2015 Tobias Brunner
+ * Copyright (C) 2012-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -83,12 +83,12 @@ struct private_ike_cfg_t {
 	/**
 	 * our source port
 	 */
-	u_int16_t my_port;
+	uint16_t my_port;
 
 	/**
 	 * destination port
 	 */
-	u_int16_t other_port;
+	uint16_t other_port;
 
 	/**
 	 * should we send a certificate request?
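Review bot: child_cfg_create_t turns arguments that used to be optional pointers (mark_in, mark_out, lifetime) into by-value fields, so "optional" now means "left zero", yet neither the struct comment nor the `@param data` line tells callers that the struct must be fully initialised and that child_cfg_create copies every field without checking; in particular `suppress_policies` staying FALSE is what preserves the old install_policy = TRUE default. Suggested addition to the struct comment: `Callers should zero-initialise this struct (e.g. with a designated initializer); fields left zero select the defaults: no mark, automatic reqid, no priority or interface restriction, policies installed.` The `tfc` field is documented as taking -1 although it is a uint32_t, so say "UINT32_MAX (-1) to pad to PMTU" or drop the signed literal. The `@param data` line should also state that `data` must not be NULL.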
@@ -108,7 +108,7 @@ struct private_ike_cfg_t {
 	/**
 	 * DSCP value to use on sent IKE packets
 	 */
-	u_int8_t dscp;
+	uint8_t dscp;
 
 	/**
 	 * List of proposals to use
@@ -143,7 +143,7 @@ METHOD(ike_cfg_t, fragmentation, fragmentation_t,
 /**
  * Common function for resolve_me/other
  */
-static host_t* resolve(linked_list_t *hosts, int family, u_int16_t port)
+static host_t* resolve(linked_list_t *hosts, int family, uint16_t port)
 {
 	enumerator_t *enumerator;
 	host_t *host = NULL;
@@ -192,7 +192,7 @@ static u_int match(linked_list_t *hosts, linked_list_t *ranges, host_t *cand)
 	traffic_selector_t *ts;
 	char *str;
 	host_t *host;
-	u_int8_t mask;
+	uint8_t mask;
 	u_int quality = 0;
 
 	/* try single hosts first */
@@ -261,19 +261,19 @@ METHOD(ike_cfg_t, get_other_addr, char*,
 	return this->other;
 }
 
-METHOD(ike_cfg_t, get_my_port, u_int16_t,
+METHOD(ike_cfg_t, get_my_port, uint16_t,
 	private_ike_cfg_t *this)
 {
 	return this->my_port;
 }
 
-METHOD(ike_cfg_t, get_other_port, u_int16_t,
+METHOD(ike_cfg_t, get_other_port, uint16_t,
 	private_ike_cfg_t *this)
 {
 	return this->other_port;
 }
 
-METHOD(ike_cfg_t, get_dscp, u_int8_t,
+METHOD(ike_cfg_t, get_dscp, uint8_t,
 	private_ike_cfg_t *this)
 {
 	return this->dscp;
@@ -310,42 +310,57 @@ METHOD(ike_cfg_t, get_proposals, linked_list_t*, } METHOD(ike_cfg_t, select_proposal, proposal_t*, - private_ike_cfg_t *this, linked_list_t *proposals, bool private) + private_ike_cfg_t *this, linked_list_t *proposals, bool private, + bool prefer_self) { - enumerator_t *stored_enum, *supplied_enum; - proposal_t *stored, *supplied, *selected; + enumerator_t *prefer_enum, *match_enum; + proposal_t *proposal, *match, *selected = NULL; - stored_enum = this->proposals->create_enumerator(this->proposals); - supplied_enum = proposals->create_enumerator(proposals); - - - /* compare all stored proposals with all supplied. Stored ones are preferred.*/ - while (stored_enum->enumerate(stored_enum, (void**)&stored)) + if (prefer_self) + { + prefer_enum = this->proposals->create_enumerator(this->proposals); + match_enum = proposals->create_enumerator(proposals); + } + else { - proposals->reset_enumerator(proposals, supplied_enum); + prefer_enum = proposals->create_enumerator(proposals); + match_enum = this->proposals->create_enumerator(this->proposals); + } - while (supplied_enum->enumerate(supplied_enum, (void**)&supplied)) + while (prefer_enum->enumerate(prefer_enum, (void**)&proposal)) + { + if (prefer_self) + { + proposals->reset_enumerator(proposals, match_enum); + } + else { - selected = stored->select(stored, supplied, private); + this->proposals->reset_enumerator(this->proposals, match_enum); + } + while (match_enum->enumerate(match_enum, (void**)&match)) + { + selected = proposal->select(proposal, match, private); if (selected) { - /* they match, return */ - stored_enum->destroy(stored_enum); - supplied_enum->destroy(supplied_enum); DBG2(DBG_CFG, "received proposals: %#P", proposals); DBG2(DBG_CFG, "configured proposals: %#P", this->proposals); DBG2(DBG_CFG, "selected proposal: %P", selected); - return selected; + break; } } + if (selected) + { + break; + } } - /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... 
*/ - stored_enum->destroy(stored_enum); - supplied_enum->destroy(supplied_enum); - DBG1(DBG_CFG, "received proposals: %#P", proposals); - DBG1(DBG_CFG, "configured proposals: %#P", this->proposals); - - return NULL; + prefer_enum->destroy(prefer_enum); + match_enum->destroy(match_enum); + if (!selected) + { + DBG1(DBG_CFG, "received proposals: %#P", proposals); + DBG1(DBG_CFG, "configured proposals: %#P", this->proposals); + } + return selected; } METHOD(ike_cfg_t, get_dh_group, diffie_hellman_group_t, @@ -353,7 +368,7 @@ METHOD(ike_cfg_t, get_dh_group, diffie_hellman_group_t, { enumerator_t *enumerator; proposal_t *proposal; - u_int16_t dh_group = MODP_NONE; + uint16_t dh_group = MODP_NONE; enumerator = this->proposals->create_enumerator(this->proposals); while (enumerator->enumerate(enumerator, &proposal)) @@ -545,9 +560,9 @@ int ike_cfg_get_family(ike_cfg_t *cfg, bool local) * Described in header. */ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, - char *me, u_int16_t my_port, - char *other, u_int16_t other_port, - fragmentation_t fragmentation, u_int8_t dscp) + char *me, uint16_t my_port, + char *other, uint16_t other_port, + fragmentation_t fragmentation, uint8_t dscp) { private_ike_cfg_t *this; diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index a72960f4f..5655a3497 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2012-2016 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil 
@@ -128,21 +128,21 @@ struct ike_cfg_t { * * @return source address port, host order */ - u_int16_t (*get_my_port)(ike_cfg_t *this); + uint16_t (*get_my_port)(ike_cfg_t *this); /** * Get the port to use as destination port. * * @return destination address, host order */ - u_int16_t (*get_other_port)(ike_cfg_t *this); + uint16_t (*get_other_port)(ike_cfg_t *this); /** * Get the DSCP value to use for IKE packets send from connections. * * @return DSCP value */ - u_int8_t (*get_dscp)(ike_cfg_t *this); + uint8_t (*get_dscp)(ike_cfg_t *this); /** * Adds a proposal to the list. @@ -165,16 +165,17 @@ struct ike_cfg_t { linked_list_t* (*get_proposals) (ike_cfg_t *this); /** - * Select a proposed from suggested proposals. + * Select a proposal from a list of supplied proposals. * * Returned proposal must be destroyed after use. * * @param proposals list of proposals to select from * @param private accept algorithms from a private range + * @param prefer_self whether to prefer configured or supplied proposals * @return selected proposal, or NULL if none matches. */ proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals, - bool private); + bool private, bool prefer_self); /** * Should we send a certificate request in IKE_SA_INIT? @@ -250,9 +251,9 @@ struct ike_cfg_t { * @return ike_cfg_t object. */ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, - char *me, u_int16_t my_port, - char *other, u_int16_t other_port, - fragmentation_t fragmentation, u_int8_t dscp); + char *me, uint16_t my_port, + char *other, uint16_t other_port, + fragmentation_t fragmentation, uint8_t dscp); /** * Determine the address family of the local or remtoe address(es). If multiple diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index d28a79507..6463c7a36 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c 
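Review bot: The new `prefer_self` parameter is documented only as `whether to prefer configured or supplied proposals`, which hides the security-relevant consequence: with `prefer_self` FALSE the ordering of the peer's proposals decides which of the locally configured proposals wins, so a peer can steer the selection towards the weakest proposal the local configuration still accepts. The ike_cfg.c hunk in this same commit confirms that the two enumerators simply swap roles on this flag. Suggest `@param prefer_self TRUE to select in configured order, FALSE to let the order of the supplied (peer) proposals decide; with FALSE any proposal left in the configured list may be chosen`, so operators know the configured list must contain only acceptable algorithms.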
@@ -1,8 +1,8 @@ /* - * Copyright (C) 2007-2015 Tobias Brunner + * Copyright (C) 2007-2016 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -88,7 +88,7 @@ struct private_peer_cfg_t { /** * number of tries after giving up if peer does not respond */ - u_int32_t keyingtries; + uint32_t keyingtries; /** * enable support for MOBIKE @@ -108,32 +108,32 @@ struct private_peer_cfg_t { /** * Time before starting rekeying */ - u_int32_t rekey_time; + uint32_t rekey_time; /** * Time before starting reauthentication */ - u_int32_t reauth_time; + uint32_t reauth_time; /** * Time, which specifies the range of a random value subtracted from above. */ - u_int32_t jitter_time; + uint32_t jitter_time; /** * Delay before deleting a rekeying/reauthenticating SA */ - u_int32_t over_time; + uint32_t over_time; /** * DPD check intervall */ - u_int32_t dpd; + uint32_t dpd; /** * DPD timeout intervall (used for IKEv1 only) */ - u_int32_t dpd_timeout; + uint32_t dpd_timeout; /** * List of virtual IPs (host_t*) to request @@ -455,13 +455,13 @@ METHOD(peer_cfg_t, get_unique_policy, unique_policy_t, return this->unique; } -METHOD(peer_cfg_t, get_keyingtries, u_int32_t, +METHOD(peer_cfg_t, get_keyingtries, uint32_t, private_peer_cfg_t *this) { return this->keyingtries; } -METHOD(peer_cfg_t, get_rekey_time, u_int32_t, +METHOD(peer_cfg_t, get_rekey_time, uint32_t, private_peer_cfg_t *this, bool jitter) { if (this->rekey_time == 0) @@ -475,7 +475,7 @@ METHOD(peer_cfg_t, get_rekey_time, u_int32_t, return this->rekey_time - (random() % this->jitter_time); } -METHOD(peer_cfg_t, get_reauth_time, u_int32_t, +METHOD(peer_cfg_t, get_reauth_time, uint32_t, private_peer_cfg_t *this, bool jitter) { if (this->reauth_time == 0) 
@@ -489,7 +489,7 @@ METHOD(peer_cfg_t, get_reauth_time, u_int32_t, return this->reauth_time - (random() % this->jitter_time); } -METHOD(peer_cfg_t, get_over_time, u_int32_t, +METHOD(peer_cfg_t, get_over_time, uint32_t, private_peer_cfg_t *this) { return this->over_time; @@ -513,13 +513,13 @@ METHOD(peer_cfg_t, use_pull_mode, bool, return this->pull_mode; } -METHOD(peer_cfg_t, get_dpd, u_int32_t, +METHOD(peer_cfg_t, get_dpd, uint32_t, private_peer_cfg_t *this) { return this->dpd; } -METHOD(peer_cfg_t, get_dpd_timeout, u_int32_t, +METHOD(peer_cfg_t, get_dpd_timeout, uint32_t, private_peer_cfg_t *this) { return this->dpd_timeout; @@ -724,29 +724,22 @@ METHOD(peer_cfg_t, destroy, void, /* * Described in header-file */ -peer_cfg_t *peer_cfg_create(char *name, - ike_cfg_t *ike_cfg, cert_policy_t cert_policy, - unique_policy_t unique, u_int32_t keyingtries, - u_int32_t rekey_time, u_int32_t reauth_time, - u_int32_t jitter_time, u_int32_t over_time, - bool mobike, bool aggressive, bool pull_mode, - u_int32_t dpd, u_int32_t dpd_timeout, - bool mediation, peer_cfg_t *mediated_by, - identification_t *peer_id) +peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, + peer_cfg_create_t *data) { private_peer_cfg_t *this; - if (rekey_time && jitter_time > rekey_time) + if (data->rekey_time && data->jitter_time > data->rekey_time) { - jitter_time = rekey_time; + data->jitter_time = data->rekey_time; } - if (reauth_time && jitter_time > reauth_time) + if (data->reauth_time && data->jitter_time > data->reauth_time) { - jitter_time = reauth_time; + data->jitter_time = data->reauth_time; } - if (dpd && dpd_timeout && dpd > dpd_timeout) + if (data->dpd && data->dpd_timeout && data->dpd > data->dpd_timeout) { - dpd_timeout = dpd; + data->dpd_timeout = data->dpd; } INIT(this, 
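Review bot: `peer_cfg_create()` now clamps through the caller's struct (`data->jitter_time = data->rekey_time;`, `data->jitter_time = data->reauth_time;`, `data->dpd_timeout = data->dpd;`) instead of into locals, so the caller's `peer_cfg_create_t` is silently modified and a caller that reuses the same `data` for a second peer config, or reads `data->jitter_time` afterwards, sees the clamped values rather than what it configured. Either clamp into locals (`uint32_t jitter_time = data->jitter_time, dpd_timeout = data->dpd_timeout;`) and initialise from those, or make the side effect part of the contract in peer_cfg.h: `@param data data for this peer_cfg (jitter_time/dpd_timeout may be clamped in place)`. The function body continues in the next hunk, where `INIT()` reads these fields back from `data`.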
@@ -789,33 +782,29 @@ peer_cfg_t *peer_cfg_create(char *name, .ike_cfg = ike_cfg, .child_cfgs = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .cert_policy = cert_policy, - .unique = unique, - .keyingtries = keyingtries, - .rekey_time = rekey_time, - .reauth_time = reauth_time, - .jitter_time = jitter_time, - .over_time = over_time, - .use_mobike = mobike, - .aggressive = aggressive, - .pull_mode = pull_mode, - .dpd = dpd, - .dpd_timeout = dpd_timeout, + .cert_policy = data->cert_policy, + .unique = data->unique, + .keyingtries = data->keyingtries, + .rekey_time = data->rekey_time, + .reauth_time = data->reauth_time, + .jitter_time = data->jitter_time, + .over_time = data->over_time, + .use_mobike = !data->no_mobike, + .aggressive = data->aggressive, + .pull_mode = !data->push_mode, + .dpd = data->dpd, + .dpd_timeout = data->dpd_timeout, .vips = linked_list_create(), .pools = linked_list_create(), .local_auth = linked_list_create(), .remote_auth = linked_list_create(), .refcount = 1, - ); - #ifdef ME - this->mediation = mediation; - this->mediated_by = mediated_by; - this->peer_id = peer_id; -#else /* ME */ - DESTROY_IF(mediated_by); - DESTROY_IF(peer_id); + .mediation = data->mediation, + .mediated_by = data->mediated_by, + .peer_id = data->peer_id, #endif /* ME */ + ); return &this->public; } diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index b612a2ef1..8e4d5331c 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2007-2015 Tobias Brunner + * Copyright (C) 2007-2016 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -26,6 +26,7 @@ typedef enum cert_policy_t cert_policy_t; typedef enum unique_policy_t unique_policy_t; typedef struct peer_cfg_t peer_cfg_t; +typedef struct peer_cfg_create_t peer_cfg_create_t; #include <library.h> #include <utils/identification.h> @@ -222,30 +223,30 @@ struct peer_cfg_t { * * @return max number retries */ - u_int32_t (*get_keyingtries) (peer_cfg_t *this); + uint32_t (*get_keyingtries) (peer_cfg_t *this); /** * Get a time to start rekeying. * - * @param jitter remove a jitter value to randomize time + * @param jitter subtract a jitter value to randomize time * @return time in s when to start rekeying, 0 disables rekeying */ - u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter); + uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter); /** * Get a time to start reauthentication. * - * @param jitter remove a jitter value to randomize time + * @param jitter subtract a jitter value to randomize time * @return time in s when to start reauthentication, 0 disables it */ - u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter); + uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter); /** * Get the timeout of a rekeying/reauthenticating SA. * * @return timeout in s */ - u_int32_t (*get_over_time)(peer_cfg_t *this); + uint32_t (*get_over_time)(peer_cfg_t *this); /** * Use MOBIKE (RFC4555) if peer supports it? @@ -273,14 +274,14 @@ struct peer_cfg_t { * * @return dpd_delay in seconds */ - u_int32_t (*get_dpd) (peer_cfg_t *this); + uint32_t (*get_dpd) (peer_cfg_t *this); /** * Get the DPD timeout interval (IKEv1 only) * * @return dpd_timeout in seconds */ - u_int32_t (*get_dpd_timeout) (peer_cfg_t *this); + uint32_t (*get_dpd_timeout) (peer_cfg_t *this); /** * Add a virtual IP to request as initiator. 
@@ -367,42 +368,52 @@ struct peer_cfg_t { }; /** + * Data passed to the constructor of a peer_cfg_t object. + */ +struct peer_cfg_create_t { + /** Whether to send a certificate payload */ + cert_policy_t cert_policy; + /** Uniqueness of an IKE_SA */ + unique_policy_t unique; + /** How many keying tries should be done before giving up */ + uint32_t keyingtries; + /** Timeout in seconds before starting rekeying */ + uint32_t rekey_time; + /** Timeout in seconds before starting reauthentication */ + uint32_t reauth_time; + /** Time range in seconds to randomly subtract from rekey/reauth time */ + uint32_t jitter_time; + /** Maximum overtime in seconds before closing a rekeying/reauth SA */ + uint32_t over_time; + /** Disable MOBIKE (RFC4555) */ + bool no_mobike; + /** Use/accept aggressive mode with IKEv1 */ + bool aggressive; + /** TRUE to use modeconfig push, FALSE for pull */ + bool push_mode; + /** DPD check interval, 0 to disable */ + uint32_t dpd; + /** DPD timeout interval (IKEv1 only), if 0 default applies */ + uint32_t dpd_timeout; +#ifdef ME + /** TRUE if this is a mediation connection */ + bool mediation; + /** peer_cfg_t of the mediation connection to mediate through (adopted) */ + peer_cfg_t *mediated_by; + /** ID that identifies our peer at the mediation server (adopted) */ + identification_t *peer_id; +#endif /* ME */ +}; + +/** * Create a configuration object for IKE_AUTH and later. * - * name-string gets cloned, ID's not. - * Virtual IPs are used if they are != NULL. A %any host means the virtual - * IP should be obtained from the other peer. - * Lifetimes are in seconds. To prevent to peers to start rekeying at the - * same time, a jitter may be specified. Rekeying of an SA starts at - * (rekeylifetime - random(0, jitter)). - * - * @param name name of the peer_cfg - * @param ike_cfg IKE config to use when acting as initiator - * @param cert_policy should we send a certificate payload? 
- * @param unique uniqueness of an IKE_SA - * @param keyingtries how many keying tries should be done before giving up - * @param rekey_time timeout before starting rekeying - * @param reauth_time timeout before starting reauthentication - * @param jitter_time timerange to randomly subtract from rekey/reauth time - * @param over_time maximum overtime before closing a rekeying/reauth SA - * @param mobike use MOBIKE (RFC4555) if peer supports it - * @param aggressive use/accept aggressive mode with IKEv1 - * @param pull_mode TRUE to use modeconfig pull, FALSE for push - * @param dpd DPD check interval, 0 to disable - * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies - * @param mediation TRUE if this is a mediation connection - * @param mediated_by peer_cfg_t of the mediation connection to mediate through - * @param peer_id ID that identifies our peer at the mediation server + * @param name name of the peer_cfg (cloned) + * @param ike_cfg IKE config to use when acting as initiator (adopted) + * @param data data for this peer_cfg * @return peer_cfg_t object */ -peer_cfg_t *peer_cfg_create(char *name, - ike_cfg_t *ike_cfg, cert_policy_t cert_policy, - unique_policy_t unique, u_int32_t keyingtries, - u_int32_t rekey_time, u_int32_t reauth_time, - u_int32_t jitter_time, u_int32_t over_time, - bool mobike, bool aggressive, bool pull_mode, - u_int32_t dpd, u_int32_t dpd_timeout, - bool mediation, peer_cfg_t *mediated_by, - identification_t *peer_id); +peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, + peer_cfg_create_t *data); #endif /** PEER_CFG_H_ @}*/ diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 95b6a00ea..a83acec23 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2006-2010 Martin Willi * Copyright (C) 2013-2015 Andreas Steffen * Hochschule fuer Technik Rapperswil @@ -61,7 +61,7 @@ struct private_proposal_t { /** * senders SPI */ - u_int64_t spi; + uint64_t spi; /** * Proposal number @@ -76,14 +76,14 @@ typedef struct { /** Type of the transform */ transform_type_t type; /** algorithm identifier */ - u_int16_t alg; + uint16_t alg; /** key size in bits, or zero if not needed */ - u_int16_t key_size; + uint16_t key_size; } entry_t; METHOD(proposal_t, add_algorithm, void, private_proposal_t *this, transform_type_t type, - u_int16_t alg, u_int16_t key_size) + uint16_t alg, uint16_t key_size) { entry_t entry = { .type = type, @@ -97,8 +97,8 @@ METHOD(proposal_t, add_algorithm, void, /** * filter function for peer configs */ -static bool alg_filter(uintptr_t type, entry_t **in, u_int16_t *alg, - void **unused, u_int16_t *key_size) +static bool alg_filter(uintptr_t type, entry_t **in, uint16_t *alg, + void **unused, uint16_t *key_size) { entry_t *entry = *in; @@ -127,7 +127,7 @@ METHOD(proposal_t, create_enumerator, enumerator_t*, METHOD(proposal_t, get_algorithm, bool, private_proposal_t *this, transform_type_t type, - u_int16_t *alg, u_int16_t *key_size) + uint16_t *alg, uint16_t *key_size) { enumerator_t *enumerator; bool found = FALSE; @@ -147,7 +147,7 @@ METHOD(proposal_t, has_dh_group, bool, { bool found = FALSE, any = FALSE; enumerator_t *enumerator; - u_int16_t current; + uint16_t current; enumerator = create_enumerator(this, DIFFIE_HELLMAN_GROUP); while (enumerator->enumerate(enumerator, ¤t, NULL)) @@ -193,7 +193,7 @@ static bool select_algo(private_proposal_t *this, proposal_t *other, proposal_t *selected, transform_type_t type, bool priv) { enumerator_t *e1, *e2; - u_int16_t alg1, alg2, ks1, ks2; + uint16_t alg1, alg2, ks1, ks2; bool found = FALSE, optional = FALSE; if (type == INTEGRITY_ALGORITHM && 
@@ -210,7 +210,7 @@ static bool select_algo(private_proposal_t *this, proposal_t *other, e1 = create_enumerator(this, type); e2 = other->create_enumerator(other, type); - if (!e1->enumerate(e1, NULL, NULL)) + if (!e1->enumerate(e1, &alg1, NULL)) { if (!e2->enumerate(e2, &alg2, NULL)) { @@ -219,12 +219,23 @@ static bool select_algo(private_proposal_t *this, proposal_t *other, else if (optional) { do - { /* if the other peer proposes NONE, we accept the proposal */ + { /* if NONE is proposed, we accept the proposal */ found = !alg2; } while (!found && e2->enumerate(e2, &alg2, NULL)); } } + else if (!e2->enumerate(e2, NULL, NULL)) + { + if (optional) + { + do + { /* if NONE is proposed, we accept the proposal */ + found = !alg1; + } + while (!found && e1->enumerate(e1, &alg1, NULL)); + } + } e1->destroy(e1); e1 = create_enumerator(this, type); @@ -244,7 +255,6 @@ static bool select_algo(private_proposal_t *this, proposal_t *other, "but peer implementation is unknown, skipped"); continue; } - /* ok, we have an algorithm */ selected->add_algorithm(selected, type, alg1, ks1); found = TRUE; break; @@ -288,9 +298,7 @@ METHOD(proposal_t, select_proposal, proposal_t*, } DBG2(DBG_CFG, " proposal matches"); - selected->set_spi(selected, other->get_spi(other)); - return selected; } @@ -301,12 +309,12 @@ METHOD(proposal_t, get_protocol, protocol_id_t, } METHOD(proposal_t, set_spi, void, - private_proposal_t *this, u_int64_t spi) + private_proposal_t *this, uint64_t spi) { this->spi = spi; } -METHOD(proposal_t, get_spi, u_int64_t, +METHOD(proposal_t, get_spi, uint64_t, private_proposal_t *this) { return this->spi; @@ -319,7 +327,7 @@ static bool algo_list_equals(private_proposal_t *this, proposal_t *other, transform_type_t type) { enumerator_t *e1, *e2; - u_int16_t alg1, alg2, ks1, ks2; + uint16_t alg1, alg2, ks1, ks2; bool equals = TRUE; e1 = create_enumerator(this, type); 
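Review bot: Dropping `selected->set_spi(selected, other->get_spi(other));` means the proposal returned by `select_proposal()` no longer carries the peer's SPI; it keeps whatever `proposal_create()` (outside this hunk) initialises, and any caller that still reads `get_spi()` on the result will see that value instead of the peer's. The removal looks consistent with the `prefer_self` change in ike_cfg.c, where `this` and `other` can be either side so copying `other`'s SPI would have been wrong half the time, but the contract change should be visible at the declaration: add to the `select_proposal` doc in proposal.h `The SPI of the returned proposal is not set; the caller must set it from the appropriate side.` The proposal.h hunks visible in this commit do not touch that doc comment.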
@@ -418,7 +426,7 @@ static void check_proposal(private_proposal_t *this) { enumerator_t *e; entry_t *entry; - u_int16_t alg, ks; + uint16_t alg, ks; bool all_aead = TRUE; int i; @@ -445,6 +453,16 @@ static void check_proposal(private_proposal_t *this) } } e->destroy(e); + /* remove MODP_NONE from IKE proposal */ + e = array_create_enumerator(this->transforms); + while (e->enumerate(e, &entry)) + { + if (entry->type == DIFFIE_HELLMAN_GROUP && !entry->alg) + { + array_remove_at(this->transforms, e); + } + } + e->destroy(e); } if (this->protocol == PROTO_ESP) @@ -516,7 +534,7 @@ static int print_alg(private_proposal_t *this, printf_hook_data_t *data, { enumerator_t *enumerator; size_t written = 0; - u_int16_t alg, size; + uint16_t alg, size; enumerator = create_enumerator(this, kind); while (enumerator->enumerate(enumerator, &alg, &size)) @@ -861,16 +879,18 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) case MODP_768_BIT: /* weak */ break; - case MODP_2048_BIT: - case MODP_2048_256: case MODP_2048_224: case MODP_1536_BIT: - case MODP_1024_BIT: case MODP_1024_160: case ECP_224_BIT: case ECP_224_BP: case ECP_192_BIT: case NTRU_112_BIT: + /* rarely used */ + break; + case MODP_2048_BIT: + case MODP_2048_256: + case MODP_1024_BIT: add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); break; default: diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h index 78b868868..f9f277820 100644 --- a/src/libcharon/config/proposal.h +++ b/src/libcharon/config/proposal.h 
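Review bot: `MODP_1024_BIT` stays among the groups added to the default IKE proposal while `MODP_1536_BIT` and `MODP_2048_224` move to the `/* rarely used */` branch, so the default still offers a 1024-bit MODP group even though its strength is below what current guidance (e.g. the 2015 Logjam analysis) considers adequate, and whether it ends up last in the proposal depends on the caller's enumeration order, which is outside this hunk. The case labels carry no rationale, so the next maintainer cannot tell whether this is deliberate; suggest `/* MODP_1024_BIT is weak by current standards, kept for interoperability only */` above that label, or moving it to the `rarely used` branch if legacy peers no longer need it. If it was retained on purpose, the comment alone records that decision.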
@@ -78,13 +78,13 @@ struct proposal_t { * @param key_size key size to use */ void (*add_algorithm) (proposal_t *this, transform_type_t type, - u_int16_t alg, u_int16_t key_size); + uint16_t alg, uint16_t key_size); /** * Get an enumerator over algorithms for a specifc algo type. * * @param type kind of algorithm - * @return enumerator over u_int16_t alg, u_int16_t key_size + * @return enumerator over uint16_t alg, uint16_t key_size */ enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type); @@ -99,7 +99,7 @@ struct proposal_t { * @return TRUE if algorithm of this kind available */ bool (*get_algorithm) (proposal_t *this, transform_type_t type, - u_int16_t *alg, u_int16_t *key_size); + uint16_t *alg, uint16_t *key_size); /** * Check if the proposal has a specific DH group. @@ -141,14 +141,14 @@ struct proposal_t { * * @return spi for proto */ - u_int64_t (*get_spi) (proposal_t *this); + uint64_t (*get_spi) (proposal_t *this); /** * Set the SPI of the proposal. * * @param spi spi to set for proto */ - void (*set_spi) (proposal_t *this, u_int64_t spi); + void (*set_spi) (proposal_t *this, uint64_t spi); /** * Get the proposal number, as encoded in SA payload diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c index 6dd54b473..93ff70bf3 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -105,7 +105,7 @@ struct interface_listener_t { /** * unique ID, used for various methods */ - u_int32_t id; + uint32_t id; /** * semaphore to implement wait_for_listener() 
@@ -272,6 +272,28 @@ METHOD(listener_t, ike_state_change, bool, } #endif /* ME */ case IKE_DESTROYING: + return listener_done(this); + default: + break; + } + } + return TRUE; +} + +METHOD(listener_t, ike_state_change_terminate, bool, + interface_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) +{ + ike_sa_t *target; + + this->lock->lock(this->lock); + target = this->ike_sa; + this->lock->unlock(this->lock); + + if (target == ike_sa) + { + switch (state) + { + case IKE_DESTROYING: if (ike_sa->get_state(ike_sa) == IKE_DELETING) { /* proper termination */ this->status = SUCCESS; @@ -304,10 +326,6 @@ METHOD(listener_t, child_state_change, bool, case CHILD_DESTROYING: switch (child_sa->get_state(child_sa)) { - case CHILD_DELETING: - /* proper delete */ - this->status = SUCCESS; - break; case CHILD_RETRYING: /* retrying with a different DH group; survive another * initiation round */ @@ -331,6 +349,38 @@ METHOD(listener_t, child_state_change, bool, return TRUE; } +METHOD(listener_t, child_state_change_terminate, bool, + interface_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + child_sa_state_t state) +{ + ike_sa_t *target; + + this->lock->lock(this->lock); + target = this->ike_sa; + this->lock->unlock(this->lock); + + if (target == ike_sa) + { + switch (state) + { + case CHILD_DESTROYING: + switch (child_sa->get_state(child_sa)) + { + case CHILD_DELETING: + /* proper delete */ + this->status = SUCCESS; + break; + default: + break; + } + return listener_done(this); + default: + break; + } + } + return TRUE; +} + METHOD(job_t, destroy_job, void, interface_job_t *this) { @@ -493,7 +543,7 @@ METHOD(job_t, terminate_ike_execute, job_requeue_t, interface_job_t *job) { interface_listener_t *listener = &job->listener; - u_int32_t unique_id = listener->id; + uint32_t unique_id = listener->id; ike_sa_t *ike_sa; ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, 
@@ -528,7 +578,7 @@ METHOD(job_t, terminate_ike_execute, job_requeue_t, } METHOD(controller_t, terminate_ike, status_t, - controller_t *this, u_int32_t unique_id, + controller_t *this, uint32_t unique_id, controller_cb_t callback, void *param, u_int timeout) { interface_job_t *job; @@ -537,8 +587,8 @@ METHOD(controller_t, terminate_ike, status_t, INIT(job, .listener = { .public = { - .ike_state_change = _ike_state_change, - .child_state_change = _child_state_change, + .ike_state_change = _ike_state_change_terminate, + .child_state_change = _child_state_change_terminate, }, .logger = { .public = { @@ -582,7 +632,7 @@ METHOD(job_t, terminate_child_execute, job_requeue_t, interface_job_t *job) { interface_listener_t *listener = &job->listener; - u_int32_t id = listener->id; + uint32_t id = listener->id; child_sa_t *child_sa; ike_sa_t *ike_sa; @@ -630,7 +680,7 @@ METHOD(job_t, terminate_child_execute, job_requeue_t, } METHOD(controller_t, terminate_child, status_t, - controller_t *this, u_int32_t unique_id, + controller_t *this, uint32_t unique_id, controller_cb_t callback, void *param, u_int timeout) { interface_job_t *job; @@ -639,8 +689,8 @@ METHOD(controller_t, terminate_child, status_t, INIT(job, .listener = { .public = { - .ike_state_change = _ike_state_change, - .child_state_change = _child_state_change, + .ike_state_change = _ike_state_change_terminate, + .child_state_change = _child_state_change_terminate, }, .logger = { .public = { diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h index 5ffeac522..9524f53b9 100644 --- a/src/libcharon/control/controller.h +++ b/src/libcharon/control/controller.h @@ -111,7 +111,7 @@ struct controller_t { * - NEED_MORE, if callback returned FALSE * - OUT_OF_RES if timed out */ - status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id, + status_t (*terminate_ike)(controller_t *this, uint32_t unique_id, controller_cb_t callback, void *param, u_int timeout); 
@@ -131,7 +131,7 @@ struct controller_t { * - NEED_MORE, if callback returned FALSE * - OUT_OF_RES if timed out */ - status_t (*terminate_child)(controller_t *this, u_int32_t unique_id, + status_t (*terminate_child)(controller_t *this, uint32_t unique_id, controller_cb_t callback, void *param, u_int timeout); diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index cef8b8992..532d0812e 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -1,9 +1,9 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -54,6 +54,7 @@ #include <library.h> #include <bus/listeners/sys_logger.h> #include <bus/listeners/file_logger.h> +#include <collections/array.h> #include <config/proposal.h> #include <plugins/plugin_feature.h> #include <kernel/kernel_handler.h> 
@@ -701,46 +702,68 @@ static void destroy(private_daemon_t *this) */ static void run_scripts(private_daemon_t *this, char *verb) { + struct { + char *name; + char *path; + } *script; + array_t *scripts = NULL; enumerator_t *enumerator; char *key, *value, *pos, buf[1024]; FILE *cmd; + /* copy the scripts so we don't hold any locks while executing them */ enumerator = lib->settings->create_key_value_enumerator(lib->settings, "%s.%s-scripts", lib->ns, verb); while (enumerator->enumerate(enumerator, &key, &value)) { - DBG1(DBG_DMN, "executing %s script '%s' (%s):", verb, key, value); - cmd = popen(value, "r"); + INIT(script, + .name = key, + .path = value, + ); + array_insert_create(&scripts, ARRAY_TAIL, script); + } + enumerator->destroy(enumerator); + + enumerator = array_create_enumerator(scripts); + while (enumerator->enumerate(enumerator, &script)) + { + DBG1(DBG_DMN, "executing %s script '%s' (%s)", verb, script->name, + script->path); + cmd = popen(script->path, "r"); if (!cmd) { DBG1(DBG_DMN, "executing %s script '%s' (%s) failed: %s", - verb, key, value, strerror(errno)); - continue; + verb, script->name, script->path, strerror(errno)); } - while (TRUE) + else { - if (!fgets(buf, sizeof(buf), cmd)) + while (TRUE) { - if (ferror(cmd)) + if (!fgets(buf, sizeof(buf), cmd)) { - DBG1(DBG_DMN, "reading from %s script '%s' (%s) failed", - verb, key, value); + if (ferror(cmd)) + { + DBG1(DBG_DMN, "reading from %s script '%s' (%s) failed", + verb, script->name, script->path); + } + break; } - break; - } - else - { - pos = buf + strlen(buf); - if (pos > buf && pos[-1] == '\n') + else { - pos[-1] = '\0'; + pos = buf + strlen(buf); + if (pos > buf && pos[-1] == '\n') + { + pos[-1] = '\0'; + } + DBG1(DBG_DMN, "%s: %s", script->name, buf); } - DBG1(DBG_DMN, "%s: %s", key, buf); } + pclose(cmd); } - pclose(cmd); + free(script); } enumerator->destroy(enumerator); + array_destroy(scripts); } METHOD(daemon_t, start, void, 
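Review bot: The comment `/* copy the scripts so we don't hold any locks while executing them */` promises a copy, but `INIT(script, .name = key, .path = value, )` only copies the pointers handed out by the settings enumerator; once `enumerator->destroy(enumerator)` releases the settings lock those strings are still owned by `lib->settings`, and if the configuration can be reloaded while a script runs (which is exactly what executing without the lock permits) the `script->path` passed to `popen()` may point at freed memory. Make the copy real: `.name = strdup(key), .path = strdup(value),` when building the array and `free(script->name); free(script->path);` next to the existing `free(script);`. Separately, since `popen()` hands the configured value to `/bin/sh -c`, a short comment stating that `*-scripts` values are shell command lines taken from the trusted daemon configuration would make that trust boundary explicit.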
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c index a0a508f53..41aacd4ed 100644 --- a/src/libcharon/encoding/generator.c +++ b/src/libcharon/encoding/generator.c @@ -68,22 +68,22 @@ struct private_generator_t { /** * Buffer used to generate the data into. */ - u_int8_t *buffer; + uint8_t *buffer; /** * Current write position in buffer (one byte aligned). */ - u_int8_t *out_position; + uint8_t *out_position; /** * Position of last byte in buffer. */ - u_int8_t *roof_position; + uint8_t *roof_position; /** * Current bit writing to in current byte (between 0 and 7). */ - u_int8_t current_bit; + uint8_t current_bit; /** * Associated data struct to read informations from. @@ -93,7 +93,7 @@ struct private_generator_t { /** * Offset of the header length field in the buffer. */ - u_int32_t header_length_offset; + uint32_t header_length_offset; /** * Attribute format of the last generated transform attribute. @@ -107,7 +107,7 @@ struct private_generator_t { * Depending on the value of attribute_format this field is used * to hold the length of the transform attribute in bytes. */ - u_int16_t attribute_length; + uint16_t attribute_length; /** * TRUE, if debug messages should be logged during generation. @@ -142,7 +142,7 @@ static int get_length(private_generator_t *this) /** * Get current offset in buffer (in bytes). */ -static u_int32_t get_offset(private_generator_t *this) +static uint32_t get_offset(private_generator_t *this) { return this->out_position - this->buffer; } @@ -179,7 +179,7 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes, int number_of_bytes) { int i; - u_int8_t *read_position = (u_int8_t *)bytes; + uint8_t *read_position = (uint8_t *)bytes; make_space_available(this, number_of_bytes * 8); 
@@ -195,7 +195,7 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes, * Generates a U_INT-Field type and writes it to buffer. */ static void generate_u_int_type(private_generator_t *this, - encoding_type_t int_type,u_int32_t offset) + encoding_type_t int_type,uint32_t offset) { int number_of_bits = 0; @@ -242,12 +242,12 @@ static void generate_u_int_type(private_generator_t *this, { case U_INT_4: { - u_int8_t high, low; + uint8_t high, low; if (this->current_bit == 0) { /* high of current byte in buffer has to be set to the new value*/ - high = *((u_int8_t *)(this->data_struct + offset)) << 4; + high = *((uint8_t *)(this->data_struct + offset)) << 4; /* low in buffer is not changed */ low = *(this->out_position) & 0x0F; /* high is set, low_val is not changed */ @@ -264,7 +264,7 @@ static void generate_u_int_type(private_generator_t *this, /* high in buffer is not changed */ high = *(this->out_position) & 0xF0; /* low of current byte in buffer has to be set to the new value*/ - low = *((u_int8_t *)(this->data_struct + offset)) & 0x0F; + low = *((uint8_t *)(this->data_struct + offset)) & 0x0F; *(this->out_position) = high | low; if (this->debug) { @@ -287,7 +287,7 @@ static void generate_u_int_type(private_generator_t *this, case U_INT_8: { /* 8 bit values are written as they are */ - *this->out_position = *((u_int8_t *)(this->data_struct + offset)); + *this->out_position = *((uint8_t *)(this->data_struct + offset)); if (this->debug) { DBG3(DBG_ENC, " => %d", *(this->out_position)); @@ -297,8 +297,8 @@ static void generate_u_int_type(private_generator_t *this, } case ATTRIBUTE_TYPE: { - u_int8_t attribute_format_flag; - u_int16_t val; + uint8_t attribute_format_flag; + uint16_t val; /* attribute type must not change first bit of current byte */ if (this->current_bit != 1) 
@@ -308,7 +308,7 @@ static void generate_u_int_type(private_generator_t *this, } attribute_format_flag = *(this->out_position) & 0x80; /* get attribute type value as 16 bit integer*/ - val = *((u_int16_t*)(this->data_struct + offset)); + val = *((uint16_t*)(this->data_struct + offset)); /* unset most significant bit */ val &= 0x7FFF; if (attribute_format_flag) @@ -321,7 +321,7 @@ static void generate_u_int_type(private_generator_t *this, DBG3(DBG_ENC, " => %d", val); } /* write bytes to buffer (set bit is overwritten) */ - write_bytes_to_buffer(this, &val, sizeof(u_int16_t)); + write_bytes_to_buffer(this, &val, sizeof(uint16_t)); this->current_bit = 0; break; @@ -330,33 +330,33 @@ static void generate_u_int_type(private_generator_t *this, case PAYLOAD_LENGTH: case ATTRIBUTE_LENGTH: { - u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset))); + uint16_t val = htons(*((uint16_t*)(this->data_struct + offset))); if (this->debug) { - DBG3(DBG_ENC, " %b", &val, sizeof(u_int16_t)); + DBG3(DBG_ENC, " %b", &val, sizeof(uint16_t)); } - write_bytes_to_buffer(this, &val, sizeof(u_int16_t)); + write_bytes_to_buffer(this, &val, sizeof(uint16_t)); break; } case U_INT_32: { - u_int32_t val = htonl(*((u_int32_t*)(this->data_struct + offset))); + uint32_t val = htonl(*((uint32_t*)(this->data_struct + offset))); if (this->debug) { - DBG3(DBG_ENC, " %b", &val, sizeof(u_int32_t)); + DBG3(DBG_ENC, " %b", &val, sizeof(uint32_t)); } - write_bytes_to_buffer(this, &val, sizeof(u_int32_t)); + write_bytes_to_buffer(this, &val, sizeof(uint32_t)); break; } case IKE_SPI: { /* 64 bit are written as-is, no host order conversion */ write_bytes_to_buffer(this, this->data_struct + offset, - sizeof(u_int64_t)); + sizeof(uint64_t)); if (this->debug) { DBG3(DBG_ENC, " %b", this->data_struct + offset, - sizeof(u_int64_t)); + sizeof(uint64_t)); } break; } 
@@ -372,10 +372,10 @@ static void generate_u_int_type(private_generator_t *this, /** * Generate a FLAG filed */ -static void generate_flag(private_generator_t *this, u_int32_t offset) +static void generate_flag(private_generator_t *this, uint32_t offset) { - u_int8_t flag_value; - u_int8_t flag; + uint8_t flag_value; + uint8_t flag; flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0; /* get flag position */ @@ -406,7 +406,7 @@ static void generate_flag(private_generator_t *this, u_int32_t offset) /** * Generates a bytestream from a chunk_t. */ -static void generate_from_chunk(private_generator_t *this, u_int32_t offset) +static void generate_from_chunk(private_generator_t *this, uint32_t offset) { chunk_t *value; @@ -427,11 +427,11 @@ static void generate_from_chunk(private_generator_t *this, u_int32_t offset) } METHOD(generator_t, get_chunk, chunk_t, - private_generator_t *this, u_int32_t **lenpos) + private_generator_t *this, uint32_t **lenpos) { chunk_t data; - *lenpos = (u_int32_t*)(this->buffer + this->header_length_offset); + *lenpos = (uint32_t*)(this->buffer + this->header_length_offset); data = chunk_create(this->buffer, get_length(this)); if (this->debug) { @@ -537,7 +537,7 @@ METHOD(generator_t, generate_payload, void, generate_u_int_type(this, U_INT_16, rules[i].offset); /* this field hold the length of the attribute */ this->attribute_length = - *((u_int16_t *)(this->data_struct + rules[i].offset)); + *((uint16_t *)(this->data_struct + rules[i].offset)); } break; case ATTRIBUTE_VALUE: diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h index c2c0aad2a..375530776 100644 --- a/src/libcharon/encoding/generator.h +++ b/src/libcharon/encoding/generator.h 
@@ -57,7 +57,7 @@ struct generator_t { * @param lenpos receives a pointer to fill in length value * @param return chunk to internal buffer. */ - chunk_t (*get_chunk) (generator_t *this, u_int32_t **lenpos); + chunk_t (*get_chunk) (generator_t *this, uint32_t **lenpos); /** * Destroys a generator_t object. diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index bbdc4629d..1fd644203 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -829,7 +829,7 @@ typedef struct { * fragments we expect. * For IKEv2 we store the total number of fragment we received last. */ - u_int16_t last; + uint16_t last; /** * Length of all currently received fragments. @@ -858,12 +858,12 @@ struct private_message_t { /** * Minor version of message. */ - u_int8_t major_version; + uint8_t major_version; /** * Major version of message. */ - u_int8_t minor_version; + uint8_t minor_version; /** * First Payload in message. @@ -903,7 +903,7 @@ struct private_message_t { /** * Message ID of this message. */ - u_int32_t message_id; + uint32_t message_id; /** * ID of assigned IKE_SA. @@ -953,7 +953,7 @@ struct private_message_t { typedef struct { /** fragment number */ - u_int8_t num; + uint8_t num; /** fragment data */ chunk_t data; 
@@ -1024,48 +1024,48 @@ METHOD(message_t, get_ike_sa_id, ike_sa_id_t*, } METHOD(message_t, set_message_id, void, - private_message_t *this,u_int32_t message_id) + private_message_t *this,uint32_t message_id) { this->message_id = message_id; } -METHOD(message_t, get_message_id, u_int32_t, +METHOD(message_t, get_message_id, uint32_t, private_message_t *this) { return this->message_id; } -METHOD(message_t, get_initiator_spi, u_int64_t, +METHOD(message_t, get_initiator_spi, uint64_t, private_message_t *this) { return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id)); } -METHOD(message_t, get_responder_spi, u_int64_t, +METHOD(message_t, get_responder_spi, uint64_t, private_message_t *this) { return (this->ike_sa_id->get_responder_spi(this->ike_sa_id)); } METHOD(message_t, set_major_version, void, - private_message_t *this, u_int8_t major_version) + private_message_t *this, uint8_t major_version) { this->major_version = major_version; } -METHOD(message_t, get_major_version, u_int8_t, +METHOD(message_t, get_major_version, uint8_t, private_message_t *this) { return this->major_version; } METHOD(message_t, set_minor_version, void, - private_message_t *this,u_int8_t minor_version) + private_message_t *this,uint8_t minor_version) { this->minor_version = minor_version; } -METHOD(message_t, get_minor_version, u_int8_t, +METHOD(message_t, get_minor_version, uint8_t, private_message_t *this) { return this->minor_version; @@ -1331,7 +1331,7 @@ static char* get_string(private_message_t *this, char *buf, int len) if (payload->get_type(payload) == PLV2_EAP) { eap_payload_t *eap = (eap_payload_t*)payload; - u_int32_t vendor; + uint32_t vendor; eap_type_t type; char method[64] = ""; @@ -1790,7 +1790,7 @@ static status_t finalize_message(private_message_t *this, keymat_t *keymat, { keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat; chunk_t chunk; - u_int32_t *lenpos; + uint32_t *lenpos; if (encrypted) { 
@@ -1893,7 +1893,7 @@ static message_t *clone_message(private_message_t *this) * Create a single fragment with the given data */ static message_t *create_fragment(private_message_t *this, payload_type_t next, - u_int16_t num, u_int16_t count, chunk_t data) + uint16_t num, uint16_t count, chunk_t data) { enumerator_t *enumerator; payload_t *fragment, *payload; @@ -1972,11 +1972,11 @@ METHOD(message_t, fragment, status_t, message_t *fragment; packet_t *packet; payload_type_t next = PL_NONE; - u_int16_t num, count; + uint16_t num, count; host_t *src, *dst; chunk_t data; status_t status; - u_int32_t *lenpos; + uint32_t *lenpos; size_t len; src = this->packet->get_source(this->packet); @@ -2703,7 +2703,7 @@ METHOD(message_t, parse_body, status_t, /** * Store the fragment data for the fragment with the given fragment number. */ -static status_t add_fragment(private_message_t *this, u_int16_t num, +static status_t add_fragment(private_message_t *this, uint16_t num, chunk_t data) { fragment_t *fragment; @@ -2777,7 +2777,7 @@ METHOD(message_t, add_fragment_v1, status_t, { fragment_payload_t *payload; chunk_t data; - u_int8_t num; + uint8_t num; status_t status; if (!this->frag) @@ -2840,7 +2840,7 @@ METHOD(message_t, add_fragment_v2, status_t, payload_t *payload; enumerator_t *enumerator; chunk_t data; - u_int16_t total, num; + uint16_t total, num; status_t status; if (!this->frag) diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h index a03aa8e96..8c4372974 100644 --- a/src/libcharon/encoding/message.h +++ b/src/libcharon/encoding/message.h 
@@ -49,56 +49,56 @@ struct message_t { * * @param major_version major version to set */ - void (*set_major_version) (message_t *this, u_int8_t major_version); + void (*set_major_version) (message_t *this, uint8_t major_version); /** * Gets the IKE major version of the message. * * @return major version of the message */ - u_int8_t (*get_major_version) (message_t *this); + uint8_t (*get_major_version) (message_t *this); /** * Sets the IKE minor version of the message. * * @param minor_version minor version to set */ - void (*set_minor_version) (message_t *this, u_int8_t minor_version); + void (*set_minor_version) (message_t *this, uint8_t minor_version); /** * Gets the IKE minor version of the message. * * @return minor version of the message */ - u_int8_t (*get_minor_version) (message_t *this); + uint8_t (*get_minor_version) (message_t *this); /** * Sets the Message ID of the message. * * @param message_id message_id to set */ - void (*set_message_id) (message_t *this, u_int32_t message_id); + void (*set_message_id) (message_t *this, uint32_t message_id); /** * Gets the Message ID of the message. * * @return message_id type of the message */ - u_int32_t (*get_message_id) (message_t *this); + uint32_t (*get_message_id) (message_t *this); /** * Gets the initiator SPI of the message. * * @return initiator spi of the message */ - u_int64_t (*get_initiator_spi) (message_t *this); + uint64_t (*get_initiator_spi) (message_t *this); /** * Gets the responder SPI of the message. * * @return responder spi of the message */ - u_int64_t (*get_responder_spi) (message_t *this); + uint64_t (*get_responder_spi) (message_t *this); /** * Sets the IKE_SA ID of the message. diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c index f8340367e..c9d6b0d8f 100644 --- a/src/libcharon/encoding/parser.c +++ b/src/libcharon/encoding/parser.c 
@@ -61,27 +61,27 @@ struct private_parser_t { /** * major IKE version */ - u_int8_t major_version; + uint8_t major_version; /** * Current bit for reading in input data. */ - u_int8_t bit_pos; + uint8_t bit_pos; /** * Current byte for reading in input data. */ - u_int8_t *byte_pos; + uint8_t *byte_pos; /** * Input data to parse. */ - u_int8_t *input; + uint8_t *input; /** * Roof of input, used for length-checking. */ - u_int8_t *input_roof; + uint8_t *input_roof; /** * Set of encoding rules for this parsing session. @@ -113,9 +113,9 @@ static bool bad_bitpos(private_parser_t *this, int number) * Parse a 4-Bit unsigned integer from the current parsing position. */ static bool parse_uint4(private_parser_t *this, int rule_number, - u_int8_t *output_pos) + uint8_t *output_pos) { - if (this->byte_pos + sizeof(u_int8_t) > this->input_roof) + if (this->byte_pos + sizeof(uint8_t) > this->input_roof) { return short_input(this, rule_number); } @@ -150,9 +150,9 @@ static bool parse_uint4(private_parser_t *this, int rule_number, * Parse a 8-Bit unsigned integer from the current parsing position. */ static bool parse_uint8(private_parser_t *this, int rule_number, - u_int8_t *output_pos) + uint8_t *output_pos) { - if (this->byte_pos + sizeof(u_int8_t) > this->input_roof) + if (this->byte_pos + sizeof(uint8_t) > this->input_roof) { return short_input(this, rule_number); } @@ -173,9 +173,9 @@ static bool parse_uint8(private_parser_t *this, int rule_number, * Parse a 15-Bit unsigned integer from the current parsing position. */ static bool parse_uint15(private_parser_t *this, int rule_number, - u_int16_t *output_pos) + uint16_t *output_pos) { - if (this->byte_pos + sizeof(u_int16_t) > this->input_roof) + if (this->byte_pos + sizeof(uint16_t) > this->input_roof) { return short_input(this, rule_number); } 
@@ -185,11 +185,11 @@ static bool parse_uint15(private_parser_t *this, int rule_number, } if (output_pos) { - memcpy(output_pos, this->byte_pos, sizeof(u_int16_t)); + memcpy(output_pos, this->byte_pos, sizeof(uint16_t)); *output_pos = ntohs(*output_pos) & ~0x8000; DBG3(DBG_ENC, " => %hu", *output_pos); } - this->byte_pos += sizeof(u_int16_t); + this->byte_pos += sizeof(uint16_t); this->bit_pos = 0; return TRUE; } @@ -198,9 +198,9 @@ static bool parse_uint15(private_parser_t *this, int rule_number, * Parse a 16-Bit unsigned integer from the current parsing position. */ static bool parse_uint16(private_parser_t *this, int rule_number, - u_int16_t *output_pos) + uint16_t *output_pos) { - if (this->byte_pos + sizeof(u_int16_t) > this->input_roof) + if (this->byte_pos + sizeof(uint16_t) > this->input_roof) { return short_input(this, rule_number); } @@ -210,20 +210,20 @@ static bool parse_uint16(private_parser_t *this, int rule_number, } if (output_pos) { - memcpy(output_pos, this->byte_pos, sizeof(u_int16_t)); + memcpy(output_pos, this->byte_pos, sizeof(uint16_t)); *output_pos = ntohs(*output_pos); DBG3(DBG_ENC, " => %hu", *output_pos); } - this->byte_pos += sizeof(u_int16_t); + this->byte_pos += sizeof(uint16_t); return TRUE; } /** * Parse a 32-Bit unsigned integer from the current parsing position. */ static bool parse_uint32(private_parser_t *this, int rule_number, - u_int32_t *output_pos) + uint32_t *output_pos) { - if (this->byte_pos + sizeof(u_int32_t) > this->input_roof) + if (this->byte_pos + sizeof(uint32_t) > this->input_roof) { return short_input(this, rule_number); } @@ -233,11 +233,11 @@ static bool parse_uint32(private_parser_t *this, int rule_number, } if (output_pos) { - memcpy(output_pos, this->byte_pos, sizeof(u_int32_t)); + memcpy(output_pos, this->byte_pos, sizeof(uint32_t)); *output_pos = ntohl(*output_pos); DBG3(DBG_ENC, " => %u", *output_pos); } - this->byte_pos += sizeof(u_int32_t); + this->byte_pos += sizeof(uint32_t); return TRUE; } 
@@ -245,7 +245,7 @@ static bool parse_uint32(private_parser_t *this, int rule_number, * Parse a given amount of bytes and writes them to a specific location */ static bool parse_bytes(private_parser_t *this, int rule_number, - u_int8_t *output_pos, int bytes) + uint8_t *output_pos, int bytes) { if (this->byte_pos + bytes > this->input_roof) { @@ -270,13 +270,13 @@ static bool parse_bytes(private_parser_t *this, int rule_number, static bool parse_bit(private_parser_t *this, int rule_number, bool *output_pos) { - if (this->byte_pos + sizeof(u_int8_t) > this->input_roof) + if (this->byte_pos + sizeof(uint8_t) > this->input_roof) { return short_input(this, rule_number); } if (output_pos) { - u_int8_t mask; + uint8_t mask; mask = 0x01 << (7 - this->bit_pos); *output_pos = *this->byte_pos & mask; @@ -312,7 +312,7 @@ static bool parse_list(private_parser_t *this, int rule_number, } while (length > 0) { - u_int8_t *pos_before = this->byte_pos; + uint8_t *pos_before = this->byte_pos; payload_t *payload; DBG2(DBG_ENC, " %d bytes left, parsing recursively %N", @@ -368,7 +368,7 @@ METHOD(parser_t, parse_payload, status_t, payload_t *pld; void *output; int payload_length = 0, spi_size = 0, attribute_length = 0, header_length; - u_int16_t ts_type = 0; + uint16_t ts_type = 0; bool attribute_format = FALSE; int rule_number, rule_count; encoding_rule_t *rule; @@ -468,7 +468,7 @@ METHOD(parser_t, parse_payload, status_t, return PARSE_ERROR; } /* parsed u_int16 should be aligned */ - payload_length = *(u_int16_t*)(output + rule->offset); + payload_length = *(uint16_t*)(output + rule->offset); /* all payloads must have at least 4 bytes header */ if (payload_length < 4) { @@ -484,7 +484,7 @@ METHOD(parser_t, parse_payload, status_t, pld->destroy(pld); return PARSE_ERROR; } - spi_size = *(u_int8_t*)(output + rule->offset); + spi_size = *(uint8_t*)(output + rule->offset); break; } case SPI: 
@@ -564,7 +564,7 @@ METHOD(parser_t, parse_payload, status_t, pld->destroy(pld); return PARSE_ERROR; } - attribute_length = *(u_int16_t*)(output + rule->offset); + attribute_length = *(uint16_t*)(output + rule->offset); break; } case ATTRIBUTE_LENGTH_OR_VALUE: @@ -574,7 +574,7 @@ METHOD(parser_t, parse_payload, status_t, pld->destroy(pld); return PARSE_ERROR; } - attribute_length = *(u_int16_t*)(output + rule->offset); + attribute_length = *(uint16_t*)(output + rule->offset); break; } case ATTRIBUTE_VALUE: @@ -595,7 +595,7 @@ METHOD(parser_t, parse_payload, status_t, pld->destroy(pld); return PARSE_ERROR; } - ts_type = *(u_int8_t*)(output + rule->offset); + ts_type = *(uint8_t*)(output + rule->offset); break; } case ADDRESS: @@ -642,7 +642,7 @@ METHOD(parser_t, reset_context, void, } METHOD(parser_t, set_major_version, void, - private_parser_t *this, u_int8_t major_version) + private_parser_t *this, uint8_t major_version) { this->major_version = major_version; } diff --git a/src/libcharon/encoding/parser.h b/src/libcharon/encoding/parser.h index 5fd3e86ee..8f073556e 100644 --- a/src/libcharon/encoding/parser.h +++ b/src/libcharon/encoding/parser.h @@ -68,7 +68,7 @@ struct parser_t { * * @param major_version the major IKE version */ - void (*set_major_version) (parser_t *this, u_int8_t major_version); + void (*set_major_version) (parser_t *this, uint8_t major_version); /** * Destroys a parser_t object. diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c index ee3ed54fd..9d03bb694 100644 --- a/src/libcharon/encoding/payloads/auth_payload.c +++ b/src/libcharon/encoding/payloads/auth_payload.c @@ -35,7 +35,7 @@ struct private_auth_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. 
@@ -50,17 +50,17 @@ struct private_auth_payload_t { /** * Reserved bytes */ - u_int8_t reserved_byte[3]; + uint8_t reserved_byte[3]; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Method of the AUTH Data. */ - u_int8_t auth_method; + uint8_t auth_method; /** * The contained auth data value. diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index 43993ae48..ea25ca73c 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c @@ -55,7 +55,7 @@ struct private_cert_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -70,12 +70,12 @@ struct private_cert_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Encoding of the CERT Data. */ - u_int8_t encoding; + uint8_t encoding; /** * The contained cert data value. diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c index 6ac90a2a0..09bfa2458 100644 --- a/src/libcharon/encoding/payloads/certreq_payload.c +++ b/src/libcharon/encoding/payloads/certreq_payload.c @@ -38,7 +38,7 @@ struct private_certreq_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -53,12 +53,12 @@ struct private_certreq_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Encoding of the CERT Data. */ - u_int8_t encoding; + uint8_t encoding; /** * The contained certreq data value. diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c index 4ecdf569d..32e4828ba 100644 --- a/src/libcharon/encoding/payloads/configuration_attribute.c +++ b/src/libcharon/encoding/payloads/configuration_attribute.c 
@@ -48,12 +48,12 @@ struct private_configuration_attribute_t { /** * Type of the attribute. */ - u_int16_t attr_type; + uint16_t attr_type; /** * Length of the attribute, value if af_flag set. */ - u_int16_t length_or_value; + uint16_t length_or_value; /** * Attribute value as chunk. @@ -272,7 +272,7 @@ METHOD(configuration_attribute_t, get_chunk, chunk_t, return this->value; } -METHOD(configuration_attribute_t, get_value, u_int16_t, +METHOD(configuration_attribute_t, get_value, uint16_t, private_configuration_attribute_t *this) { if (this->af_flag) @@ -328,7 +328,7 @@ configuration_attribute_t *configuration_attribute_create_chunk( this = (private_configuration_attribute_t*) configuration_attribute_create(type); - this->attr_type = ((u_int16_t)attr_type) & 0x7FFF; + this->attr_type = ((uint16_t)attr_type) & 0x7FFF; this->value = chunk_clone(chunk); this->length_or_value = chunk.len; @@ -339,13 +339,13 @@ configuration_attribute_t *configuration_attribute_create_chunk( * Described in header. */ configuration_attribute_t *configuration_attribute_create_value( - configuration_attribute_type_t attr_type, u_int16_t value) + configuration_attribute_type_t attr_type, uint16_t value) { private_configuration_attribute_t *this; this = (private_configuration_attribute_t*) configuration_attribute_create(PLV1_CONFIGURATION_ATTRIBUTE); - this->attr_type = ((u_int16_t)attr_type) & 0x7FFF; + this->attr_type = ((uint16_t)attr_type) & 0x7FFF; this->length_or_value = value; this->af_flag = TRUE; diff --git a/src/libcharon/encoding/payloads/configuration_attribute.h b/src/libcharon/encoding/payloads/configuration_attribute.h index 946c1b500..417ba731b 100644 --- a/src/libcharon/encoding/payloads/configuration_attribute.h +++ b/src/libcharon/encoding/payloads/configuration_attribute.h 
@@ -57,7 +57,7 @@ struct configuration_attribute_t { * * @return attribute value */ - u_int16_t (*get_value) (configuration_attribute_t *this); + uint16_t (*get_value) (configuration_attribute_t *this); /** * Destroys an configuration_attribute_t object. @@ -92,6 +92,6 @@ configuration_attribute_t *configuration_attribute_create_chunk( * @return created PLV1_CONFIGURATION_ATTRIBUTE configuration attribute */ configuration_attribute_t *configuration_attribute_create_value( - configuration_attribute_type_t attr_type, u_int16_t value); + configuration_attribute_type_t attr_type, uint16_t value); #endif /** CONFIGURATION_ATTRIBUTE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c index ef9df84f7..d86693ee2 100644 --- a/src/libcharon/encoding/payloads/cp_payload.c +++ b/src/libcharon/encoding/payloads/cp_payload.c @@ -44,7 +44,7 @@ struct private_cp_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -59,17 +59,17 @@ struct private_cp_payload_t { /** * Reserved bytes */ - u_int8_t reserved_byte[3]; + uint8_t reserved_byte[3]; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Identifier field, IKEv1 only */ - u_int16_t identifier; + uint16_t identifier; /** * List of attributes, as configuration_attribute_t @@ -79,7 +79,7 @@ struct private_cp_payload_t { /** * Config Type. */ - u_int8_t cfg_type; + uint8_t cfg_type; /** * PLV2_CONFIGURATION or PLV1_CONFIGURATION @@ -269,13 +269,13 @@ METHOD(cp_payload_t, get_config_type, config_type_t, return this->cfg_type; } -METHOD(cp_payload_t, get_identifier, u_int16_t, +METHOD(cp_payload_t, get_identifier, uint16_t, private_cp_payload_t *this) { return this->identifier; } METHOD(cp_payload_t, set_identifier, void, - private_cp_payload_t *this, u_int16_t identifier) + private_cp_payload_t *this, uint16_t identifier) { this->identifier = identifier; } 
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h index d466989d6..3e4763fb6 100644 --- a/src/libcharon/encoding/payloads/cp_payload.h +++ b/src/libcharon/encoding/payloads/cp_payload.h @@ -82,14 +82,14 @@ struct cp_payload_t { * @param identifier identifier to set */ - void (*set_identifier) (cp_payload_t *this, u_int16_t identifier); + void (*set_identifier) (cp_payload_t *this, uint16_t identifier); /** * Get the configuration payload identifier (IKEv1 only). * * @return identifier */ - u_int16_t (*get_identifier) (cp_payload_t *this); + uint16_t (*get_identifier) (cp_payload_t *this); /** * Destroys an cp_payload_t object. diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c index f11ea485c..584e6f22b 100644 --- a/src/libcharon/encoding/payloads/delete_payload.c +++ b/src/libcharon/encoding/payloads/delete_payload.c @@ -36,7 +36,7 @@ struct private_delete_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -51,27 +51,27 @@ struct private_delete_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * IKEv1 Domain of Interpretation */ - u_int32_t doi; + uint32_t doi; /** * Protocol ID. */ - u_int8_t protocol_id; + uint8_t protocol_id; /** * SPI Size. */ - u_int8_t spi_size; + uint8_t spi_size; /** * Number of SPI's. */ - u_int16_t spi_count; + uint16_t spi_count; /** * The contained SPI's. @@ -257,7 +257,7 @@ METHOD(delete_payload_t, get_protocol_id, protocol_id_t, } METHOD(delete_payload_t, add_spi, void, - private_delete_payload_t *this, u_int32_t spi) + private_delete_payload_t *this, uint32_t spi) { switch (this->protocol_id) { 
@@ -273,7 +273,7 @@ METHOD(delete_payload_t, add_spi, void, } METHOD(delete_payload_t, set_ike_spi, void, - private_delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r) + private_delete_payload_t *this, uint64_t spi_i, uint64_t spi_r) { free(this->spis.ptr); this->spis = chunk_cat("cc", chunk_from_thing(spi_i), @@ -283,15 +283,15 @@ METHOD(delete_payload_t, set_ike_spi, void, } METHOD(delete_payload_t, get_ike_spi, bool, - private_delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r) + private_delete_payload_t *this, uint64_t *spi_i, uint64_t *spi_r) { if (this->protocol_id != PROTO_IKE || - this->spis.len < 2 * sizeof(u_int64_t)) + this->spis.len < 2 * sizeof(uint64_t)) { return FALSE; } - memcpy(spi_i, this->spis.ptr, sizeof(u_int64_t)); - memcpy(spi_r, this->spis.ptr + sizeof(u_int64_t), sizeof(u_int64_t)); + memcpy(spi_i, this->spis.ptr, sizeof(uint64_t)); + memcpy(spi_r, this->spis.ptr + sizeof(uint64_t), sizeof(uint64_t)); return TRUE; } @@ -306,7 +306,7 @@ typedef struct { } spi_enumerator_t; METHOD(enumerator_t, spis_enumerate, bool, - spi_enumerator_t *this, u_int32_t *spi) + spi_enumerator_t *this, uint32_t *spi) { if (this->spis.len >= sizeof(*spi)) { @@ -322,7 +322,7 @@ METHOD(delete_payload_t, create_spi_enumerator, enumerator_t*, { spi_enumerator_t *e; - if (this->spi_size != sizeof(u_int32_t)) + if (this->spi_size != sizeof(uint32_t)) { return enumerator_create_empty(); } diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h index 6728718cd..06ed76c2e 100644 --- a/src/libcharon/encoding/payloads/delete_payload.h +++ b/src/libcharon/encoding/payloads/delete_payload.h @@ -51,7 +51,7 @@ struct delete_payload_t { * * @param spi spi to add */ - void (*add_spi) (delete_payload_t *this, u_int32_t spi); + void (*add_spi) (delete_payload_t *this, uint32_t spi); /** * Set the IKE SPIs for an IKEv1 delete. 
@@ -59,7 +59,7 @@ struct delete_payload_t { * @param spi_i initiator SPI * @param spi_r responder SPI */ - void (*set_ike_spi)(delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r); + void (*set_ike_spi)(delete_payload_t *this, uint64_t spi_i, uint64_t spi_r); /** * Get the IKE SPIs from an IKEv1 delete. @@ -68,12 +68,12 @@ struct delete_payload_t { * @param spi_r responder SPI * @return TRUE if SPIs extracted successfully */ - bool (*get_ike_spi)(delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r); + bool (*get_ike_spi)(delete_payload_t *this, uint64_t *spi_i, uint64_t *spi_r); /** * Get an enumerator over the SPIs in network order. * - * @return enumerator over SPIs, u_int32_t + * @return enumerator over SPIs, uint32_t */ enumerator_t *(*create_spi_enumerator) (delete_payload_t *this); diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index ebdf8a3fe..8c3fc5933 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -38,7 +38,7 @@ struct private_eap_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -53,7 +53,7 @@ struct private_eap_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * EAP message data, if available @@ -102,8 +102,8 @@ static encoding_rule_t encodings[] = { METHOD(payload_t, verify, status_t, private_eap_payload_t *this) { - u_int16_t length; - u_int8_t code; + uint16_t length; + uint8_t code; if (this->data.len < 4) { @@ -208,7 +208,7 @@ METHOD(eap_payload_t, get_code, eap_code_t, return 0; } -METHOD(eap_payload_t, get_identifier, u_int8_t, +METHOD(eap_payload_t, get_identifier, uint8_t, private_eap_payload_t *this) { if (this->data.len > 1) 
@@ -224,7 +224,7 @@ METHOD(eap_payload_t, get_identifier, u_int8_t, * @return the new offset or 0 if failed */ static size_t extract_type(private_eap_payload_t *this, size_t offset, - eap_type_t *type, u_int32_t *vendor) + eap_type_t *type, uint32_t *vendor) { if (this->data.len > offset) { @@ -245,7 +245,7 @@ static size_t extract_type(private_eap_payload_t *this, size_t offset, } METHOD(eap_payload_t, get_type, eap_type_t, - private_eap_payload_t *this, u_int32_t *vendor) + private_eap_payload_t *this, uint32_t *vendor) { eap_type_t type; @@ -270,7 +270,7 @@ typedef struct { } type_enumerator_t; METHOD(enumerator_t, enumerate_types, bool, - type_enumerator_t *this, eap_type_t *type, u_int32_t *vendor) + type_enumerator_t *this, eap_type_t *type, uint32_t *vendor) { this->offset = extract_type(this->payload, this->offset, type, vendor); return this->offset; @@ -281,7 +281,7 @@ METHOD(eap_payload_t, get_types, enumerator_t*, { type_enumerator_t *enumerator; eap_type_t type; - u_int32_t vendor; + uint32_t vendor; size_t offset; offset = extract_type(this, 4, &type, &vendor); @@ -373,7 +373,7 @@ eap_payload_t *eap_payload_create_data_own(chunk_t data) /* * Described in header */ -eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier) +eap_payload_t *eap_payload_create_code(eap_code_t code, uint8_t identifier) { chunk_t data; @@ -385,7 +385,7 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier) /** * Write the given type either expanded or not */ -static void write_type(bio_writer_t *writer, eap_type_t type, u_int32_t vendor, +static void write_type(bio_writer_t *writer, eap_type_t type, uint32_t vendor, bool expanded) { if (expanded) 
@@ -403,12 +403,12 @@ static void write_type(bio_writer_t *writer, eap_type_t type, u_int32_t vendor, /* * Described in header */ -eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type, - u_int32_t vendor, bool expanded) +eap_payload_t *eap_payload_create_nak(uint8_t identifier, eap_type_t type, + uint32_t vendor, bool expanded) { enumerator_t *enumerator; eap_type_t reg_type; - u_int32_t reg_vendor; + uint32_t reg_vendor; bio_writer_t *writer; chunk_t data; bool added_any = FALSE, found_vendor = FALSE; diff --git a/src/libcharon/encoding/payloads/eap_payload.h b/src/libcharon/encoding/payloads/eap_payload.h index e8ed1c5e7..abaefde28 100644 --- a/src/libcharon/encoding/payloads/eap_payload.h +++ b/src/libcharon/encoding/payloads/eap_payload.h @@ -72,7 +72,7 @@ struct eap_payload_t { * * @return unique identifier */ - u_int8_t (*get_identifier) (eap_payload_t *this); + uint8_t (*get_identifier) (eap_payload_t *this); /** * Get the EAP method type. @@ -80,13 +80,13 @@ struct eap_payload_t { * @param vendor pointer receiving vendor identifier * @return EAP method type, vendor specific if vendor != 0 */ - eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor); + eap_type_t (*get_type) (eap_payload_t *this, uint32_t *vendor); /** * Enumerate the EAP method types contained in an EAP-Nak (i.e. get_type() * returns EAP_NAK). * - * @return enumerator over (eap_type_t type, u_int32_t vendor) + * @return enumerator over (eap_type_t type, uint32_t vendor) */ enumerator_t* (*get_types) (eap_payload_t *this); @@ -136,7 +136,7 @@ eap_payload_t *eap_payload_create_data_own(chunk_t data); * @param identifier EAP identifier to use in payload * @return eap_payload_t object */ -eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier); +eap_payload_t *eap_payload_create_code(eap_code_t code, uint8_t identifier); /** * Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK. 
@@ -147,7 +147,7 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier); * @param expanded TRUE to send an expanded Nak * @return eap_payload_t object */ -eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type, - u_int32_t vendor, bool expanded); +eap_payload_t *eap_payload_create_nak(uint8_t identifier, eap_type_t type, + uint32_t vendor, bool expanded); #endif /** EAP_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/encodings.h b/src/libcharon/encoding/payloads/encodings.h index 54830bc8c..442bf7489 100644 --- a/src/libcharon/encoding/payloads/encodings.h +++ b/src/libcharon/encoding/payloads/encodings.h @@ -289,10 +289,10 @@ enum encoding_type_t { /** * Representating an IKE_SPI field in an IKEv2 Header. * - * When generating the value of the u_int64_t pointing to + * When generating the value of the uint64_t pointing to * is written (host and networ order is not changed). * - * When parsing 8 bytes are read and written into the u_int64_t pointing to. + * When parsing 8 bytes are read and written into the uint64_t pointing to. */ IKE_SPI, @@ -342,7 +342,7 @@ struct encoding_rule_t { * When generating, data are read from this offset in the * data struct. */ - u_int32_t offset; + uint32_t offset; }; #endif /** ENCODINGS_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/encrypted_fragment_payload.h b/src/libcharon/encoding/payloads/encrypted_fragment_payload.h index 1c2cc379f..6ff61dd65 100644 --- a/src/libcharon/encoding/payloads/encrypted_fragment_payload.h +++ b/src/libcharon/encoding/payloads/encrypted_fragment_payload.h 
@@ -42,14 +42,14 @@ struct encrypted_fragment_payload_t { * * @return fragment number */ - u_int16_t (*get_fragment_number)(encrypted_fragment_payload_t *this); + uint16_t (*get_fragment_number)(encrypted_fragment_payload_t *this); /** * Get the total number of fragments. * * @return total number of fragments */ - u_int16_t (*get_total_fragments)(encrypted_fragment_payload_t *this); + uint16_t (*get_total_fragments)(encrypted_fragment_payload_t *this); /** * Get the (decrypted) content of this payload. @@ -80,6 +80,6 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create(); * @return encrypted_fragment_payload_t object */ encrypted_fragment_payload_t *encrypted_fragment_payload_create_from_data( - u_int16_t num, u_int16_t total, chunk_t data); + uint16_t num, uint16_t total, chunk_t data); #endif /** ENCRYPTED_FRAGMENT_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c index d1a267836..a033f6081 100644 --- a/src/libcharon/encoding/payloads/encrypted_payload.c +++ b/src/libcharon/encoding/payloads/encrypted_payload.c @@ -43,17 +43,17 @@ struct private_encrypted_payload_t { * next_payload means here the first payload of the * contained, encrypted payload. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Flags, including reserved bits */ - u_int8_t flags; + uint8_t flags; /** * Length of this payload */ - u_int16_t payload_length; + uint16_t payload_length; /** * Chunk containing the IV, plain, padding and ICV. @@ -88,17 +88,17 @@ struct private_encrypted_fragment_payload_t { * the original encrypted payload, for all other fragments it MUST be set * to zero. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Flags, including reserved bits */ - u_int8_t flags; + uint8_t flags; /** * Length of this payload */ - u_int16_t payload_length; + uint16_t payload_length; /** * Chunk containing the IV, plain, padding and ICV. 
@@ -108,12 +108,12 @@ struct private_encrypted_fragment_payload_t { /** * Fragment number */ - u_int16_t fragment_number; + uint16_t fragment_number; /** * Total fragments */ - u_int16_t total_fragments; + uint16_t total_fragments; /** * AEAD transform to use @@ -366,7 +366,7 @@ static chunk_t generate(private_encrypted_payload_t *this, { payload_t *current, *next; enumerator_t *enumerator; - u_int32_t *lenpos; + uint32_t *lenpos; chunk_t chunk = chunk_empty; enumerator = this->payloads->create_enumerator(this->payloads); @@ -402,9 +402,9 @@ METHOD(encrypted_payload_t, generate_payloads, void, static chunk_t append_header(private_encrypted_payload_t *this, chunk_t assoc) { struct { - u_int8_t next_payload; - u_int8_t flags; - u_int16_t length; + uint8_t next_payload; + uint8_t flags; + uint16_t length; } __attribute__((packed)) header = { .next_payload = this->next_payload, .flags = this->flags, @@ -416,7 +416,7 @@ static chunk_t append_header(private_encrypted_payload_t *this, chunk_t assoc) /** * Encrypts the data in plain and returns it in an allocated chunk. */ -static status_t encrypt_content(char *label, aead_t *aead, u_int64_t mid, +static status_t encrypt_content(char *label, aead_t *aead, uint64_t mid, chunk_t plain, chunk_t assoc, chunk_t *encrypted) { chunk_t iv, padding, icv, crypt; @@ -486,7 +486,7 @@ static status_t encrypt_content(char *label, aead_t *aead, u_int64_t mid, } METHOD(encrypted_payload_t, encrypt, status_t, - private_encrypted_payload_t *this, u_int64_t mid, chunk_t assoc) + private_encrypted_payload_t *this, uint64_t mid, chunk_t assoc) { generator_t *generator; chunk_t plain; @@ -512,7 +512,7 @@ METHOD(encrypted_payload_t, encrypt, status_t, } METHOD(encrypted_payload_t, encrypt_v1, status_t, - private_encrypted_payload_t *this, u_int64_t mid, chunk_t iv) + private_encrypted_payload_t *this, uint64_t mid, chunk_t iv) { generator_t *generator; chunk_t plain, padding; 
@@ -869,13 +869,13 @@ METHOD2(payload_t, encrypted_payload_t, frag_get_length, size_t, return this->payload_length; } -METHOD(encrypted_fragment_payload_t, get_fragment_number, u_int16_t, +METHOD(encrypted_fragment_payload_t, get_fragment_number, uint16_t, private_encrypted_fragment_payload_t *this) { return this->fragment_number; } -METHOD(encrypted_fragment_payload_t, get_total_fragments, u_int16_t, +METHOD(encrypted_fragment_payload_t, get_total_fragments, uint16_t, private_encrypted_fragment_payload_t *this) { return this->total_fragments; @@ -906,11 +906,11 @@ static chunk_t append_header_frag(private_encrypted_fragment_payload_t *this, chunk_t assoc) { struct { - u_int8_t next_payload; - u_int8_t flags; - u_int16_t length; - u_int16_t fragment_number; - u_int16_t total_fragments; + uint8_t next_payload; + uint8_t flags; + uint16_t length; + uint16_t fragment_number; + uint16_t total_fragments; } __attribute__((packed)) header = { .next_payload = this->next_payload, .flags = this->flags, @@ -922,7 +922,7 @@ static chunk_t append_header_frag(private_encrypted_fragment_payload_t *this, } METHOD(encrypted_payload_t, frag_encrypt, status_t, - private_encrypted_fragment_payload_t *this, u_int64_t mid, chunk_t assoc) + private_encrypted_fragment_payload_t *this, uint64_t mid, chunk_t assoc) { status_t status; @@ -1015,7 +1015,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create() * Described in header */ encrypted_fragment_payload_t *encrypted_fragment_payload_create_from_data( - u_int16_t num, u_int16_t total, chunk_t plain) + uint16_t num, uint16_t total, chunk_t plain) { private_encrypted_fragment_payload_t *this; diff --git a/src/libcharon/encoding/payloads/encrypted_payload.h b/src/libcharon/encoding/payloads/encrypted_payload.h index be59e3c2d..19c60c5be 100644 --- a/src/libcharon/encoding/payloads/encrypted_payload.h +++ b/src/libcharon/encoding/payloads/encrypted_payload.h 
@@ -88,7 +88,7 @@ struct encrypted_payload_t { * - FAILED if encryption failed * - INVALID_STATE if aead not supplied, but needed */ - status_t (*encrypt) (encrypted_payload_t *this, u_int64_t mid, + status_t (*encrypt) (encrypted_payload_t *this, uint64_t mid, chunk_t assoc); /** diff --git a/src/libcharon/encoding/payloads/endpoint_notify.c b/src/libcharon/encoding/payloads/endpoint_notify.c index ebe5f32f7..afeee72e4 100644 --- a/src/libcharon/encoding/payloads/endpoint_notify.c +++ b/src/libcharon/encoding/payloads/endpoint_notify.c @@ -33,7 +33,7 @@ struct private_endpoint_notify_t { /** * Priority */ - u_int32_t priority; + uint32_t priority; /** * Family @@ -83,36 +83,36 @@ static private_endpoint_notify_t *endpoint_notify_create(); /** * Helper functions to parse integer values */ -static status_t parse_uint8(u_int8_t **cur, u_int8_t *top, u_int8_t *val) +static status_t parse_uint8(uint8_t **cur, uint8_t *top, uint8_t *val) { - if (*cur + sizeof(u_int8_t) > top) + if (*cur + sizeof(uint8_t) > top) { return FAILED; } - *val = *(u_int8_t*)*cur; - *cur += sizeof(u_int8_t); + *val = *(uint8_t*)*cur; + *cur += sizeof(uint8_t); return SUCCESS; } -static status_t parse_uint16(u_int8_t **cur, u_int8_t *top, u_int16_t *val) +static status_t parse_uint16(uint8_t **cur, uint8_t *top, uint16_t *val) { - if (*cur + sizeof(u_int16_t) > top) + if (*cur + sizeof(uint16_t) > top) { return FAILED; } - *val = ntohs(*(u_int16_t*)*cur); - *cur += sizeof(u_int16_t); + *val = ntohs(*(uint16_t*)*cur); + *cur += sizeof(uint16_t); return SUCCESS; } -static status_t parse_uint32(u_int8_t **cur, u_int8_t *top, u_int32_t *val) +static status_t parse_uint32(uint8_t **cur, uint8_t *top, uint32_t *val) { - if (*cur + sizeof(u_int32_t) > top) + if (*cur + sizeof(uint32_t) > top) { return FAILED; } - *val = ntohl(*(u_int32_t*)*cur); - *cur += sizeof(u_int32_t); + *val = ntohl(*(uint32_t*)*cur); + *cur += sizeof(uint32_t); return SUCCESS; } 
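Review bot: parse_uint16() and parse_uint32() still dereference the byte cursor through a wider pointer, `*val = ntohs(*(uint16_t*)*cur);` and `*val = ntohl(*(uint32_t*)*cur);`, so the rename keeps an unaligned, type-punned read of data that, per the parse_notification_data hunk that follows, is taken straight from the received notify payload. The guard `if (*cur + sizeof(uint16_t) > top)` also forms a pointer beyond the buffer before comparing; comparing the remaining length avoids that. Copying the field into a local with memcpy (from <string.h>, if the file does not already include it) and then converting byte order gives the same result on every target, and parse_uint8() can stay as it is since a single byte needs no alignment. The change touches both helpers; parse_uint16 is shown below and parse_uint32 follows the same pattern with uint32_t and ntohl.
```c
static status_t parse_uint16(uint8_t **cur, uint8_t *top, uint16_t *val)
{
	uint16_t raw;

	/* compare the remaining length instead of forming a pointer past top */
	if (*cur > top || (size_t)(top - *cur) < sizeof(raw))
	{
		return FAILED;
	}
	memcpy(&raw, *cur, sizeof(raw));
	*val = ntohs(raw);
	*cur += sizeof(raw);
	return SUCCESS;
}

/* … parse_uint8 unchanged; parse_uint32 gets the same memcpy + ntohl form … */
```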
@@ -121,11 +121,11 @@ static status_t parse_uint32(u_int8_t **cur, u_int8_t *top, u_int32_t *val) */ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t data) { - u_int8_t family, type, addr_family; - u_int16_t port; + uint8_t family, type, addr_family; + uint16_t port; chunk_t addr; - u_int8_t *cur = data.ptr; - u_int8_t *top = data.ptr + data.len; + uint8_t *cur = data.ptr; + uint8_t *top = data.ptr + data.len; DBG3(DBG_IKE, "me_endpoint_data %B", &data); @@ -191,9 +191,9 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this) { chunk_t prio_chunk, family_chunk, type_chunk, port_chunk, addr_chunk; chunk_t data; - u_int32_t prio; - u_int16_t port; - u_int8_t family, type; + uint32_t prio; + uint16_t port; + uint8_t family, type; prio = htonl(this->priority); prio_chunk = chunk_from_thing(prio); @@ -237,14 +237,14 @@ METHOD(endpoint_notify_t, build_notify, notify_payload_t*, } -METHOD(endpoint_notify_t, get_priority, u_int32_t, +METHOD(endpoint_notify_t, get_priority, uint32_t, private_endpoint_notify_t *this) { return this->priority; } METHOD(endpoint_notify_t, set_priority, void, - private_endpoint_notify_t *this, u_int32_t priority) + private_endpoint_notify_t *this, uint32_t priority) { this->priority = priority; } diff --git a/src/libcharon/encoding/payloads/endpoint_notify.h b/src/libcharon/encoding/payloads/endpoint_notify.h index 853aadf3d..f4cf89fd7 100644 --- a/src/libcharon/encoding/payloads/endpoint_notify.h +++ b/src/libcharon/encoding/payloads/endpoint_notify.h @@ -82,14 +82,14 @@ struct endpoint_notify_t { * * @return priority */ - u_int32_t (*get_priority) (endpoint_notify_t *this); + uint32_t (*get_priority) (endpoint_notify_t *this); /** * Sets the priority of this endpoint. * * @param priority priority */ - void (*set_priority) (endpoint_notify_t *this, u_int32_t priority); + void (*set_priority) (endpoint_notify_t *this, uint32_t priority); /** * Returns the endpoint type of this endpoint. 
diff --git a/src/libcharon/encoding/payloads/fragment_payload.c b/src/libcharon/encoding/payloads/fragment_payload.c index 7f158f548..fecd05f05 100644 --- a/src/libcharon/encoding/payloads/fragment_payload.c +++ b/src/libcharon/encoding/payloads/fragment_payload.c @@ -35,32 +35,32 @@ struct private_fragment_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Reserved byte */ - u_int8_t reserved; + uint8_t reserved; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Fragment ID. */ - u_int16_t fragment_id; + uint16_t fragment_id; /** * Fragment number. */ - u_int8_t fragment_number; + uint8_t fragment_number; /** * Flags */ - u_int8_t flags; + uint8_t flags; /** * The contained fragment data. @@ -145,13 +145,13 @@ METHOD(payload_t, get_length, size_t, return this->payload_length; } -METHOD(fragment_payload_t, get_id, u_int16_t, +METHOD(fragment_payload_t, get_id, uint16_t, private_fragment_payload_t *this) { return this->fragment_id; } -METHOD(fragment_payload_t, get_number, u_int8_t, +METHOD(fragment_payload_t, get_number, uint8_t, private_fragment_payload_t *this) { return this->fragment_number; @@ -210,7 +210,7 @@ fragment_payload_t *fragment_payload_create() /* * Described in header */ -fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last, +fragment_payload_t *fragment_payload_create_from_data(uint8_t num, bool last, chunk_t data) { private_fragment_payload_t *this; diff --git a/src/libcharon/encoding/payloads/fragment_payload.h b/src/libcharon/encoding/payloads/fragment_payload.h index a49cf32dd..a756601a0 100644 --- a/src/libcharon/encoding/payloads/fragment_payload.h +++ b/src/libcharon/encoding/payloads/fragment_payload.h 
@@ -42,14 +42,14 @@ struct fragment_payload_t { * * @return fragment ID */ - u_int16_t (*get_id)(fragment_payload_t *this); + uint16_t (*get_id)(fragment_payload_t *this); /** * Get the fragment number. Defines the order of the fragments. * * @return fragment number */ - u_int8_t (*get_number)(fragment_payload_t *this); + uint8_t (*get_number)(fragment_payload_t *this); /** * Check if this is the last fragment. @@ -88,7 +88,7 @@ fragment_payload_t *fragment_payload_create(); * @param data fragment data (gets cloned) * @return fragment_payload_t object */ -fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last, +fragment_payload_t *fragment_payload_create_from_data(uint8_t num, bool last, chunk_t data); #endif /** FRAGMENT_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/hash_payload.c b/src/libcharon/encoding/payloads/hash_payload.c index a12b018e5..eac820742 100644 --- a/src/libcharon/encoding/payloads/hash_payload.c +++ b/src/libcharon/encoding/payloads/hash_payload.c @@ -34,17 +34,17 @@ struct private_hash_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Reserved byte */ - u_int8_t reserved; + uint8_t reserved; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * The contained hash value. diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c index bb8aab748..ae0b19a9d 100644 --- a/src/libcharon/encoding/payloads/id_payload.c +++ b/src/libcharon/encoding/payloads/id_payload.c @@ -38,7 +38,7 @@ struct private_id_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. 
@@ -53,17 +53,17 @@ struct private_id_payload_t { /** * Reserved bytes */ - u_int8_t reserved_byte[3]; + uint8_t reserved_byte[3]; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Type of the ID Data. */ - u_int8_t id_type; + uint8_t id_type; /** * The contained id data value. @@ -73,12 +73,12 @@ struct private_id_payload_t { /** * Tunneled protocol ID for IKEv1 quick modes. */ - u_int8_t protocol_id; + uint8_t protocol_id; /** * Tunneled port for IKEv1 quick modes. */ - u_int16_t port; + uint16_t port; /** * one of PLV2_ID_INITIATOR, PLV2_ID_RESPONDER, IDv1 and PLV1_NAT_OA @@ -334,7 +334,7 @@ METHOD(id_payload_t, get_ts, traffic_selector_t*, METHOD(id_payload_t, get_encoded, chunk_t, private_id_payload_t *this) { - u_int16_t port = htons(this->port); + uint16_t port = htons(this->port); return chunk_cat("cccc", chunk_from_thing(this->id_type), chunk_from_thing(this->protocol_id), chunk_from_thing(port), this->id_data); @@ -400,7 +400,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type, id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts) { private_id_payload_t *this; - u_int8_t mask; + uint8_t mask; host_t *net; this = (private_id_payload_t*)id_payload_create(PLV1_ID); @@ -419,7 +419,7 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts) } else if (ts->to_subnet(ts, &net, &mask)) { - u_int8_t netmask[16], len, byte; + uint8_t netmask[16], len, byte; if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) { diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c index c96738a34..61a0424e3 100644 --- a/src/libcharon/encoding/payloads/ike_header.c +++ b/src/libcharon/encoding/payloads/ike_header.c 
@@ -37,31 +37,31 @@ struct private_ike_header_t { /** * SPI of the initiator. */ - u_int64_t initiator_spi; + uint64_t initiator_spi; /** * SPI of the responder. */ - u_int64_t responder_spi; + uint64_t responder_spi; /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * IKE major version. */ - u_int8_t maj_version; + uint8_t maj_version; /** * IKE minor version. */ - u_int8_t min_version; + uint8_t min_version; /** * Exchange type . */ - u_int8_t exchange_type; + uint8_t exchange_type; /** * Flags of the Message. @@ -106,12 +106,12 @@ struct private_ike_header_t { /** * Associated Message-ID. */ - u_int32_t message_id; + uint32_t message_id; /** * Length of the whole IKEv2-Message (header and all payloads). */ - u_int32_t length; + uint32_t length; }; ENUM_BEGIN(exchange_type_names, ID_PROT, TRANSACTION, 
@@ -290,50 +290,50 @@ METHOD(payload_t, get_length, size_t, return this->length; } -METHOD(ike_header_t, get_initiator_spi, u_int64_t, +METHOD(ike_header_t, get_initiator_spi, uint64_t, private_ike_header_t *this) { return this->initiator_spi; } METHOD(ike_header_t, set_initiator_spi, void, - private_ike_header_t *this, u_int64_t initiator_spi) + private_ike_header_t *this, uint64_t initiator_spi) { this->initiator_spi = initiator_spi; } -METHOD(ike_header_t, get_responder_spi, u_int64_t, +METHOD(ike_header_t, get_responder_spi, uint64_t, private_ike_header_t *this) { return this->responder_spi; } METHOD(ike_header_t, set_responder_spi, void, - private_ike_header_t *this, u_int64_t responder_spi) + private_ike_header_t *this, uint64_t responder_spi) { this->responder_spi = responder_spi; } -METHOD(ike_header_t, get_maj_version, u_int8_t, +METHOD(ike_header_t, get_maj_version, uint8_t, private_ike_header_t *this) { return this->maj_version; } METHOD(ike_header_t, set_maj_version, void, - private_ike_header_t *this, u_int8_t major) + private_ike_header_t *this, uint8_t major) { this->maj_version = major; } -METHOD(ike_header_t, get_min_version, u_int8_t, +METHOD(ike_header_t, get_min_version, uint8_t, private_ike_header_t *this) { return this->min_version; } METHOD(ike_header_t, set_min_version, void, - private_ike_header_t *this, u_int8_t minor) + private_ike_header_t *this, uint8_t minor) { this->min_version = minor; } 
@@ -411,26 +411,26 @@ METHOD(ike_header_t, set_authonly_flag, void, this->flags.authonly = authonly; } -METHOD(ike_header_t, get_exchange_type, u_int8_t, +METHOD(ike_header_t, get_exchange_type, uint8_t, private_ike_header_t *this) { return this->exchange_type; } METHOD(ike_header_t, set_exchange_type, void, - private_ike_header_t *this, u_int8_t exchange_type) + private_ike_header_t *this, uint8_t exchange_type) { this->exchange_type = exchange_type; } -METHOD(ike_header_t, get_message_id, u_int32_t, +METHOD(ike_header_t, get_message_id, uint32_t, private_ike_header_t *this) { return this->message_id; } METHOD(ike_header_t, set_message_id, void, - private_ike_header_t *this, u_int32_t message_id) + private_ike_header_t *this, uint32_t message_id) { this->message_id = message_id; } diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h index d9a44dd0c..fa89c3939 100644 --- a/src/libcharon/encoding/payloads/ike_header.h +++ b/src/libcharon/encoding/payloads/ike_header.h 
@@ -153,56 +153,56 @@ struct ike_header_t { * * @return initiator_spi */ - u_int64_t (*get_initiator_spi) (ike_header_t *this); + uint64_t (*get_initiator_spi) (ike_header_t *this); /** * Set the initiator spi. * * @param initiator_spi initiator_spi */ - void (*set_initiator_spi) (ike_header_t *this, u_int64_t initiator_spi); + void (*set_initiator_spi) (ike_header_t *this, uint64_t initiator_spi); /** * Get the responder spi. * * @return responder_spi */ - u_int64_t (*get_responder_spi) (ike_header_t *this); + uint64_t (*get_responder_spi) (ike_header_t *this); /** * Set the responder spi. * * @param responder_spi responder_spi */ - void (*set_responder_spi) (ike_header_t *this, u_int64_t responder_spi); + void (*set_responder_spi) (ike_header_t *this, uint64_t responder_spi); /** * Get the major version. * * @return major version */ - u_int8_t (*get_maj_version) (ike_header_t *this); + uint8_t (*get_maj_version) (ike_header_t *this); /** * Set the major version. * * @param major major version */ - void (*set_maj_version) (ike_header_t *this, u_int8_t major); + void (*set_maj_version) (ike_header_t *this, uint8_t major); /** * Get the minor version. * * @return minor version */ - u_int8_t (*get_min_version) (ike_header_t *this); + uint8_t (*get_min_version) (ike_header_t *this); /** * Set the minor version. * * @param minor minor version */ - void (*set_min_version) (ike_header_t *this, u_int8_t minor); + void (*set_min_version) (ike_header_t *this, uint8_t minor); /** * Get the response flag. 
@@ -293,28 +293,28 @@ struct ike_header_t { * * @return exchange type */ - u_int8_t (*get_exchange_type) (ike_header_t *this); + uint8_t (*get_exchange_type) (ike_header_t *this); /** * Set the exchange type. * * @param exchange_type exchange type */ - void (*set_exchange_type) (ike_header_t *this, u_int8_t exchange_type); + void (*set_exchange_type) (ike_header_t *this, uint8_t exchange_type); /** * Get the message id. * * @return message id */ - u_int32_t (*get_message_id) (ike_header_t *this); + uint32_t (*get_message_id) (ike_header_t *this); /** * Set the message id. * * @param initiator_spi message id */ - void (*set_message_id) (ike_header_t *this, u_int32_t message_id); + void (*set_message_id) (ike_header_t *this, uint32_t message_id); /** * Destroys a ike_header_t object. diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c index 50fd73f90..37f3adf88 100644 --- a/src/libcharon/encoding/payloads/ke_payload.c +++ b/src/libcharon/encoding/payloads/ke_payload.c @@ -36,7 +36,7 @@ struct private_ke_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -51,17 +51,17 @@ struct private_ke_payload_t { /** * Reserved bytes */ - u_int8_t reserved_byte[2]; + uint8_t reserved_byte[2]; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * DH Group Number. */ - u_int16_t dh_group_number; + uint16_t dh_group_number; /** * Key Exchange Data of this KE payload. diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c index b0d1c601a..17a0417dc 100644 --- a/src/libcharon/encoding/payloads/nonce_payload.c +++ b/src/libcharon/encoding/payloads/nonce_payload.c @@ -37,7 +37,7 @@ struct private_nonce_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. 
@@ -52,7 +52,7 @@ struct private_nonce_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * The contained nonce value. diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index f32a1273f..ca7ef3a45 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -260,7 +260,7 @@ struct private_notify_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -275,27 +275,27 @@ struct private_notify_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Domain of interpretation, IKEv1 only. */ - u_int32_t doi; + uint32_t doi; /** * Protocol id. */ - u_int8_t protocol_id; + uint8_t protocol_id; /** * Spi size. */ - u_int8_t spi_size; + uint8_t spi_size; /** * Notify message type. */ - u_int16_t notify_type; + uint16_t notify_type; /** * Security parameter index (spi). @@ -596,14 +596,14 @@ METHOD(payload_t, get_length, size_t, return this->payload_length; } -METHOD(notify_payload_t, get_protocol_id, u_int8_t, +METHOD(notify_payload_t, get_protocol_id, uint8_t, private_notify_payload_t *this) { return this->protocol_id; } METHOD(notify_payload_t, set_protocol_id, void, - private_notify_payload_t *this, u_int8_t protocol_id) + private_notify_payload_t *this, uint8_t protocol_id) { this->protocol_id = protocol_id; } @@ -620,7 +620,7 @@ METHOD(notify_payload_t, set_notify_type, void, this->notify_type = notify_type; } -METHOD(notify_payload_t, get_spi, u_int32_t, +METHOD(notify_payload_t, get_spi, uint32_t, private_notify_payload_t *this) { switch (this->protocol_id) @@ -629,7 +629,7 @@ METHOD(notify_payload_t, get_spi, u_int32_t, case PROTO_ESP: if (this->spi.len == 4) { - return *((u_int32_t*)this->spi.ptr); + return *((uint32_t*)this->spi.ptr); } default: break; 
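Review bot: get_spi() still reads the 4-byte SPI through a cast, `return *((uint32_t*)this->spi.ptr);`, and set_spi() in the next hunk writes it the same way with `*((uint32_t*)this->spi.ptr) = spi;`; whether spi.ptr is aligned for a uint32_t depends on how the chunk was produced, which these hunks do not show. A byte copy removes that dependence in both places: `uint32_t spi; memcpy(&spi, this->spi.ptr, sizeof(spi)); return spi;` in get_spi() and `memcpy(this->spi.ptr, &spi, sizeof(spi));` in set_spi(). When spi.len is not 4 the `case PROTO_ESP:` branch falls into `default:`, which only breaks, so a `/* fallthrough */` comment there would record that this is intended. get_spi()'s body continues past the end of this hunk.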
@@ -638,7 +638,7 @@ METHOD(notify_payload_t, get_spi, u_int32_t, } METHOD(notify_payload_t, set_spi, void, - private_notify_payload_t *this, u_int32_t spi) + private_notify_payload_t *this, uint32_t spi) { chunk_free(&this->spi); switch (this->protocol_id) @@ -646,7 +646,7 @@ METHOD(notify_payload_t, set_spi, void, case PROTO_AH: case PROTO_ESP: this->spi = chunk_alloc(4); - *((u_int32_t*)this->spi.ptr) = spi; + *((uint32_t*)this->spi.ptr) = spi; break; default: break; diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h index 690757383..04160bbfc 100644 --- a/src/libcharon/encoding/payloads/notify_payload.h +++ b/src/libcharon/encoding/payloads/notify_payload.h @@ -200,14 +200,14 @@ struct notify_payload_t { * * @return protocol id of this payload */ - u_int8_t (*get_protocol_id) (notify_payload_t *this); + uint8_t (*get_protocol_id) (notify_payload_t *this); /** * Sets the protocol id of this payload. * * @param protocol_id protocol id to set */ - void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id); + void (*set_protocol_id) (notify_payload_t *this, uint8_t protocol_id); /** * Gets the notify message type of this payload. @@ -230,7 +230,7 @@ struct notify_payload_t { * * @return SPI value */ - u_int32_t (*get_spi) (notify_payload_t *this); + uint32_t (*get_spi) (notify_payload_t *this); /** * Sets the spi of this payload. @@ -239,7 +239,7 @@ struct notify_payload_t { * * @param spi SPI value */ - void (*set_spi) (notify_payload_t *this, u_int32_t spi); + void (*set_spi) (notify_payload_t *this, uint32_t spi); /** * Returns the currently set spi of this payload. diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c index f7c2754e0..6d1894edb 100644 --- a/src/libcharon/encoding/payloads/payload.c +++ b/src/libcharon/encoding/payloads/payload.c 
@@ -268,7 +268,7 @@ payload_t *payload_create(payload_type_t type) /** * See header. */ -bool payload_is_known(payload_type_t type, u_int8_t maj_ver) +bool payload_is_known(payload_type_t type, uint8_t maj_ver) { if (type >= PL_HEADER) { diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h index 72003894f..8ba1ef9f5 100644 --- a/src/libcharon/encoding/payloads/payload.h +++ b/src/libcharon/encoding/payloads/payload.h @@ -413,7 +413,7 @@ payload_t *payload_create(payload_type_t type); * @param maj_ver major IKE version (use 0 to skip version check) * @return FALSE if payload type handled as unknown payload */ -bool payload_is_known(payload_type_t type, u_int8_t maj_ver); +bool payload_is_known(payload_type_t type, uint8_t maj_ver); /** * Get the value field in a payload using encoding rules. diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 65ce667c7..1a435a823 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -45,37 +45,37 @@ struct private_proposal_substructure_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * reserved byte */ - u_int8_t reserved; + uint8_t reserved; /** * Length of this payload. */ - u_int16_t proposal_length; + uint16_t proposal_length; /** * Proposal number. */ - u_int8_t proposal_number; + uint8_t proposal_number; /** * Protocol ID. */ - u_int8_t protocol_id; + uint8_t protocol_id; /** * SPI size of the following SPI. */ - u_int8_t spi_size; + uint8_t spi_size; /** * Number of transforms. */ - u_int8_t transforms_count; + uint8_t transforms_count; /** * SPI is stored as chunk. 
@@ -479,24 +479,24 @@ METHOD(proposal_substructure_t, set_is_last_proposal, void, } METHOD(proposal_substructure_t, set_proposal_number, void, - private_proposal_substructure_t *this,u_int8_t proposal_number) + private_proposal_substructure_t *this,uint8_t proposal_number) { this->proposal_number = proposal_number; } -METHOD(proposal_substructure_t, get_proposal_number, u_int8_t, +METHOD(proposal_substructure_t, get_proposal_number, uint8_t, private_proposal_substructure_t *this) { return this->proposal_number; } METHOD(proposal_substructure_t, set_protocol_id, void, - private_proposal_substructure_t *this,u_int8_t protocol_id) + private_proposal_substructure_t *this,uint8_t protocol_id) { this->protocol_id = protocol_id; } -METHOD(proposal_substructure_t, get_protocol_id, u_int8_t, +METHOD(proposal_substructure_t, get_protocol_id, uint8_t, private_proposal_substructure_t *this) { return this->protocol_id; @@ -518,7 +518,7 @@ METHOD(proposal_substructure_t, get_spi, chunk_t, } METHOD(proposal_substructure_t, get_cpi, bool, - private_proposal_substructure_t *this, u_int16_t *cpi) + private_proposal_substructure_t *this, uint16_t *cpi) { transform_substructure_t *transform; @@ -554,7 +554,7 @@ static void add_to_proposal_v2(proposal_t *proposal, { transform_attribute_t *tattr; enumerator_t *enumerator; - u_int16_t key_length = 0; + uint16_t key_length = 0; enumerator = transform->create_attribute_enumerator(transform); while (enumerator->enumerate(enumerator, &tattr)) @@ -576,8 +576,8 @@ static void add_to_proposal_v2(proposal_t *proposal, * Map IKEv1 to IKEv2 algorithms */ typedef struct { - u_int16_t ikev1; - u_int16_t ikev2; + uint16_t ikev1; + uint16_t ikev2; } algo_map_t; /** 
@@ -681,8 +681,8 @@ static algo_map_t map_auth[] = { /** * Map an IKEv1 to an IKEv2 identifier */ -static u_int16_t ikev2_from_ikev1(algo_map_t *map, int count, u_int16_t def, - u_int16_t value) +static uint16_t ikev2_from_ikev1(algo_map_t *map, int count, uint16_t def, + uint16_t value) { int i; @@ -699,7 +699,7 @@ static u_int16_t ikev2_from_ikev1(algo_map_t *map, int count, u_int16_t def, /** * Map an IKEv2 to an IKEv1 identifier */ -static u_int16_t ikev1_from_ikev2(algo_map_t *map, int count, u_int16_t value) +static uint16_t ikev1_from_ikev2(algo_map_t *map, int count, uint16_t value) { int i; @@ -716,7 +716,7 @@ static u_int16_t ikev1_from_ikev2(algo_map_t *map, int count, u_int16_t value) /** * Get IKEv2 algorithm from IKEv1 identifier */ -static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) +static uint16_t get_alg_from_ikev1(transform_type_t type, uint16_t value) { switch (type) { @@ -737,7 +737,7 @@ static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) /** * Get IKEv1 algorithm from IKEv2 identifier */ -static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) +static uint16_t get_ikev1_from_alg(transform_type_t type, uint16_t value) { switch (type) { @@ -755,8 +755,8 @@ static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) /** * Get IKEv2 algorithm from IKEv1 ESP/AH transform ID */ -static u_int16_t get_alg_from_ikev1_transid(transform_type_t type, - u_int16_t value) +static uint16_t get_alg_from_ikev1_transid(transform_type_t type, + uint16_t value) { switch (type) { @@ -774,8 +774,8 @@ static u_int16_t get_alg_from_ikev1_transid(transform_type_t type, /** * Get IKEv1 ESP/AH transform ID from IKEv2 identifier */ -static u_int16_t get_ikev1_transid_from_alg(transform_type_t type, - u_int16_t value) +static uint16_t get_ikev1_transid_from_alg(transform_type_t type, + uint16_t value) { switch (type) { 
@@ -791,7 +791,7 @@ static u_int16_t get_ikev1_transid_from_alg(transform_type_t type, /** * Get IKEv1 authentication algorithm from IKEv2 identifier */ -static u_int16_t get_alg_from_ikev1_auth(u_int16_t value) +static uint16_t get_alg_from_ikev1_auth(uint16_t value) { return ikev2_from_ikev1(map_auth, countof(map_auth), AUTH_UNDEFINED, value); } @@ -799,7 +799,7 @@ static u_int16_t get_alg_from_ikev1_auth(u_int16_t value) /** * Get IKEv1 authentication algorithm from IKEv2 identifier */ -static u_int16_t get_ikev1_auth_from_alg(u_int16_t value) +static uint16_t get_ikev1_auth_from_alg(uint16_t value) { return ikev1_from_ikev2(map_auth, countof(map_auth), value); } @@ -807,7 +807,7 @@ static u_int16_t get_ikev1_auth_from_alg(u_int16_t value) /** * Get IKEv1 authentication attribute from auth_method_t */ -static u_int16_t get_ikev1_auth(auth_method_t method) +static uint16_t get_ikev1_auth(auth_method_t method) { switch (method) { @@ -842,7 +842,7 @@ static u_int16_t get_ikev1_auth(auth_method_t method) /** * Get IKEv1 encapsulation mode */ -static u_int16_t get_ikev1_mode(ipsec_mode_t mode, encap_t udp) +static uint16_t get_ikev1_mode(ipsec_mode_t mode, encap_t udp) { switch (mode) { @@ -880,8 +880,8 @@ static void add_to_proposal_v1_ike(proposal_t *proposal, transform_attribute_type_t type; transform_attribute_t *tattr; enumerator_t *enumerator; - u_int16_t value, key_length = 0; - u_int16_t encr = ENCR_UNDEFINED; + uint16_t value, key_length = 0; + uint16_t encr = ENCR_UNDEFINED; enumerator = transform->create_attribute_enumerator(transform); while (enumerator->enumerate(enumerator, &tattr)) 
@@ -932,7 +932,8 @@ static void add_to_proposal_v1(proposal_t *proposal, transform_attribute_type_t type; transform_attribute_t *tattr; enumerator_t *enumerator; - u_int16_t encr, value, key_length = 0; + uint16_t encr, value, key_length = 0; + extended_sequence_numbers_t esn = NO_EXT_SEQ_NUMBERS; enumerator = transform->create_attribute_enumerator(transform); while (enumerator->enumerate(enumerator, &tattr)) @@ -952,15 +953,16 @@ static void add_to_proposal_v1(proposal_t *proposal, proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, value, 0); break; + case TATTR_PH2_EXT_SEQ_NUMBER: + esn = EXT_SEQ_NUMBERS; + break; default: break; } } enumerator->destroy(enumerator); - /* TODO-IKEv1: handle ESN attribute */ - proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, - NO_EXT_SEQ_NUMBERS, 0); + proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0); if (proto == PROTO_ESP) { encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM, @@ -985,15 +987,15 @@ METHOD(proposal_substructure_t, get_proposals, void, transform_substructure_t *transform; enumerator_t *enumerator; proposal_t *proposal = NULL; - u_int64_t spi = 0; + uint64_t spi = 0; switch (this->spi.len) { case 4: - spi = *((u_int32_t*)this->spi.ptr); + spi = *((uint32_t*)this->spi.ptr); break; case 8: - spi = *((u_int64_t*)this->spi.ptr); + spi = *((uint64_t*)this->spi.ptr); break; default: break; @@ -1042,7 +1044,7 @@ METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*, /** * Get an attribute from any transform, 0 if not found */ -static u_int64_t get_attr(private_proposal_substructure_t *this, +static uint64_t get_attr(private_proposal_substructure_t *this, transform_attribute_type_t type) { enumerator_t *transforms, *attributes; 
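Review bot: The new `case TATTR_PH2_EXT_SEQ_NUMBER:` in add_to_proposal_v1 turns ESN on whenever the attribute is present and never inspects its value, while RFC 4304 defines the attribute with value 0 for 32-bit and value 1 for 64-bit sequence numbers, so a peer that explicitly sends value 0 would be parsed as proposing ESN and the installed SA would disagree with the peer on sequence-number width. If `value` already holds the attribute's value at this point of the loop, as the DH-group case just above uses it (that assignment is outside the hunk), the case should read `esn = value ? EXT_SEQ_NUMBERS : NO_EXT_SEQ_NUMBERS;`. add_to_proposal_v1 begins before this hunk and ends after it.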
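Review bot: `spi = *((uint32_t*)this->spi.ptr);` and the `uint64_t` counterpart in get_proposals read the SPI through a pointer cast on a byte buffer that was parsed from the wire; only the type spelling changed here, but on the new side this is still an aliasing violation and, unless the chunk data is guaranteed aligned, an unaligned load on strict-alignment targets. Copying into a local, `uint32_t spi32; memcpy(&spi32, this->spi.ptr, sizeof(spi32)); spi = spi32;` (and likewise for the 8-byte case), yields the same bits without relying on undefined behaviour. get_proposals begins before this hunk and continues after it.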
@@ -1071,7 +1073,7 @@ static u_int64_t get_attr(private_proposal_substructure_t *this, /** * Look up a lifetime duration of a given kind in all transforms */ -static u_int64_t get_life_duration(private_proposal_substructure_t *this, +static uint64_t get_life_duration(private_proposal_substructure_t *this, transform_attribute_type_t type_attr, ikev1_life_type_t type, transform_attribute_type_t dur_attr) { @@ -1105,10 +1107,10 @@ static u_int64_t get_life_duration(private_proposal_substructure_t *this, return 0; } -METHOD(proposal_substructure_t, get_lifetime, u_int32_t, +METHOD(proposal_substructure_t, get_lifetime, uint32_t, private_proposal_substructure_t *this) { - u_int32_t duration; + uint32_t duration; switch (this->protocol_id) { @@ -1129,7 +1131,7 @@ METHOD(proposal_substructure_t, get_lifetime, u_int32_t, } } -METHOD(proposal_substructure_t, get_lifebytes, u_int64_t, +METHOD(proposal_substructure_t, get_lifebytes, uint64_t, private_proposal_substructure_t *this) { switch (this->protocol_id) @@ -1259,11 +1261,11 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) * Add an IKEv1 IKE proposal to the substructure */ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, - proposal_t *proposal, u_int32_t lifetime, + proposal_t *proposal, uint32_t lifetime, auth_method_t method, int number) { transform_substructure_t *transform; - u_int16_t alg, key_size; + uint16_t alg, key_size; enumerator_t *enumerator; transform = transform_substructure_create_type(PLV1_TRANSFORM_SUBSTRUCTURE, 
@@ -1330,11 +1332,11 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, * Add an IKEv1 ESP/AH proposal to the substructure */ static void set_from_proposal_v1(private_proposal_substructure_t *this, - proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes, + proposal_t *proposal, uint32_t lifetime, uint64_t lifebytes, ipsec_mode_t mode, encap_t udp, int number) { transform_substructure_t *transform = NULL; - u_int16_t alg, transid, key_size; + uint16_t alg, transid, key_size; enumerator_t *enumerator; enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); @@ -1410,6 +1412,18 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this, TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000)); } + enumerator = proposal->create_enumerator(proposal, + EXTENDED_SEQUENCE_NUMBERS); + while (enumerator->enumerate(enumerator, &alg, NULL)) + { + if (alg == EXT_SEQ_NUMBERS) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE, + TATTR_PH2_EXT_SEQ_NUMBER, alg)); + } + } + enumerator->destroy(enumerator); add_transform_substructure(this, transform); } @@ -1420,7 +1434,7 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this, proposal_t *proposal) { transform_substructure_t *transform; - u_int16_t alg, key_size; + uint16_t alg, key_size; enumerator_t *enumerator; /* encryption algorithm is only available in ESP */ @@ -1485,8 +1499,8 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this, */ static void set_data(private_proposal_substructure_t *this, proposal_t *proposal) { - u_int64_t spi64; - u_int32_t spi32; + uint64_t spi64; + uint32_t spi32; /* add SPI, if necessary */ switch (proposal->get_protocol(proposal)) 
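Review bot: The attribute value written by the new ESN loop in set_from_proposal_v1 is the enum constant `alg` itself, which only yields the correct IKEv1 encoding if EXT_SEQ_NUMBERS happens to equal the RFC 4304 wire value 1 (its definition is not in this hunk). Passing the wire value explicitly, or at least a comment such as `/* EXT_SEQ_NUMBERS (1) matches the RFC 4304 attribute value for 64-bit sequence numbers */` on the transform_attribute_create_value call, would make that coupling visible to the next reader. The loop also dereferences `transform` unconditionally; that mirrors the lifetime attributes just above, but since `transform` is initialised to NULL at the top of the function, whatever guarantees it was set lies outside the hunk. set_from_proposal_v1 begins before this hunk and ends after it.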
@@ -1533,7 +1547,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2( * See header. */ proposal_substructure_t *proposal_substructure_create_from_proposal_v1( - proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes, + proposal_t *proposal, uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, encap_t udp) { private_proposal_substructure_t *this; @@ -1562,7 +1576,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1( * See header. */ proposal_substructure_t *proposal_substructure_create_from_proposals_v1( - linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes, + linked_list_t *proposals, uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, encap_t udp) { private_proposal_substructure_t *this = NULL; @@ -1607,8 +1621,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1( * See header. */ proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1( - u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi, - ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number) + uint32_t lifetime, uint64_t lifebytes, uint16_t cpi, + ipsec_mode_t mode, encap_t udp, uint8_t proposal_number) { private_proposal_substructure_t *this; transform_substructure_t *transform; diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index c4614b88f..796c10890 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h 
@@ -59,13 +59,13 @@ struct proposal_substructure_t { * @param id proposal number to set */ void (*set_proposal_number) (proposal_substructure_t *this, - u_int8_t proposal_number); + uint8_t proposal_number); /** * get proposal number of current proposal. * * @return proposal number of current proposal substructure. */ - u_int8_t (*get_proposal_number) (proposal_substructure_t *this); + uint8_t (*get_proposal_number) (proposal_substructure_t *this); /** * Sets the protocol id of current proposal. @@ -73,14 +73,14 @@ struct proposal_substructure_t { * @param id protocol id to set */ void (*set_protocol_id) (proposal_substructure_t *this, - u_int8_t protocol_id); + uint8_t protocol_id); /** * get protocol id of current proposal. * * @return protocol id of current proposal substructure. */ - u_int8_t (*get_protocol_id) (proposal_substructure_t *this); + uint8_t (*get_protocol_id) (proposal_substructure_t *this); /** * Sets the next_payload field of this substructure @@ -114,7 +114,7 @@ struct proposal_substructure_t { * @param cpi the CPI if a supported algorithm is proposed * @return TRUE if a supported algorithm is proposed */ - bool (*get_cpi) (proposal_substructure_t *this, u_int16_t *cpi); + bool (*get_cpi) (proposal_substructure_t *this, uint16_t *cpi); /** * Get proposals contained in a propsal_substructure_t. @@ -135,14 +135,14 @@ struct proposal_substructure_t { * * @return lifetime, in seconds */ - u_int32_t (*get_lifetime)(proposal_substructure_t *this); + uint32_t (*get_lifetime)(proposal_substructure_t *this); /** * Get the (shortest) life duration of a proposal (IKEv1 only). * * @return life duration, in bytes */ - u_int64_t (*get_lifebytes)(proposal_substructure_t *this); + uint64_t (*get_lifebytes)(proposal_substructure_t *this); /** * Get the first authentication method from the proposal (IKEv1 only). 
@@ -193,7 +193,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2( * @return proposal_substructure_t object PLV1_PROPOSAL_SUBSTRUCTURE */ proposal_substructure_t *proposal_substructure_create_from_proposal_v1( - proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes, + proposal_t *proposal, uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, encap_t udp); /** @@ -208,7 +208,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1( * @return IKEv1 proposal_substructure_t PLV1_PROPOSAL_SUBSTRUCTURE */ proposal_substructure_t *proposal_substructure_create_from_proposals_v1( - linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes, + linked_list_t *proposals, uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, encap_t udp); /** @@ -224,7 +224,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1( * @return IKEv1 proposal_substructure_t PLV1_PROPOSAL_SUBSTRUCTURE */ proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1( - u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi, - ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number); + uint32_t lifetime, uint64_t lifebytes, uint16_t cpi, + ipsec_mode_t mode, encap_t udp, uint8_t proposal_number); #endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c index 407038a2d..9c0b071da 100644 --- a/src/libcharon/encoding/payloads/sa_payload.c +++ b/src/libcharon/encoding/payloads/sa_payload.c @@ -41,7 +41,7 @@ struct private_sa_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -56,7 +56,7 @@ struct private_sa_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Proposals in this payload are stored in a linked_list_t. 
@@ -71,12 +71,12 @@ struct private_sa_payload_t { /** * IKEv1 DOI */ - u_int32_t doi; + uint32_t doi; /** * IKEv1 situation */ - u_int32_t situation; + uint32_t situation; }; /** @@ -342,7 +342,7 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*, } METHOD(sa_payload_t, get_ipcomp_proposals, linked_list_t*, - private_sa_payload_t *this, u_int16_t *cpi) + private_sa_payload_t *this, uint16_t *cpi) { int current_proposal = -1, unsupported_proposal = -1; enumerator_t *enumerator; @@ -353,8 +353,8 @@ METHOD(sa_payload_t, get_ipcomp_proposals, linked_list_t*, enumerator = this->proposals->create_enumerator(this->proposals); while (enumerator->enumerate(enumerator, &substruct)) { - u_int8_t proposal_number = substruct->get_proposal_number(substruct); - u_int8_t protocol_id = substruct->get_protocol_id(substruct); + uint8_t proposal_number = substruct->get_proposal_number(substruct); + uint8_t protocol_id = substruct->get_protocol_id(substruct); if (proposal_number == unsupported_proposal) { @@ -403,12 +403,12 @@ METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*, return this->proposals->create_enumerator(this->proposals); } -METHOD(sa_payload_t, get_lifetime, u_int32_t, +METHOD(sa_payload_t, get_lifetime, uint32_t, private_sa_payload_t *this) { proposal_substructure_t *substruct; enumerator_t *enumerator; - u_int32_t lifetime = 0; + uint32_t lifetime = 0; enumerator = this->proposals->create_enumerator(this->proposals); if (enumerator->enumerate(enumerator, &substruct)) @@ -420,12 +420,12 @@ METHOD(sa_payload_t, get_lifetime, u_int32_t, return lifetime; } -METHOD(sa_payload_t, get_lifebytes, u_int64_t, +METHOD(sa_payload_t, get_lifebytes, uint64_t, private_sa_payload_t *this) { proposal_substructure_t *substruct; enumerator_t *enumerator; - u_int64_t lifebytes = 0; + uint64_t lifebytes = 0; enumerator = this->proposals->create_enumerator(this->proposals); if (enumerator->enumerate(enumerator, &substruct)) 
@@ -558,9 +558,9 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal) * Described in header. */ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals, - u_int32_t lifetime, u_int64_t lifebytes, + uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, - encap_t udp, u_int16_t cpi) + encap_t udp, uint16_t cpi) { proposal_substructure_t *substruct; private_sa_payload_t *this; @@ -580,7 +580,7 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals, substruct->set_is_last_proposal(substruct, FALSE); if (cpi) { - u_int8_t proposal_number = substruct->get_proposal_number(substruct); + uint8_t proposal_number = substruct->get_proposal_number(substruct); substruct = proposal_substructure_create_for_ipcomp_v1(lifetime, lifebytes, cpi, mode, udp, proposal_number); @@ -602,9 +602,9 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals, * Described in header. */ sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal, - u_int32_t lifetime, u_int64_t lifebytes, + uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, - encap_t udp, u_int16_t cpi) + encap_t udp, uint16_t cpi) { private_sa_payload_t *this; linked_list_t *proposals; diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h index 0ddf3619c..f01c45130 100644 --- a/src/libcharon/encoding/payloads/sa_payload.h +++ b/src/libcharon/encoding/payloads/sa_payload.h 
@@ -57,21 +57,21 @@ struct sa_payload_t { * @param cpi the CPI of the first IPComp (sub)proposal * @return a list containing proposal_ts */ - linked_list_t *(*get_ipcomp_proposals) (sa_payload_t *this, u_int16_t *cpi); + linked_list_t *(*get_ipcomp_proposals) (sa_payload_t *this, uint16_t *cpi); /** * Get the (shortest) lifetime of a proposal (IKEv1 only). * * @return lifetime, in seconds */ - u_int32_t (*get_lifetime)(sa_payload_t *this); + uint32_t (*get_lifetime)(sa_payload_t *this); /** * Get the (shortest) life duration of a proposal (IKEv1 only). * * @return life duration, in bytes */ - u_int64_t (*get_lifebytes)(sa_payload_t *this); + uint64_t (*get_lifebytes)(sa_payload_t *this); /** * Get the first authentication method from the proposal (IKEv1 only). @@ -138,9 +138,9 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal); * @return sa_payload_t object */ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals, - u_int32_t lifetime, u_int64_t lifebytes, + uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, encap_t udp, - u_int16_t cpi); + uint16_t cpi); /** * Creates an IKEv1 sa_payload_t object from a single proposal. @@ -155,8 +155,8 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals, * @return sa_payload_t object */ sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal, - u_int32_t lifetime, u_int64_t lifebytes, + uint32_t lifetime, uint64_t lifebytes, auth_method_t auth, ipsec_mode_t mode, encap_t udp, - u_int16_t cpi); + uint16_t cpi); #endif /** SA_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c index 83618ff5d..f69fee3ae 100644 --- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c +++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c 
@@ -35,27 +35,27 @@ struct private_traffic_selector_substructure_t { /** * Type of traffic selector. */ - u_int8_t ts_type; + uint8_t ts_type; /** * IP Protocol ID. */ - u_int8_t ip_protocol_id; + uint8_t ip_protocol_id; /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Start port number. */ - u_int16_t start_port; + uint16_t start_port; /** * End port number. */ - u_int16_t end_port; + uint16_t end_port; /** * Starting address. diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.h b/src/libcharon/encoding/payloads/traffic_selector_substructure.h index d3fbe8476..c7a54435b 100644 --- a/src/libcharon/encoding/payloads/traffic_selector_substructure.h +++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.h @@ -62,7 +62,7 @@ struct traffic_selector_substructure_t { * @return type of traffic selector * */ - u_int8_t (*get_protocol_id) (traffic_selector_substructure_t *this); + uint8_t (*get_protocol_id) (traffic_selector_substructure_t *this); /** * Set the IP protocol ID of Traffic selector @@ -70,7 +70,7 @@ struct traffic_selector_substructure_t { * @param protocol_id protocol ID of traffic selector */ void (*set_protocol_id) (traffic_selector_substructure_t *this, - u_int8_t protocol_id); + uint8_t protocol_id); /** * Get the start port and address as host_t object. diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c index 4a5b52dcf..860607faf 100644 --- a/src/libcharon/encoding/payloads/transform_attribute.c +++ b/src/libcharon/encoding/payloads/transform_attribute.c 
@@ -85,12 +85,12 @@ struct private_transform_attribute_t { /** * Type of the attribute. */ - u_int16_t attribute_type; + uint16_t attribute_type; /** * Attribute Length if attribute_format is 0, attribute Value otherwise. */ - u_int16_t attribute_length_or_value; + uint16_t attribute_length_or_value; /** * Attribute value as chunk if attribute_format is 0 (FALSE). @@ -185,10 +185,10 @@ METHOD(transform_attribute_t, get_value_chunk, chunk_t, return this->attribute_value; } -METHOD(transform_attribute_t, get_value, u_int64_t, +METHOD(transform_attribute_t, get_value, uint64_t, private_transform_attribute_t *this) { - u_int64_t value = 0; + uint64_t value = 0; if (this->attribute_format) { @@ -203,7 +203,7 @@ METHOD(transform_attribute_t, get_value, u_int64_t, return untoh64((char*)&value); } -METHOD(transform_attribute_t, get_attribute_type, u_int16_t, +METHOD(transform_attribute_t, get_attribute_type, uint16_t, private_transform_attribute_t *this) { return this->attribute_type; @@ -250,7 +250,7 @@ transform_attribute_t *transform_attribute_create(payload_type_t type) * Described in header. */ transform_attribute_t *transform_attribute_create_value(payload_type_t type, - transform_attribute_type_t kind, u_int64_t value) + transform_attribute_type_t kind, uint64_t value) { private_transform_attribute_t *this; @@ -265,7 +265,7 @@ transform_attribute_t *transform_attribute_create_value(payload_type_t type, } else if (value <= UINT32_MAX) { - u_int32_t val32; + uint32_t val32; val32 = htonl(value); this->attribute_value = chunk_clone(chunk_from_thing(val32)); diff --git a/src/libcharon/encoding/payloads/transform_attribute.h b/src/libcharon/encoding/payloads/transform_attribute.h index 87e283b18..2e86a409c 100644 --- a/src/libcharon/encoding/payloads/transform_attribute.h +++ b/src/libcharon/encoding/payloads/transform_attribute.h 
@@ -109,14 +109,14 @@ struct transform_attribute_t { * * @return value */ - u_int64_t (*get_value) (transform_attribute_t *this); + uint64_t (*get_value) (transform_attribute_t *this); /** * get the type of the attribute. * * @return type of the value */ - u_int16_t (*get_attribute_type) (transform_attribute_t *this); + uint16_t (*get_attribute_type) (transform_attribute_t *this); /** * Destroys an transform_attribute_t object. @@ -141,6 +141,6 @@ transform_attribute_t *transform_attribute_create(payload_type_t type); * @return transform_attribute_t object */ transform_attribute_t *transform_attribute_create_value(payload_type_t type, - transform_attribute_type_t kind, u_int64_t value); + transform_attribute_type_t kind, uint64_t value); #endif /** TRANSFORM_ATTRIBUTE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c index 6885d6181..11e4b462d 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.c +++ b/src/libcharon/encoding/payloads/transform_substructure.c @@ -40,32 +40,32 @@ struct private_transform_substructure_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Reserved byte */ - u_int8_t reserved[3]; + uint8_t reserved[3]; /** * Length of this payload. */ - u_int16_t transform_length; + uint16_t transform_length; /** * Type or number, Type of the transform in IKEv2, number in IKEv2. */ - u_int8_t transform_ton; + uint8_t transform_ton; /** * Transform ID, as encoded in IKEv1. */ - u_int8_t transform_id_v1; + uint8_t transform_id_v1; /** * Transform ID, as encoded in IKEv2. */ - u_int16_t transform_id_v2; + uint16_t transform_id_v2; /** * Transforms Attributes are stored in a linked_list_t. 
@@ -235,13 +235,13 @@ METHOD(payload_t, set_next_type, void, { } -METHOD(transform_substructure_t, get_transform_type_or_number, u_int8_t, +METHOD(transform_substructure_t, get_transform_type_or_number, uint8_t, private_transform_substructure_t *this) { return this->transform_ton; } -METHOD(transform_substructure_t, get_transform_id, u_int16_t, +METHOD(transform_substructure_t, get_transform_id, uint16_t, private_transform_substructure_t *this) { if (this->type == PLV2_TRANSFORM_SUBSTRUCTURE) @@ -303,7 +303,7 @@ transform_substructure_t *transform_substructure_create(payload_type_t type) * Described in header */ transform_substructure_t *transform_substructure_create_type(payload_type_t type, - u_int8_t type_or_number, u_int16_t id) + uint8_t type_or_number, uint16_t id) { private_transform_substructure_t *this; diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index ba821d3bd..e75dc27bb 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -72,14 +72,14 @@ struct transform_substructure_t { * * @return Transform type of current transform substructure. */ - u_int8_t (*get_transform_type_or_number) (transform_substructure_t *this); + uint8_t (*get_transform_type_or_number) (transform_substructure_t *this); /** * Get transform id of the current transform. * * @return Transform id of current transform substructure. */ - u_int16_t (*get_transform_id) (transform_substructure_t *this); + uint16_t (*get_transform_id) (transform_substructure_t *this); /** * Create an enumerator over transform attributes. 
@@ -111,6 +111,6 @@ transform_substructure_t *transform_substructure_create(payload_type_t type); * @return transform_substructure_t object */ transform_substructure_t *transform_substructure_create_type(payload_type_t type, - u_int8_t type_or_number, u_int16_t id); + uint8_t type_or_number, uint16_t id); #endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c index e74b9ae1b..0b2d4de57 100644 --- a/src/libcharon/encoding/payloads/ts_payload.c +++ b/src/libcharon/encoding/payloads/ts_payload.c @@ -42,7 +42,7 @@ struct private_ts_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -62,12 +62,12 @@ struct private_ts_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * Number of traffic selectors */ - u_int8_t ts_num; + uint8_t ts_num; /** * Contains the traffic selectors of type traffic_selector_substructure_t. diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c index c69254fc0..adbf2c8f2 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.c +++ b/src/libcharon/encoding/payloads/unknown_payload.c @@ -39,7 +39,7 @@ struct private_unknown_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -54,7 +54,7 @@ struct private_unknown_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * The contained data. diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c index 400e0640d..7db9a69d3 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.c +++ b/src/libcharon/encoding/payloads/vendor_id_payload.c 
@@ -34,7 +34,7 @@ struct private_vendor_id_payload_t { /** * Next payload type. */ - u_int8_t next_payload; + uint8_t next_payload; /** * Critical flag. @@ -49,7 +49,7 @@ struct private_vendor_id_payload_t { /** * Length of this payload. */ - u_int16_t payload_length; + uint16_t payload_length; /** * The contained data. diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c index be37d30e5..71121908b 100644 --- a/src/libcharon/kernel/kernel_handler.c +++ b/src/libcharon/kernel/kernel_handler.c @@ -39,7 +39,7 @@ struct private_kernel_handler_t { /** * convert an IP protocol identifier to the IKEv2 specific protocol identifier. */ -static inline protocol_id_t proto_ip2ike(u_int8_t protocol) +static inline protocol_id_t proto_ip2ike(uint8_t protocol) { switch (protocol) { @@ -53,7 +53,7 @@ static inline protocol_id_t proto_ip2ike(u_int8_t protocol) } METHOD(kernel_listener_t, acquire, bool, - private_kernel_handler_t *this, u_int32_t reqid, + private_kernel_handler_t *this, uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { if (src_ts && dst_ts) @@ -71,7 +71,7 @@ METHOD(kernel_listener_t, acquire, bool, } METHOD(kernel_listener_t, expire, bool, - private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi, + private_kernel_handler_t *this, uint8_t protocol, uint32_t spi, host_t *dst, bool hard) { protocol_id_t proto = proto_ip2ike(protocol); @@ -93,7 +93,7 @@ METHOD(kernel_listener_t, expire, bool, } METHOD(kernel_listener_t, mapping, bool, - private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi, + private_kernel_handler_t *this, uint8_t protocol, uint32_t spi, host_t *dst, host_t *remote) { protocol_id_t proto = proto_ip2ike(protocol); 
@@ -108,7 +108,7 @@ METHOD(kernel_listener_t, mapping, bool, } METHOD(kernel_listener_t, migrate, bool, - private_kernel_handler_t *this, u_int32_t reqid, + private_kernel_handler_t *this, uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, host_t *local, host_t *remote) { diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c index 40c4ee589..7b39a020c 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libcharon/kernel/kernel_interface.c @@ -1,6 +1,7 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -62,12 +63,12 @@ struct kernel_algorithm_t { /** * Identifier specified in IKE */ - u_int16_t ike; + uint16_t ike; /** * Identifier as defined in pfkeyv2.h */ - u_int16_t kernel; + uint16_t kernel; /** * Name of the algorithm in linux crypto API @@ -166,7 +167,7 @@ METHOD(kernel_interface_t, get_features, kernel_feature_t, METHOD(kernel_interface_t, get_spi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) + uint8_t protocol, uint32_t *spi) { if (!this->ipsec) { @@ -177,7 +178,7 @@ METHOD(kernel_interface_t, get_spi, status_t, METHOD(kernel_interface_t, get_cpi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) + uint16_t *cpi) { if (!this->ipsec) { @@ -191,7 +192,7 @@ METHOD(kernel_interface_t, get_cpi, status_t, */ typedef struct { /** allocated reqid */ - u_int32_t reqid; + uint32_t reqid; /** references to this entry */ u_int refs; /** inbound mark used for SA */ 
@@ -327,9 +328,9 @@ static array_t *array_from_ts_list(linked_list_t *list) METHOD(kernel_interface_t, alloc_reqid, status_t, private_kernel_interface_t *this, linked_list_t *local_ts, linked_list_t *remote_ts, - mark_t mark_in, mark_t mark_out, u_int32_t *reqid) + mark_t mark_in, mark_t mark_out, uint32_t *reqid) { - static u_int32_t counter = 0; + static uint32_t counter = 0; reqid_entry_t *entry = NULL, *tmpl; status_t status = SUCCESS; @@ -379,7 +380,7 @@ METHOD(kernel_interface_t, alloc_reqid, status_t, } METHOD(kernel_interface_t, release_reqid, status_t, - private_kernel_interface_t *this, u_int32_t reqid, + private_kernel_interface_t *this, uint32_t reqid, mark_t mark_in, mark_t mark_out) { reqid_entry_t *entry, tmpl = { 
@@ -415,59 +416,48 @@ METHOD(kernel_interface_t, release_reqid, status_t, } METHOD(kernel_interface_t, add_sa, status_t, - private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts) + private_kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, - mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, - ipcomp, cpi, replay_window, initiator, encap, esn, inbound, - update, src_ts, dst_ts); + return this->ipsec->add_sa(this->ipsec, id, data); } METHOD(kernel_interface_t, update_sa, status_t, - private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) + private_kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst, - new_src, new_dst, encap, new_encap, mark); + return this->ipsec->update_sa(this->ipsec, id, data); } METHOD(kernel_interface_t, query_sa, status_t, - private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes, u_int64_t *packets, time_t *time) + private_kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, + time_t *time) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->query_sa(this->ipsec, src, dst, 
spi, protocol, mark, - bytes, packets, time); + return this->ipsec->query_sa(this->ipsec, id, data, bytes, packets, time); } METHOD(kernel_interface_t, del_sa, status_t, - private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int16_t cpi, mark_t mark) + private_kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark); + return this->ipsec->del_sa(this->ipsec, id, data); } METHOD(kernel_interface_t, flush_sas, status_t, 
@@ -481,44 +471,36 @@ METHOD(kernel_interface_t, flush_sas, status_t, } METHOD(kernel_interface_t, add_policy, status_t, - private_kernel_interface_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) + private_kernel_interface_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts, - direction, type, sa, mark, priority); + return this->ipsec->add_policy(this->ipsec, id, data); } METHOD(kernel_interface_t, query_policy, status_t, - private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - time_t *use_time) + private_kernel_interface_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_query_policy_t *data, time_t *use_time) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, - direction, mark, use_time); + return this->ipsec->query_policy(this->ipsec, id, data, use_time); } METHOD(kernel_interface_t, del_policy, status_t, - private_kernel_interface_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) + private_kernel_interface_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->del_policy(this->ipsec, src, dst, src_ts, dst_ts, - direction, type, sa, mark, priority); + return this->ipsec->del_policy(this->ipsec, id, data); } METHOD(kernel_interface_t, flush_policies, status_t, 
@@ -542,13 +524,14 @@ METHOD(kernel_interface_t, get_source_addr, host_t*, } METHOD(kernel_interface_t, get_nexthop, host_t*, - private_kernel_interface_t *this, host_t *dest, int prefix, host_t *src) + private_kernel_interface_t *this, host_t *dest, int prefix, host_t *src, + char **iface) { if (!this->net) { return NULL; } - return this->net->get_nexthop(this->net, dest, prefix, src); + return this->net->get_nexthop(this->net, dest, prefix, src, iface); } METHOD(kernel_interface_t, get_interface, bool, @@ -594,7 +577,7 @@ METHOD(kernel_interface_t, del_ip, status_t, METHOD(kernel_interface_t, add_route, status_t, private_kernel_interface_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) + uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { if (!this->net) { @@ -606,7 +589,7 @@ METHOD(kernel_interface_t, add_route, status_t, METHOD(kernel_interface_t, del_route, status_t, private_kernel_interface_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) + uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { if (!this->net) { @@ -627,7 +610,7 @@ METHOD(kernel_interface_t, bypass_socket, bool, } METHOD(kernel_interface_t, enable_udp_decap, bool, - private_kernel_interface_t *this, int fd, int family, u_int16_t port) + private_kernel_interface_t *this, int fd, int family, uint16_t port) { if (!this->ipsec) { @@ -683,6 +666,10 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t, if (ts->includes(ts, host)) { *ip = host_create_any(family); + if (vip) + { + *vip = FALSE; + } host->destroy(host); DBG2(DBG_KNL, "using host %H", *ip); return SUCCESS; @@ -803,7 +790,7 @@ METHOD(kernel_interface_t, remove_listener, void, } METHOD(kernel_interface_t, acquire, void, - private_kernel_interface_t *this, u_int32_t reqid, + private_kernel_interface_t *this, uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { kernel_listener_t *listener; 
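Review bot: On the `!this->net` early return in get_nexthop the new `iface` out-parameter is left untouched, so a caller that later frees `*iface` without initialising it would act on an indeterminate pointer; set `*iface = NULL` (guarded by `if (iface)`) before the existing `return NULL;`, mirroring the `if (vip) { *vip = FALSE; }` pattern this same commit adds to get_address_by_ts. Whether the net backends themselves always assign `*iface` on failure is not visible in this hunk. In the get_address_by_ts hunk only the `host_create_any` path now sets `*vip`; the function's other return paths lie outside the hunk and should be checked for the same initialisation.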
@@ -823,7 +810,7 @@ METHOD(kernel_interface_t, acquire, void, } METHOD(kernel_interface_t, expire, void, - private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + private_kernel_interface_t *this, uint8_t protocol, uint32_t spi, host_t *dst, bool hard) { kernel_listener_t *listener; @@ -844,7 +831,7 @@ METHOD(kernel_interface_t, expire, void, } METHOD(kernel_interface_t, mapping, void, - private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + private_kernel_interface_t *this, uint8_t protocol, uint32_t spi, host_t *dst, host_t *remote) { kernel_listener_t *listener; @@ -865,7 +852,7 @@ METHOD(kernel_interface_t, mapping, void, } METHOD(kernel_interface_t, migrate, void, - private_kernel_interface_t *this, u_int32_t reqid, + private_kernel_interface_t *this, uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, host_t *local, host_t *remote) { @@ -919,8 +906,8 @@ METHOD(kernel_interface_t, tun, void, } METHOD(kernel_interface_t, register_algorithm, void, - private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, - u_int16_t kernel_id, char *kernel_name) + private_kernel_interface_t *this, uint16_t alg_id, transform_type_t type, + uint16_t kernel_id, char *kernel_name) { kernel_algorithm_t *algorithm; @@ -937,8 +924,8 @@ METHOD(kernel_interface_t, register_algorithm, void, } METHOD(kernel_interface_t, lookup_algorithm, bool, - private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, - u_int16_t *kernel_id, char **kernel_name) + private_kernel_interface_t *this, uint16_t alg_id, transform_type_t type, + uint16_t *kernel_id, char **kernel_name) { kernel_algorithm_t *algorithm; enumerator_t *enumerator; diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h index 6793c6cc6..225b40932 100644 --- a/src/libcharon/kernel/kernel_interface.h +++ b/src/libcharon/kernel/kernel_interface.h 
@@ -1,9 +1,9 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -108,7 +108,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi); + uint8_t protocol, uint32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. @@ -119,7 +119,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst, - u_int16_t *cpi); + uint16_t *cpi); /** * Allocate or confirm a reqid to use for a given SA pair. @@ -141,7 +141,7 @@ struct kernel_interface_t { status_t (*alloc_reqid)(kernel_interface_t *this, linked_list_t *local_ts, linked_list_t *remote_ts, mark_t mark_in, mark_t mark_out, - u_int32_t *reqid); + uint32_t *reqid); /** * Release a previously allocated reqid. @@ -151,7 +151,7 @@ struct kernel_interface_t { * @param mark_out outbound mark on SA * @return SUCCESS if reqid released */ - status_t (*release_reqid)(kernel_interface_t *this, u_int32_t reqid, + status_t (*release_reqid)(kernel_interface_t *this, uint32_t reqid, mark_t mark_in, mark_t mark_out); /** 
@@ -160,41 +160,12 @@ struct kernel_interface_t { * This function does install a single SA for a single protocol in one * direction. * - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param reqid reqid for this SA - * @param mark optional mark for this SA - * @param tfc Traffic Flow Confidentiality padding for this SA - * @param lifetime lifetime_cfg_t for this SA - * @param enc_alg Algorithm to use for encryption (ESP only) - * @param enc_key key to use for encryption - * @param int_alg Algorithm to use for integrity protection - * @param int_key key to use for integrity protection - * @param mode mode of the SA (tunnel, transport) - * @param ipcomp IPComp transform to use - * @param cpi CPI for IPComp - * @param replay_window anti-replay window size - * @param initiator TRUE if initiator of the exchange creating this SA - * @param encap enable UDP encapsulation for NAT traversal - * @param esn TRUE to use Extended Sequence Numbers - * @param inbound TRUE if this is an inbound SA - * @param update TRUE if an SPI has already been allocated for SA - * @param src_ts list of source traffic selectors - * @param dst_ts list of destination traffic selectors + * @param id data identifying this SA + * @param data data for this SA * @return SUCCESS if operation completed */ - status_t (*add_sa) (kernel_interface_t *this, - host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, mark_t mark, - u_int32_t tfc, lifetime_cfg_t *lifetime, - u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - u_int32_t replay_window, bool initiator, bool encap, - bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts); + status_t (*add_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data); /** * 
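Review bot: The new `@param id` / `@param data` lines for add_sa say only "data identifying this SA" and "data for this SA", dropping the per-field semantics the old parameter list carried without pointing at where they now live or stating the call contract; suggest `@param id data identifying this SA (see kernel_ipsec_sa_id_t, presumably non-NULL)` and `@param data SA parameters (see kernel_ipsec_add_sa_t); referenced keys and lists remain owned by the caller`. Because enc_key/int_key now travel by reference inside the struct, the header should say explicitly whether a backend must copy key material before returning, otherwise a caller freeing the chunks right after the call risks a dangling reference — which backends copy is not visible from this hunk. The same terse wording is repeated for update_sa, query_sa, del_sa, add_policy, query_policy and del_policy in this header and in the mirrored kernel_ipsec.h hunks further down; the fix applies to each of them.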
Update the hosts on an installed SA. 
@@ -204,85 +175,55 @@ struct kernel_interface_t { * to identify SAs. Therefore if the destination address changed we * create a new SA and delete the old one. * - * @param spi SPI of the SA - * @param protocol protocol for this SA (ESP/AH) - * @param cpi CPI for IPComp, 0 if no IPComp is used - * @param src current source address - * @param dst current destination address - * @param new_src new source address - * @param new_dst new destination address - * @param encap current use of UDP encapsulation - * @param new_encap new use of UDP encapsulation - * @param mark optional mark for this SA + * @param id data identifying this SA + * @param data updated data for this SA * @return SUCCESS if operation completed, NOT_SUPPORTED if - * the kernel interface can't update the SA + * the kernel interface can't update the SA */ - status_t (*update_sa)(kernel_interface_t *this, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, - host_t *src, host_t *dst, - host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark); + status_t (*update_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data); /** * Query the number of bytes processed by an SA from the SAD. 
* - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param mark optional mark for this SA + * @param id data identifying this SA + * @param data data to query the SA * @param[out] bytes the number of bytes processed by SA * @param[out] packets number of packets processed by SA * @param[out] time last (monotonic) time of SA use * @return SUCCESS if operation completed */ - status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes, u_int64_t *packets, time_t *time); + status_t (*query_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, + uint64_t *packets, time_t *time); /** * Delete a previously installed SA from the SAD. * - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param cpi CPI for IPComp or 0 - * @param mark optional mark for this SA + * @param id data identifying this SA + * @param data data to delete the SA * @return SUCCESS if operation completed */ - status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, - mark_t mark); + status_t (*del_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data); /** * Flush all SAs from the SAD. * * @return SUCCESS if operation completed */ - status_t (*flush_sas) (kernel_interface_t *this); + status_t (*flush_sas)(kernel_interface_t *this); /** * Add a policy to the SPD. 
* - * @param src source address of SA - * @param dst dest address of SA - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param type type of policy, POLICY_(IPSEC|PASS|DROP) - * @param sa details about the SA(s) tied to this policy - * @param mark mark for this policy - * @param priority priority of this policy + * @param id data identifying this policy + * @param data data for this policy * @return SUCCESS if operation completed */ - status_t (*add_policy) (kernel_interface_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, - ipsec_sa_cfg_t *sa, mark_t mark, - policy_priority_t priority); + status_t (*add_policy)(kernel_interface_t *this, + kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data); /** * Query the use time of a policy. 
@@ -290,47 +231,33 @@ struct kernel_interface_t { * The use time of a policy is the time the policy was used * for the last time. * - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param mark optional mark - * @param[out] use_time the (monotonic) time of this SA's last use + * @param id data identifying this policy + * @param data data to query the policy + * @param[out] use_time the monotonic timestamp of this SA's last use * @return SUCCESS if operation completed */ - status_t (*query_policy) (kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, mark_t mark, - time_t *use_time); + status_t (*query_policy)(kernel_interface_t *this, + kernel_ipsec_policy_id_t *id, + kernel_ipsec_query_policy_t *data, + time_t *use_time); /** * Remove a policy from the SPD. * - * @param src source address of SA - * @param dst dest address of SA - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param type type of policy, POLICY_(IPSEC|PASS|DROP) - * @param sa details about the SA(s) tied to this policy - * @param mark mark for this policy - * @param priority priority of the policy + * @param id data identifying this policy + * @param data data for this policy * @return SUCCESS if operation completed */ - status_t (*del_policy) (kernel_interface_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, - ipsec_sa_cfg_t *sa, mark_t mark, - policy_priority_t priority); + status_t (*del_policy)(kernel_interface_t *this, + kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data); /** * Flush all policies from the SPD. 
* * @return SUCCESS if operation completed */ - status_t (*flush_policies) (kernel_interface_t *this); + status_t (*flush_policies)(kernel_interface_t *this); /** * Get our outgoing source address for a destination. @@ -358,10 +285,12 @@ struct kernel_interface_t { * @param dest target destination address * @param prefix prefix length if dest is a subnet, -1 for auto * @param src source address to check, or NULL + * @param[out] iface allocated name of the interface to reach dest, if + * available (optional) * @return next hop address, NULL if unreachable */ host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest, - int prefix, host_t *src); + int prefix, host_t *src, char **iface); /** * Get the interface name of a local address. Interfaces that are down or @@ -426,7 +355,7 @@ struct kernel_interface_t { * ALREADY_DONE if the route already exists */ status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name); /** @@ -440,7 +369,7 @@ struct kernel_interface_t { * @return SUCCESS if operation completed */ status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name); /** @@ -461,7 +390,7 @@ struct kernel_interface_t { * @return TRUE if UDP decapsulation was enabled successfully */ bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family, - u_int16_t port); + uint16_t port); /** @@ -561,7 +490,7 @@ struct kernel_interface_t { * @param src_ts source traffic selector * @param dst_ts destination traffic selector */ - void (*acquire)(kernel_interface_t *this, u_int32_t reqid, + void (*acquire)(kernel_interface_t *this, uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts); /** 
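Review bot: The new `@param[out] iface` line on get_nexthop says "allocated name ... if available (optional)" but not who frees the string or what `*iface` holds when no interface is known, which is exactly what a caller of an allocated out-parameter needs; suggest `@param[out] iface allocated interface name (caller frees), NULL if not available; may be NULL`. Whether implementations assign NULL on failure is not visible here, so the wording should match what the backends actually do. In the query_policy block of the preceding hunk the rewritten line `@param[out] use_time the monotonic timestamp of this SA's last use` documents a policy query, so "SA's" should read "policy's".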
@@ -572,7 +501,7 @@ struct kernel_interface_t { * @param dst destination address of expired SA * @param hard TRUE if it is a hard expire, FALSE otherwise */ - void (*expire)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + void (*expire)(kernel_interface_t *this, uint8_t protocol, uint32_t spi, host_t *dst, bool hard); /** @@ -583,7 +512,7 @@ struct kernel_interface_t { * @param dst original destination address of SA * @param remote new remote host */ - void (*mapping)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + void (*mapping)(kernel_interface_t *this, uint8_t protocol, uint32_t spi, host_t *dst, host_t *remote); /** @@ -596,7 +525,7 @@ struct kernel_interface_t { * @param local local host address to be used in the IKE_SA * @param remote remote host address to be used in the IKE_SA */ - void (*migrate)(kernel_interface_t *this, u_int32_t reqid, + void (*migrate)(kernel_interface_t *this, uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, host_t *local, host_t *remote); @@ -623,8 +552,8 @@ struct kernel_interface_t { * @param kernel_id the kernel id of the algorithm * @param kernel_name the kernel name of the algorithm */ - void (*register_algorithm)(kernel_interface_t *this, u_int16_t alg_id, - transform_type_t type, u_int16_t kernel_id, + void (*register_algorithm)(kernel_interface_t *this, uint16_t alg_id, + transform_type_t type, uint16_t kernel_id, char *kernel_name); /** @@ -637,8 +566,8 @@ struct kernel_interface_t { * @param kernel_name the kernel name of the algorithm (optional) * @return TRUE if algorithm was found */ - bool (*lookup_algorithm)(kernel_interface_t *this, u_int16_t alg_id, - transform_type_t type, u_int16_t *kernel_id, + bool (*lookup_algorithm)(kernel_interface_t *this, uint16_t alg_id, + transform_type_t type, uint16_t *kernel_id, char **kernel_name); /** 
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 31e06308e..0ad566068 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -1,9 +1,10 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2016 Andreas Steffen + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -25,6 +26,14 @@ #define KERNEL_IPSEC_H_ typedef struct kernel_ipsec_t kernel_ipsec_t; +typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t; +typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t; +typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t; +typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t; +typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t; +typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t; +typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t; +typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t; #include <networking/host.h> #include <ipsec/ipsec_types.h> 
@@ -33,6 +42,137 @@ typedef struct kernel_ipsec_t kernel_ipsec_t; #include <kernel/kernel_interface.h> /** + * Data required to identify an SA in the kernel + */ +struct kernel_ipsec_sa_id_t { + /** Source address */ + host_t *src; + /** Destination address */ + host_t *dst; + /** SPI */ + uint32_t spi; + /** Protocol (ESP/AH) */ + uint8_t proto; + /** Optional mark */ + mark_t mark; +}; + +/** + * Data required to add an SA to the kernel + */ +struct kernel_ipsec_add_sa_t { + /** Reqid */ + uint32_t reqid; + /** Mode (tunnel, transport...) */ + ipsec_mode_t mode; + /** List of source traffic selectors */ + linked_list_t *src_ts; + /** List of destination traffic selectors */ + linked_list_t *dst_ts; + /** Network interface restricting policy */ + char *interface; + /** Lifetime configuration */ + lifetime_cfg_t *lifetime; + /** Encryption algorithm */ + uint16_t enc_alg; + /** Encryption key */ + chunk_t enc_key; + /** Integrity protection algorithm */ + uint16_t int_alg; + /** Integrity protection key */ + chunk_t int_key; + /** Anti-replay window size */ + uint32_t replay_window; + /** Traffic Flow Confidentiality padding */ + uint32_t tfc; + /** IPComp transform */ + uint16_t ipcomp; + /** CPI for IPComp */ + uint16_t cpi; + /** TRUE to enable UDP encapsulation for NAT traversal */ + bool encap; + /** TRUE to use Extended Sequence Numbers */ + bool esn; + /** TRUE if initiator of the exchange creating the SA */ + bool initiator; + /** TRUE if this is an inbound SA */ + bool inbound; + /** TRUE if an SPI has already been allocated for this SA */ + bool update; +}; + +/** + * Data required to update the hosts of an SA in the kernel + */ +struct kernel_ipsec_update_sa_t { + /** CPI in case IPComp is used */ + uint16_t cpi; + /** New source address */ + host_t *new_src; + /** New destination address */ + host_t *new_dst; + /** TRUE if UDP encapsulation is currently enabled */ + bool encap; + /** TRUE to enable UDP encapsulation */ + bool new_encap; +}; + +/** + * 
Data required to query an SA in the kernel + */ +struct kernel_ipsec_query_sa_t { + uint16_t cpi; +}; + +/** + * Data required to delete an SA in the kernel + */ +struct kernel_ipsec_del_sa_t { + /** CPI in case IPComp is used */ + uint16_t cpi; +}; + +/** + * Data identifying a policy in the kernel + */ +struct kernel_ipsec_policy_id_t { + /** Direction of traffic */ + policy_dir_t dir; + /** Source traffic selector */ + traffic_selector_t *src_ts; + /** Destination traffic selector */ + traffic_selector_t *dst_ts; + /** Optional mark */ + mark_t mark; + /** Network interface restricting policy */ + char *interface; +}; + +/** + * Data required to add/delete a policy to/from the kernel + */ +struct kernel_ipsec_manage_policy_t { + /** Type of policy */ + policy_type_t type; + /** Priority class */ + policy_priority_t prio; + /** Manually-set priority (automatic if set to 0) */ + uint32_t manual_prio; + /** Source address of the SA(s) tied to this policy */ + host_t *src; + /** Destination address of the SA(s) tied to this policy */ + host_t *dst; + /** Details about the SA(s) tied to this policy */ + ipsec_sa_cfg_t *sa; +}; + +/** + * Data required to query a policy in the kernel + */ +struct kernel_ipsec_query_policy_t { +}; + +/** * Interface to the ipsec subsystem of the kernel. * * The kernel ipsec interface handles the communication with the kernel @@ -62,7 +202,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi); + uint8_t protocol, uint32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. @@ -73,7 +213,7 @@ struct kernel_ipsec_t { * @return SUCCESS if operation completed */ status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi); + uint16_t *cpi); /** * Add an SA to the SAD. 
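Review bot: `struct kernel_ipsec_query_policy_t` is declared with an empty body, which is not valid ISO C (a struct declaration list needs at least one member) and compiles only as a GNU extension; if the type is a deliberate placeholder, say so in its comment, e.g. `/** Data required to query a policy in the kernel (currently empty, reserved for future fields) */`, or give it a reserved member. `kernel_ipsec_query_sa_t` is the only new struct whose member has no per-field comment; add `/** CPI in case IPComp is used */` above `cpi`, as kernel_ipsec_del_sa_t does. `kernel_ipsec_add_sa_t` carries enc_key/int_key as chunk_t references, so a sentence on ownership and lifetime (who frees, whether the backend copies before returning) belongs on the struct now that the former by-value call no longer implies it. The `interface` comment "Network interface restricting policy" in add_sa_t repeats the policy_id_t wording; clarify what it restricts for an SA.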
@@ -81,41 +221,12 @@ struct kernel_ipsec_t { * This function does install a single SA for a single protocol in one * direction. * - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param reqid unique ID for this SA - * @param mark mark for this SA - * @param tfc Traffic Flow Confidentiality padding for this SA - * @param lifetime lifetime_cfg_t for this SA - * @param enc_alg Algorithm to use for encryption (ESP only) - * @param enc_key key to use for encryption - * @param int_alg Algorithm to use for integrity protection - * @param int_key key to use for integrity protection - * @param mode mode of the SA (tunnel, transport) - * @param ipcomp IPComp transform to use - * @param cpi CPI for IPComp - * @param replay_window anti-replay window size - * @param initiator TRUE if initiator of the exchange creating this SA - * @param encap enable UDP encapsulation for NAT traversal - * @param esn TRUE to use Extended Sequence Numbers - * @param inbound TRUE if this is an inbound SA - * @param update TRUE if an SPI has already been allocated for SA - * @param src_ts list of source traffic selectors - * @param dst_ts list of destination traffic selectors + * @param id data identifying this SA + * @param data data for this SA * @return SUCCESS if operation completed */ - status_t (*add_sa) (kernel_ipsec_t *this, - host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, - mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, - u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - u_int32_t replay_window, bool initiator, bool encap, - bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts); + status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data); /** * Update the hosts 
on an installed SA. 
@@ -125,85 +236,55 @@ struct kernel_ipsec_t { * to identify SAs. Therefore if the destination address changed we * create a new SA and delete the old one. * - * @param spi SPI of the SA - * @param protocol protocol for this SA (ESP/AH) - * @param cpi CPI for IPComp, 0 if no IPComp is used - * @param src current source address - * @param dst current destination address - * @param new_src new source address - * @param new_dst new destination address - * @param encap current use of UDP encapsulation - * @param new_encap new use of UDP encapsulation - * @param mark optional mark for this SA + * @param id data identifying this SA + * @param data updated data for this SA * @return SUCCESS if operation completed, NOT_SUPPORTED if - * the kernel interface can't update the SA + * the kernel interface can't update the SA */ - status_t (*update_sa)(kernel_ipsec_t *this, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, - host_t *src, host_t *dst, - host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark); + status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data); /** * Query the number of bytes processed by an SA from the SAD. 
* - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param mark optional mark for this SA + * @param id data identifying this SA + * @param data data to query the SA * @param[out] bytes the number of bytes processed by SA * @param[out] packets number of packets processed by SA * @param[out] time last (monotonic) time of SA use * @return SUCCESS if operation completed */ - status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes, u_int64_t *packets, time_t *time); + status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, + uint64_t *packets, time_t *time); /** - * Delete a previusly installed SA from the SAD. + * Delete a previously installed SA from the SAD. * - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param cpi CPI for IPComp or 0 - * @param mark optional mark for this SA + * @param id data identifying this SA + * @param data data to delete the SA * @return SUCCESS if operation completed */ - status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, - mark_t mark); + status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data); /** * Flush all SAs from the SAD. * * @return SUCCESS if operation completed */ - status_t (*flush_sas) (kernel_ipsec_t *this); + status_t (*flush_sas)(kernel_ipsec_t *this); /** * Add a policy to the SPD. 
* - * @param src source address of SA - * @param dst dest address of SA - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param type type of policy, POLICY_(IPSEC|PASS|DROP) - * @param sa details about the SA(s) tied to this policy - * @param mark mark for this policy - * @param priority priority of this policy + * @param id data identifying this policy + * @param data data for this policy * @return SUCCESS if operation completed */ - status_t (*add_policy) (kernel_ipsec_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, - ipsec_sa_cfg_t *sa, mark_t mark, - policy_priority_t priority); + status_t (*add_policy)(kernel_ipsec_t *this, + kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data); /** * Query the use time of a policy. 
@@ -212,47 +293,33 @@ struct kernel_ipsec_t {
 * time. It is not the system time, but a monotonic timestamp as returned
 * by time_monotonic.
 *
- * @param src_ts traffic selector to match traffic source
- * @param dst_ts traffic selector to match traffic dest
- * @param direction direction of traffic, POLICY_(IN|OUT|FWD)
- * @param mark optional mark
+ * @param id data identifying this policy
+ * @param data data to query the policy
 * @param[out] use_time the monotonic timestamp of this SA's last use
 * @return SUCCESS if operation completed
 */
- status_t (*query_policy) (kernel_ipsec_t *this,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts,
- policy_dir_t direction, mark_t mark,
- time_t *use_time);
+ status_t (*query_policy)(kernel_ipsec_t *this,
+ kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_query_policy_t *data,
+ time_t *use_time);
 /**
 * Remove a policy from the SPD.
 *
- * @param src source address of SA
- * @param dst dest address of SA
- * @param src_ts traffic selector to match traffic source
- * @param dst_ts traffic selector to match traffic dest
- * @param direction direction of traffic, POLICY_(IN|OUT|FWD)
- * @param type type of policy, POLICY_(IPSEC|PASS|DROP)
- * @param sa details about the SA(s) tied to this policy
- * @param mark mark for this policy
- * @param priority priority of the policy
+ * @param id data identifying this policy
+ * @param data data for this policy
 * @return SUCCESS if operation completed
 */
- status_t (*del_policy) (kernel_ipsec_t *this,
- host_t *src, host_t *dst,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts,
- policy_dir_t direction, policy_type_t type,
- ipsec_sa_cfg_t *sa, mark_t mark,
- policy_priority_t priority);
+ status_t (*del_policy)(kernel_ipsec_t *this,
+ kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data);
 /**
 * Flush all policies from the SPD.
 *
 * @return SUCCESS if operation completed
 */
- status_t (*flush_policies) (kernel_ipsec_t *this);
+ status_t (*flush_policies)(kernel_ipsec_t *this);
 /**
 * Install a bypass policy for the given socket.
@@ -272,12 +339,12 @@ struct kernel_ipsec_t {
 * @return TRUE if UDP decapsulation was enabled successfully
 */
 bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
- u_int16_t port);
+ uint16_t port);
 /**
 * Destroy the implementation.
 */
- void (*destroy) (kernel_ipsec_t *this);
+ void (*destroy)(kernel_ipsec_t *this);
 };
 /**
diff --git a/src/libcharon/kernel/kernel_listener.h b/src/libcharon/kernel/kernel_listener.h
index 6426fae2a..aaeb4f5b7 100644
--- a/src/libcharon/kernel/kernel_listener.h
+++ b/src/libcharon/kernel/kernel_listener.h
@@ -43,7 +43,7 @@ struct kernel_listener_t {
 * @param dst_ts destination traffic selector
 * @return TRUE to remain registered, FALSE to unregister
 */
- bool (*acquire)(kernel_listener_t *this, u_int32_t reqid,
+ bool (*acquire)(kernel_listener_t *this, uint32_t reqid,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 /**
@@ -55,7 +55,7 @@ struct kernel_listener_t {
 * @param hard TRUE if it is a hard expire, FALSE otherwise
 * @return TRUE to remain registered, FALSE to unregister
 */
- bool (*expire)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+ bool (*expire)(kernel_listener_t *this, uint8_t protocol, uint32_t spi,
 host_t *dst, bool hard);
 /**
@@ -67,7 +67,7 @@ struct kernel_listener_t {
 * @param remote new remote host
 * @return TRUE to remain registered, FALSE to unregister
 */
- bool (*mapping)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+ bool (*mapping)(kernel_listener_t *this, uint8_t protocol, uint32_t spi,
 host_t *dst, host_t *remote);
 /**
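Review bot: The replacement parameter docs in the query_policy/del_policy hunk, `@param data data to query the policy` and `@param data data for this policy`, restate the parameter name rather than its contract, so a backend implementer reading only this header cannot tell which fields of the struct a delete is expected to match on versus ignore. I'd point at the struct documentation and state the relationship to add_policy, e.g. `@param data data for this policy (see kernel_ipsec_manage_policy_t), as passed to add_policy` — adjusted to whatever the struct doc actually guarantees, since it is not in this view. The same wording is used for the query_sa/del_sa/add_policy entries in the preceding hunk, whose start lies before this view.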
@@ -81,7 +81,7 @@ struct kernel_listener_t {
 * @param remote remote host address to be used in the IKE_SA
 * @return TRUE to remain registered, FALSE to unregister
 */
- bool (*migrate)(kernel_listener_t *this, u_int32_t reqid,
+ bool (*migrate)(kernel_listener_t *this, uint32_t reqid,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 policy_dir_t direction, host_t *local, host_t *remote);
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
index 7fc644a7e..1d78d6edd 100644
--- a/src/libcharon/kernel/kernel_net.h
+++ b/src/libcharon/kernel/kernel_net.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
 * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@@ -88,10 +88,12 @@ struct kernel_net_t {
 * @param dest target destination address
 * @param prefix prefix length if dest is a subnet, -1 for auto
 * @param src source address to check, or NULL
+ * @param[out] iface allocated name of the interface to reach dest, if
+ * available (optional)
 * @return next hop address, NULL if unreachable
 */
 host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest, int prefix,
- host_t *src);
+ host_t *src, char **iface);
 /**
 * Get the interface name of a local address. Interfaces that are down or
@@ -156,7 +158,7 @@ struct kernel_net_t {
 * ALREADY_DONE if the route already exists
 */
 status_t (*add_route) (kernel_net_t *this, chunk_t dst_net,
- u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+ uint8_t prefixlen, host_t *gateway, host_t *src_ip,
 char *if_name);
 /**
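Review bot: The new `iface` out-parameter on get_nexthop is documented as `allocated name of the interface to reach dest, if available (optional)`, which leaves the two things a caller must know implicit: who frees the string, and whether `*iface` is set to NULL when no name is available (an uninitialised out-pointer on the not-available path is a classic free-of-garbage bug). I'd spell both out on the doc line, e.g. `@param[out] iface allocated interface name, NULL if unavailable; the caller frees it (optional, may be NULL)`, adjusted to what the backends actually guarantee, since no implementation is in this hunk.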
@@ -170,7 +172,7 @@ struct kernel_net_t {
 * @return SUCCESS if operation completed
 */
 status_t (*del_route) (kernel_net_t *this, chunk_t dst_net,
- u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+ uint8_t prefixlen, host_t *gateway, host_t *src_ip,
 char *if_name);
 /**
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index ee357ca4d..1bf93ad40 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -81,17 +81,17 @@ struct private_receiver_t {
 /**
 * how many times we have used "secret" so far
 */
- u_int32_t secret_used;
+ uint32_t secret_used;
 /**
 * time we did the cookie switch
 */
- u_int32_t secret_switch;
+ uint32_t secret_switch;
 /**
 * time offset to use, hides our system time
 */
- u_int32_t secret_offset;
+ uint32_t secret_offset;
 /**
 * the RNG to use for secret generation
@@ -106,7 +106,7 @@ struct private_receiver_t {
 /**
 * require cookies after this many half open IKE_SAs
 */
- u_int32_t cookie_threshold;
+ uint32_t cookie_threshold;
 /**
 * timestamp of last cookie requested
@@ -116,7 +116,7 @@ struct private_receiver_t {
 /**
 * how many half open IKE_SAs per peer before blocking
 */
- u_int32_t block_threshold;
+ uint32_t block_threshold;
 /**
 * Drop IKE_SA_INIT requests if processor job load exceeds this limit
@@ -192,9 +192,9 @@ static void send_notify(message_t *request, int major, exchange_type_t exchange,
 * build a cookie
 */
 static bool cookie_build(private_receiver_t *this, message_t *message,
- u_int32_t t, chunk_t secret, chunk_t *cookie)
+ uint32_t t, chunk_t secret, chunk_t *cookie)
 {
- u_int64_t spi = message->get_initiator_spi(message);
+ uint64_t spi = message->get_initiator_spi(message);
 host_t *ip = message->get_source(message);
 chunk_t input, hash;
@@ -216,14 +216,14 @@ static bool cookie_build(private_receiver_t *this, message_t *message,
 static bool cookie_verify(private_receiver_t *this, message_t *message,
 chunk_t cookie)
 {
- u_int32_t t, now;
+ uint32_t t, now;
 chunk_t reference;
 chunk_t secret;
 now = time_monotonic(NULL);
- t = *(u_int32_t*)cookie.ptr;
+ t = *(uint32_t*)cookie.ptr;
- if (cookie.len != sizeof(u_int32_t) +
+ if (cookie.len != sizeof(uint32_t) +
 this->hasher->get_hash_size(this->hasher) ||
 t < now - this->secret_offset - COOKIE_LIFETIME)
 {
@@ -269,15 +269,15 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 data = message->get_packet_data(message);
 if (data.len < IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
- sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
+ sizeof(uint32_t) + this->hasher->get_hash_size(this->hasher) ||
 *(data.ptr + 16) != PLV2_NOTIFY ||
- *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
+ *(uint16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
 { /* no cookie found */
 return FALSE;
 }
 data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
- data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
+ data.len = sizeof(uint32_t) + this->hasher->get_hash_size(this->hasher);
 if (!cookie_verify(this, message, data))
 {
 DBG2(DBG_NET, "found cookie, but content invalid");
@@ -290,7 +290,7 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 * Check if we currently require cookies
 */
 static bool cookie_required(private_receiver_t *this,
- u_int half_open, u_int32_t now)
+ u_int half_open, uint32_t now)
 {
 if (this->cookie_threshold && half_open >= this->cookie_threshold)
 {
@@ -322,7 +322,7 @@ static bool cookie_required(private_receiver_t *this,
 static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
 {
 u_int half_open, half_open_r;
- u_int32_t now;
+ uint32_t now;
 now = time_monotonic(NULL);
 half_open = charon->ike_sa_manager->get_half_open_count(
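Review bot: In cookie_verify, the new-side line `t = *(uint32_t*)cookie.ptr;` reads the cookie timestamp before the length test two lines below has confirmed that cookie.len covers sizeof(uint32_t) plus the hash size, and it does so by dereferencing packet bytes through a uint32_t pointer, which is a strict-aliasing and alignment hazard on stricter targets; this commit only renames the type. The only visible caller, check_cookie in the next hunk, sets data.len to exactly that size before calling, so the short read is latent rather than reachable from what is shown, but the ordering means any future caller with a shorter chunk reads past the buffer. I'd split the condition so the length test runs first and then copy the field out with `memcpy(&t, cookie.ptr, sizeof(t));` before the lifetime comparison, keeping the existing failure branch, which continues outside the hunk. The same cast pattern at `*(uint16_t*)(data.ptr + IKE_HEADER_LENGTH + 6)` in check_cookie is length-checked but still assumes alignment and would benefit from the same treatment.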
@@ -620,7 +620,7 @@ METHOD(receiver_t, destroy, void,
 receiver_t *receiver_create()
 {
 private_receiver_t *this;
- u_int32_t now = time_monotonic(NULL);
+ uint32_t now = time_monotonic(NULL);
 INIT(this,
 .public = {
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index e3cda3bea..b084d96a2 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -99,7 +99,7 @@ struct socket_t {
 * @param nat_t TRUE to get the port used to float in case of NAT-T
 * @return the port
 */
- u_int16_t (*get_port)(socket_t *this, bool nat_t);
+ uint16_t (*get_port)(socket_t *this, bool nat_t);
 /**
 * Get the address families this socket is listening on.
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index 2a07e503c..564608d77 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -89,10 +89,10 @@ METHOD(socket_manager_t, sender, status_t,
 return status;
 }
-METHOD(socket_manager_t, get_port, u_int16_t,
+METHOD(socket_manager_t, get_port, uint16_t,
 private_socket_manager_t *this, bool nat_t)
 {
- u_int16_t port = 0;
+ uint16_t port = 0;
 this->lock->read_lock(this->lock);
 if (this->socket)
 {
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
index a07d0804c..cde7859c2 100644
--- a/src/libcharon/network/socket_manager.h
+++ b/src/libcharon/network/socket_manager.h
@@ -58,7 +58,7 @@ struct socket_manager_t {
 * @param nat_t TRUE to get the port used to float in case of NAT-T
 * @return the port, or 0, if no socket is registered
 */
- u_int16_t (*get_port)(socket_manager_t *this, bool nat_t);
+ uint16_t (*get_port)(socket_manager_t *this, bool nat_t);
 /**
 * Get the address families the registered socket is listening on.
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index b4ae6fa3e..3b49a8582 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/addrblock -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index d90149827..5f6ecbf14 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/android_dns -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android_dns/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/android_dns/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index 64fecd9e3..bee30d9a9 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/android_log -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android_log/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/android_log/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in index acb7d07c0..607fe3f87 100644 --- a/src/libcharon/plugins/attr/Makefile.in +++ b/src/libcharon/plugins/attr/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/attr -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -200,12 +209,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -255,6 +266,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -289,6 +301,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -400,6 +413,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -458,7 +472,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -772,6 +785,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/attr/attr_provider.c b/src/libcharon/plugins/attr/attr_provider.c index 1de571c3f..f4c143641 100644 --- a/src/libcharon/plugins/attr/attr_provider.c +++ b/src/libcharon/plugins/attr/attr_provider.c 
@@ -272,10 +272,10 @@ static void load_entries(private_attr_provider_t *this) { if (family == AF_INET) { /* IPv4 attributes contain a subnet mask */ - u_int32_t netmask = 0; + uint32_t netmask = 0; if (mask) - { /* shifting u_int32_t by 32 or more is undefined */ + { /* shifting uint32_t by 32 or more is undefined */ mask = 32 - mask; netmask = htonl((0xFFFFFFFF >> mask) << mask); } diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in index 8ee9f3f92..d533a56b5 100644 --- a/src/libcharon/plugins/attr_sql/Makefile.in +++ b/src/libcharon/plugins/attr_sql/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/attr_sql -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index be19d615e..31e786158 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/certexpire -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -463,7 +477,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/certexpire/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/certexpire/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -779,6 +792,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in index eaf4f1ec9..c312821aa 100644 --- a/src/libcharon/plugins/connmark/Makefile.in +++ b/src/libcharon/plugins/connmark/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/connmark -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -463,7 +477,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c index 607316f7b..29f7cac42 100644 --- a/src/libcharon/plugins/connmark/connmark_listener.c +++ b/src/libcharon/plugins/connmark/connmark_listener.c @@ -24,6 +24,7 @@ #include <libiptc/libiptc.h> #include <linux/netfilter/xt_esp.h> #include <linux/netfilter/xt_tcpudp.h> +#include <linux/netfilter/xt_mark.h> #include <linux/netfilter/xt_MARK.h> #include <linux/netfilter/xt_policy.h> #include <linux/netfilter/xt_CONNMARK.h> @@ -56,7 +57,7 @@ struct private_connmark_listener_t { static bool ts2in(traffic_selector_t *ts, struct in_addr *addr, struct in_addr *mask) { - u_int8_t bits; + uint8_t bits; host_t *net; if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE && 
@@ -119,15 +120,15 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 */
 static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
 struct iptc_handle *ipth, bool add,
- u_int mark, u_int32_t spi,
+ u_int mark, uint32_t spi,
 host_t *dst, host_t *src)
 {
- u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ uint16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
 XT_ALIGN(sizeof(struct xt_udp));
- u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
- u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
 XT_ALIGN(sizeof(struct xt_mark_tginfo2));
- u_int16_t entry_size = target_offset + target_size;
+ uint16_t entry_size = target_offset + target_size;
 u_char ipt[entry_size], *pos = ipt;
 struct ipt_entry *e;
@@ -177,15 +178,15 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
 */
 static bool manage_pre_esp(private_connmark_listener_t *this,
 struct iptc_handle *ipth, bool add,
- u_int mark, u_int32_t spi,
+ u_int mark, uint32_t spi,
 host_t *dst, host_t *src)
 {
- u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ uint16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
 XT_ALIGN(sizeof(struct xt_esp));
- u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
- u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
 XT_ALIGN(sizeof(struct xt_mark_tginfo2));
- u_int16_t entry_size = target_offset + target_size;
+ uint16_t entry_size = target_offset + target_size;
 u_char ipt[entry_size], *pos = ipt;
 struct ipt_entry *e;
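Review bot: The four declarations at the top of manage_pre_esp_in_udp (match_size, target_offset, target_size, entry_size) are repeated verbatim in manage_pre_esp in the next hunk and, per the later hunks of this file, in manage_in and manage_out, differing only in the match/target info struct named in the sizeof. Since every one of these lines is already being rewritten for the uint16_t rename, this is a good moment to fold the arithmetic into one static inline helper or a small macro taking the two info-struct sizes, so a later change to the alignment computation cannot drift between the four copies. A one-line `/* sizes of the match, target and whole ipt_entry; see XT_ALIGN */` comment on the helper would also document what the bare sums mean. The bodies of both functions continue past the hunk.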
@@ -234,7 +235,7 @@ static bool manage_pre_esp(private_connmark_listener_t *this,
 */
 static bool manage_pre(private_connmark_listener_t *this,
 struct iptc_handle *ipth, bool add,
- u_int mark, u_int32_t spi, bool encap,
+ u_int mark, uint32_t spi, bool encap,
 host_t *dst, host_t *src)
 {
 if (encap)
@@ -249,15 +250,15 @@ static bool manage_pre(private_connmark_listener_t *this,
 */
 static bool manage_in(private_connmark_listener_t *this,
 struct iptc_handle *ipth, bool add,
- u_int mark, u_int32_t spi,
+ u_int mark, uint32_t spi,
 traffic_selector_t *dst, traffic_selector_t *src)
 {
- u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ uint16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
 XT_ALIGN(sizeof(struct xt_policy_info));
- u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
- u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
 XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
- u_int16_t entry_size = target_offset + target_size;
+ uint16_t entry_size = target_offset + target_size;
 u_char ipt[entry_size], *pos = ipt;
 struct ipt_entry *e;
@@ -315,12 +316,12 @@ static bool manage_out(private_connmark_listener_t *this, struct iptc_handle *ipth, bool add, traffic_selector_t *dst, traffic_selector_t *src) { - u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + + uint16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + XT_ALIGN(sizeof(struct xt_mark_mtinfo1)); - u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; - u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + + uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; + uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); - u_int16_t entry_size = target_offset + target_size; + uint16_t entry_size = target_offset + target_size; u_char ipt[entry_size], *pos = ipt; struct ipt_entry *e; @@ -401,7 +402,7 @@ static bool manage_policies(private_connmark_listener_t *this, { traffic_selector_t *local, *remote; enumerator_t *enumerator; - u_int32_t spi; + uint32_t spi; u_int mark; bool done = TRUE; diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index 44598c3ea..a71d75518 100644 --- a/src/libcharon/plugins/coupling/Makefile.in +++ b/src/libcharon/plugins/coupling/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/coupling -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -460,7 +474,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/coupling/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/coupling/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -774,6 +787,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 3d39fda29..843d05eae 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/dhcp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -201,12 +210,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -256,6 +267,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -290,6 +302,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -401,6 +414,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -460,7 +474,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/dhcp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/dhcp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index 0fd1d33fd..807c68274 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -151,8 +151,8 @@ typedef enum { * DHCP option encoding, a TLV */ typedef struct __attribute__((packed)) { - u_int8_t type; - u_int8_t len; + uint8_t type; + uint8_t len; char data[]; } dhcp_option_t; 
@@ -160,22 +160,22 @@ typedef struct __attribute__((packed)) {
 * DHCP message format, with a maximum size options buffer
 */
 typedef struct __attribute__((packed)) {
- u_int8_t opcode;
- u_int8_t hw_type;
- u_int8_t hw_addr_len;
- u_int8_t hop_count;
- u_int32_t transaction_id;
- u_int16_t number_of_seconds;
- u_int16_t flags;
- u_int32_t client_address;
- u_int32_t your_address;
- u_int32_t server_address;
- u_int32_t gateway_address;
+ uint8_t opcode;
+ uint8_t hw_type;
+ uint8_t hw_addr_len;
+ uint8_t hop_count;
+ uint32_t transaction_id;
+ uint16_t number_of_seconds;
+ uint16_t flags;
+ uint32_t client_address;
+ uint32_t your_address;
+ uint32_t server_address;
+ uint32_t gateway_address;
 char client_hw_addr[6];
 char client_hw_padding[10];
 char server_hostname[64];
 char boot_filename[128];
- u_int32_t magic_cookie;
+ uint32_t magic_cookie;
 char options[252];
 } dhcp_t;
@@ -191,7 +191,7 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 dhcp_option_t *option;
 int optlen = 0;
 host_t *src;
- u_int32_t id;
+ uint32_t id;
 memset(dhcp, 0, sizeof(*dhcp));
 dhcp->opcode = BOOTREQUEST;
@@ -366,10 +366,10 @@ METHOD(dhcp_socket_t, enroll, dhcp_transaction_t*,
 private_dhcp_socket_t *this, identification_t *identity)
 {
 dhcp_transaction_t *transaction;
- u_int32_t id;
+ uint32_t id;
 int try;
- if (!this->rng->get_bytes(this->rng, sizeof(id), (u_int8_t*)&id))
+ if (!this->rng->get_bytes(this->rng, sizeof(id), (uint8_t*)&id))
 {
 DBG1(DBG_CFG, "DHCP DISCOVER failed, no transaction ID");
 return NULL;
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.c b/src/libcharon/plugins/dhcp/dhcp_transaction.c
index 22d3f3fdf..3ee88a698 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.c
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.c
@@ -32,7 +32,7 @@ struct private_dhcp_transaction_t {
 /**
 * DHCP transaction ID
 */
- u_int32_t id;
+ uint32_t id;
 /**
 * Peer identity
@@ -63,7 +63,7 @@ typedef struct { chunk_t data; } attribute_entry_t; -METHOD(dhcp_transaction_t, get_id, u_int32_t, +METHOD(dhcp_transaction_t, get_id, uint32_t, private_dhcp_transaction_t *this) { return this->id; @@ -157,7 +157,7 @@ METHOD(dhcp_transaction_t, destroy, void, /** * See header */ -dhcp_transaction_t *dhcp_transaction_create(u_int32_t id, +dhcp_transaction_t *dhcp_transaction_create(uint32_t id, identification_t *identity) { private_dhcp_transaction_t *this; diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.h b/src/libcharon/plugins/dhcp/dhcp_transaction.h index 35f08e836..0c614f7b1 100644 --- a/src/libcharon/plugins/dhcp/dhcp_transaction.h +++ b/src/libcharon/plugins/dhcp/dhcp_transaction.h @@ -37,7 +37,7 @@ struct dhcp_transaction_t { * * @return DHCP transaction identifier */ - u_int32_t (*get_id)(dhcp_transaction_t *this); + uint32_t (*get_id)(dhcp_transaction_t *this); /** * Get the peer identity this transaction is used for. @@ -103,7 +103,7 @@ struct dhcp_transaction_t { * @param identity peer identity this transaction is used for * @return transaction instance */ -dhcp_transaction_t *dhcp_transaction_create(u_int32_t id, +dhcp_transaction_t *dhcp_transaction_create(uint32_t id, identification_t *identity); #endif /** DHCP_TRANSACTION_H_ @}*/ diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in index 04fc31a3a..5f035ba35 100644 --- a/src/libcharon/plugins/dnscert/Makefile.in +++ b/src/libcharon/plugins/dnscert/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/dnscert -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/dnscert/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/dnscert/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/dnscert/dnscert.c b/src/libcharon/plugins/dnscert/dnscert.c index 882ad9f0c..b360eac34 100644 --- a/src/libcharon/plugins/dnscert/dnscert.c +++ b/src/libcharon/plugins/dnscert/dnscert.c @@ -41,17 +41,17 @@ struct private_dnscert_t { /** * Certificate type */ - u_int16_t cert_type; + uint16_t cert_type; /** * Key tag */ - u_int16_t key_tag; + uint16_t key_tag; /** * Algorithm */ - u_int8_t algorithm; + uint8_t algorithm; /** * Certificate @@ -65,7 +65,7 @@ METHOD(dnscert_t, get_cert_type, dnscert_type_t, return this->cert_type; } -METHOD(dnscert_t, get_key_tag, u_int16_t, +METHOD(dnscert_t, get_key_tag, uint16_t, private_dnscert_t *this) { return this->key_tag; 
diff --git a/src/libcharon/plugins/dnscert/dnscert.h b/src/libcharon/plugins/dnscert/dnscert.h index 567a9dfac..31a26ff76 100644 --- a/src/libcharon/plugins/dnscert/dnscert.h +++ b/src/libcharon/plugins/dnscert/dnscert.h @@ -119,7 +119,7 @@ struct dnscert_t { * * @return keytag */ - u_int16_t (*get_key_tag)(dnscert_t *this); + uint16_t (*get_key_tag)(dnscert_t *this); /** * Get the algorithm. diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index da4534c21..9e3133b1d 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = duplicheck$(EXEEXT) subdir = src/libcharon/plugins/duplicheck -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -210,12 +219,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -265,6 +276,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -299,6 +311,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -410,6 +423,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -471,7 +485,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/duplicheck/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/duplicheck/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -841,6 +854,8 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/duplicheck/duplicheck.c b/src/libcharon/plugins/duplicheck/duplicheck.c index 7c4cd5ce1..442fa4a99 100644 --- a/src/libcharon/plugins/duplicheck/duplicheck.c +++ b/src/libcharon/plugins/duplicheck/duplicheck.c @@ -71,7 +71,7 @@ int main(int argc, char *argv[]) { char buf[128]; int fd, len; - u_int16_t msglen; + uint16_t msglen; fd = make_connection(); if (fd < 0) diff --git a/src/libcharon/plugins/duplicheck/duplicheck_msg.h b/src/libcharon/plugins/duplicheck/duplicheck_msg.h index 99e297104..0f405746e 100644 --- a/src/libcharon/plugins/duplicheck/duplicheck_msg.h +++ b/src/libcharon/plugins/duplicheck/duplicheck_msg.h @@ -35,7 +35,7 @@ typedef struct duplicheck_msg_t duplicheck_msg_t; */ struct duplicheck_msg_t { /** length of the identity following, in network order (excluding len). */ - u_int16_t len; + uint16_t len; /** identity string, not null terminated */ char identity[]; } __attribute__((__packed__)); diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c index f77b48b09..501d1229f 100644 --- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c +++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c @@ -75,7 +75,7 @@ METHOD(duplicheck_notify_t, send_, void, { enumerator_t *enumerator; stream_t *stream; - u_int16_t nlen; + uint16_t nlen; char buf[512]; int len; diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index b5ffd8c24..8ac12c1f2 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_aka -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -465,7 +479,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -780,6 +793,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c index 810a19c55..3ab053ba6 100644 --- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c +++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c @@ -62,7 +62,7 @@ struct private_eap_aka_peer_t { /** * EAP message identifier */ - u_int8_t identifier; + uint8_t identifier; /** * MSK 
@@ -77,7 +77,7 @@ struct private_eap_aka_peer_t {
 /**
 * Counter value if reauthentication is used
 */
- u_int16_t counter;
+ uint16_t counter;
 };

 /**
@@ -105,7 +105,7 @@ static bool create_client_error(private_eap_aka_peer_t *this,
 eap_payload_t **out)
 {
 simaka_message_t *message;
- u_int16_t encoded;
+ uint16_t encoded;

 DBG1(DBG_IKE, "sending client error '%N'",
 simaka_client_error_names, AKA_UNABLE_TO_PROCESS);
@@ -347,7 +347,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 */
 static bool counter_too_small(private_eap_aka_peer_t *this, chunk_t chunk)
 {
- u_int16_t counter;
+ uint16_t counter;

 memcpy(&counter, chunk.ptr, sizeof(counter));
 counter = htons(counter);
@@ -483,7 +483,7 @@ static status_t process_notification(private_eap_aka_peer_t *this,
 {
 if (type == AT_NOTIFICATION)
 {
- u_int16_t code;
+ uint16_t code;

 memcpy(&code, data.ptr, sizeof(code));
 code = ntohs(code);
@@ -594,7 +594,7 @@ METHOD(eap_method_t, initiate, status_t,
 }

 METHOD(eap_method_t, get_type, eap_type_t,
- private_eap_aka_peer_t *this, u_int32_t *vendor)
+ private_eap_aka_peer_t *this, uint32_t *vendor)
 {
 *vendor = 0;
 return EAP_AKA;
@@ -611,14 +611,14 @@ METHOD(eap_method_t, get_msk, status_t,
 return FAILED;
 }

-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 private_eap_aka_peer_t *this)
 {
 return this->identifier;
 }

 METHOD(eap_method_t, set_identifier, void,
- private_eap_aka_peer_t *this, u_int8_t identifier)
+ private_eap_aka_peer_t *this, uint8_t identifier)
 {
 this->identifier = identifier;
 }
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index 04bfc170b..1ede56757 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -65,7 +65,7 @@ struct private_eap_aka_server_t {
 /**
 * EAP message identifier
 */
- u_int8_t identifier;
+ uint8_t identifier;

 /**
 * Expected Result XRES
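Review bot: counter_too_small() reads sizeof(counter) bytes from chunk.ptr with no check visible in the hunk that chunk.len covers them, and process_notification() below does the same from data.ptr; if the attribute parser does not already enforce the minimum attribute length, a truncated AT_COUNTER or AT_NOTIFICATION from the peer makes memcpy read past the attribute. A guard before the copy, e.g. `if (chunk.len < sizeof(counter)) { return TRUE; }` (treating a malformed counter as too small, assuming the caller falls back to full authentication on TRUE), would keep the function safe regardless of the caller. The same unguarded copy appears in process_client_error() in eap_aka_server.c in the next file section. Both function bodies continue outside the hunk, so the check may already exist there. As a style point, counter is converted with htons() after being read from the wire; ntohs() gives the same result but documents the direction.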
@@ -238,7 +238,7 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
 * Initiate EAP-AKA/Request/Re-authentication message
 */
 static status_t reauthenticate(private_eap_aka_server_t *this,
- char mk[HASH_SIZE_SHA1], u_int16_t counter,
+ char mk[HASH_SIZE_SHA1], uint16_t counter,
 eap_payload_t **out)
 {
 simaka_message_t *message;
@@ -341,7 +341,7 @@ static status_t process_identity(private_eap_aka_server_t *this,
 if (this->use_reauth)
 {
 char mk[HASH_SIZE_SHA1];
- u_int16_t counter;
+ uint16_t counter;

 permanent = this->mgr->provider_is_reauth(this->mgr, id, mk, &counter);
 if (permanent)
@@ -564,7 +564,7 @@ static status_t process_client_error(private_eap_aka_server_t *this,
 {
 if (type == AT_CLIENT_ERROR_CODE)
 {
- u_int16_t code;
+ uint16_t code;

 memcpy(&code, data.ptr, sizeof(code));
 DBG1(DBG_IKE, "received EAP-AKA client error '%N'",
@@ -637,7 +637,7 @@ METHOD(eap_method_t, process, status_t,
 }

 METHOD(eap_method_t, get_type, eap_type_t,
- private_eap_aka_server_t *this, u_int32_t *vendor)
+ private_eap_aka_server_t *this, uint32_t *vendor)
 {
 *vendor = 0;
 return EAP_AKA;
@@ -654,14 +654,14 @@ METHOD(eap_method_t, get_msk, status_t,
 return FAILED;
 }

-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 private_eap_aka_server_t *this)
 {
 return this->identifier;
 }

 METHOD(eap_method_t, set_identifier, void,
- private_eap_aka_server_t *this, u_int8_t identifier)
+ private_eap_aka_server_t *this, uint8_t identifier)
 {
 this->identifier = identifier;
 }
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index e0ad6fe2e..7dc9003c9 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -80,8 +90,6 @@ build_triplet = @build@ host_triplet = @host@ @MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libsimaka/libsimaka.la subdir = src/libcharon/plugins/eap_aka_3gpp2 -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -95,6 +103,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -467,7 +481,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka_3gpp2/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_aka_3gpp2/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -783,6 +796,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
index 93ea8d08c..cfe6407b0 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
@@ -54,7 +54,7 @@ static chunk_t fmk = chunk_from_chars(0x41, 0x48, 0x41, 0x47); /** * Binary represnation of the polynom T^160 + T^5 + T^3 + T^2 + 1 */ -static u_int8_t g[] = { +static uint8_t g[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d @@ -63,7 +63,7 @@ static u_int8_t g[] = { /** * Predefined random bits from the RAND Corporation book */ -static u_int8_t a[] = { +static uint8_t a[] = { 0x9d, 0xe9, 0xc9, 0xc8, 0xef, 0xd5, 0x78, 0x11, 0x48, 0x23, 0x14, 0x01, 0x90, 0x1f, 0x2d, 0x49, 0x3f, 0x4c, 0x63, 0x65 @@ -72,7 +72,7 @@ static u_int8_t a[] = { /** * Predefined random bits from the RAND Corporation book */ -static u_int8_t b[] = { +static uint8_t b[] = { 0x75, 0xef, 0xd1, 0x5c, 0x4b, 0x8f, 0x8f, 0x51, 0x4e, 0xf3, 0xbc, 0xc3, 0x79, 0x4a, 0x76, 0x5e, 0x7e, 0xec, 0x45, 0xe0
@@ -171,7 +171,7 @@ static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
 * XOR the key into the SHA1 IV
 */
 static bool step3(prf_t *prf, u_char k[AKA_K_LEN],
- u_char payload[AKA_PAYLOAD_LEN], u_int8_t h[HASH_SIZE_SHA1])
+ u_char payload[AKA_PAYLOAD_LEN], uint8_t h[HASH_SIZE_SHA1])
 {
 /* use the keyed hasher to build the hash */
 return prf->set_key(prf, chunk_create(k, AKA_K_LEN)) &&
@@ -243,7 +243,7 @@ static bool fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN], /** * Calculation function of f1() and f1star() */ -static bool f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN], +static bool f1x(prf_t *prf, uint8_t f, u_char k[AKA_K_LEN], u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN], u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]) {
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index 821f6de6c..f81d54fc2 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_dynamic -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -460,7 +474,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_dynamic/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_dynamic/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -774,6 +787,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
index 3216446af..d0f0595de 100644
--- a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -73,7 +73,7 @@ static bool entry_matches(eap_vendor_type_t *item, eap_vendor_type_t *other)
 * Load the given EAP method
 */
 static eap_method_t *load_method(private_eap_dynamic_t *this,
- eap_type_t type, u_int32_t vendor)
+ eap_type_t type, uint32_t vendor)
 {
 eap_method_t *method;

@@ -171,7 +171,7 @@ METHOD(eap_method_t, process, status_t,
 private_eap_dynamic_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 eap_type_t received_type, type;
- u_int32_t received_vendor, vendor;
+ uint32_t received_vendor, vendor;

 received_type = in->get_type(in, &received_vendor);
 if (received_vendor == 0 && received_type == EAP_NAK)
@@ -225,7 +225,7 @@ METHOD(eap_method_t, process, status_t,
 }

 METHOD(eap_method_t, get_type, eap_type_t,
- private_eap_dynamic_t *this, u_int32_t *vendor)
+ private_eap_dynamic_t *this, uint32_t *vendor)
 {
 if (this->method)
 {
@@ -245,7 +245,7 @@ METHOD(eap_method_t, get_msk, status_t,
 return FAILED;
 }

-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 private_eap_dynamic_t *this)
 {
 if (this->method)
@@ -256,7 +256,7 @@ METHOD(eap_method_t, get_identifier, u_int8_t,
 }

 METHOD(eap_method_t, set_identifier, void,
- private_eap_dynamic_t *this, u_int8_t identifier)
+ private_eap_dynamic_t *this, uint8_t identifier)
 {
 if (this->method)
 {
@@ -335,7 +335,7 @@ static void get_supported_eap_types(private_eap_dynamic_t *this)
 {
 enumerator_t *enumerator;
 eap_type_t type;
- u_int32_t vendor;
+ uint32_t vendor;

 enumerator = charon->eap->create_enumerator(charon->eap, EAP_SERVER);
 while (enumerator->enumerate(enumerator, &type, &vendor))
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index cfd7c4e24..f11d86051 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_gtc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -202,12 +211,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -257,6 +268,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -291,6 +303,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -402,6 +415,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -459,7 +473,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_gtc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_gtc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -773,6 +786,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index 5fcd9ebc9..6f5c38edd 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -46,7 +46,7 @@ struct private_eap_gtc_t {
 /**
 * EAP message identififier
 */
- u_int8_t identifier;
+ uint8_t identifier;
 };

 typedef struct eap_gtc_header_t eap_gtc_header_t;
@@ -56,15 +56,15 @@ typedef struct eap_gtc_header_t eap_gtc_header_t;
 */
 struct eap_gtc_header_t {
 /** EAP code (REQUEST/RESPONSE) */
- u_int8_t code;
+ uint8_t code;
 /** unique message identifier */
- u_int8_t identifier;
+ uint8_t identifier;
 /** length of whole message */
- u_int16_t length;
+ uint16_t length;
 /** EAP type */
- u_int8_t type;
+ uint8_t type;
 /** type data */
- u_int8_t data[];
+ uint8_t data[];
 } __attribute__((__packed__));

 METHOD(eap_method_t, initiate_peer, status_t,
@@ -186,7 +186,7 @@ METHOD(eap_method_t, process_server, status_t,
 }

 METHOD(eap_method_t, get_type, eap_type_t,
- private_eap_gtc_t *this, u_int32_t *vendor)
+ private_eap_gtc_t *this, uint32_t *vendor)
 {
 *vendor = 0;
 return EAP_GTC;
@@ -198,14 +198,14 @@ METHOD(eap_method_t, get_msk, status_t,
 return FAILED;
 }

-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 private_eap_gtc_t *this)
 {
 return this->identifier;
 }

 METHOD(eap_method_t, set_identifier, void,
- private_eap_gtc_t *this, u_int8_t identifier)
+ private_eap_gtc_t *this, uint8_t identifier)
 {
 this->identifier = identifier;
 }
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 1c544f360..e9755aa71 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_identity -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -460,7 +474,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_identity/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_identity/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -774,6 +787,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c
index 6ecde065c..7d6dc4add 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity.c
@@ -43,7 +43,7 @@ struct private_eap_identity_t {
 /**
 * EAP identifier
 */
- u_int8_t identifier;
+ uint8_t identifier;
 };

 typedef struct eap_identity_header_t eap_identity_header_t;
@@ -53,15 +53,15 @@ typedef struct eap_identity_header_t eap_identity_header_t;
 */
 struct eap_identity_header_t {
 /** EAP code (REQUEST/RESPONSE) */
- u_int8_t code;
+ uint8_t code;
 /** unique message identifier */
- u_int8_t identifier;
+ uint8_t identifier;
 /** length of whole message */
- u_int16_t length;
+ uint16_t length;
 /** EAP type */
- u_int8_t type;
+ uint8_t type;
 /** identity data */
- u_int8_t data[];
+ uint8_t data[];
 } __attribute__((__packed__));

 METHOD(eap_method_t, process_peer, status_t,
@@ -124,7 +124,7 @@ METHOD(eap_method_t, initiate_server, status_t,
 }

 METHOD(eap_method_t, get_type, eap_type_t,
- private_eap_identity_t *this, u_int32_t *vendor)
+ private_eap_identity_t *this, uint32_t *vendor)
 {
 *vendor = 0;
 return EAP_IDENTITY;
@@ -141,14 +141,14 @@ METHOD(eap_method_t, get_msk, status_t,
 return FAILED;
 }

-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 private_eap_identity_t *this)
 {
 return this->identifier;
 }

 METHOD(eap_method_t, set_identifier, void,
- private_eap_identity_t *this, u_int8_t identifier)
+ private_eap_identity_t *this, uint8_t identifier)
 {
 this->identifier = identifier;
 }
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index e967262b6..82ba96d26 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_md5 -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -202,12 +211,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -257,6 +268,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -291,6 +303,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -402,6 +415,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -459,7 +473,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_md5/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_md5/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -773,6 +786,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index d314e7a9e..2cb0db466 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -49,7 +49,7 @@ struct private_eap_md5_t {
 /**
 * EAP message identifier
 */
- u_int8_t identifier;
+ uint8_t identifier;
 };

 typedef struct eap_md5_header_t eap_md5_header_t;
@@ -59,17 +59,17 @@ typedef struct eap_md5_header_t eap_md5_header_t;
 */
 struct eap_md5_header_t {
 /** EAP code (REQUEST/RESPONSE) */
- u_int8_t code;
+ uint8_t code;
 /** unique message identifier */
- u_int8_t identifier;
+ uint8_t identifier;
 /** length of whole message */
- u_int16_t length;
+ uint16_t length;
 /** EAP type */
- u_int8_t type;
+ uint8_t type;
 /** length of value (challenge) */
- u_int8_t value_size;
+ uint8_t value_size;
 /** actual value */
- u_int8_t value[];
+ uint8_t value[];
 } __attribute__((__packed__));

 #define CHALLENGE_LEN 16
@@ -204,7 +204,7 @@ METHOD(eap_method_t, process_server, status_t,
 }

 METHOD(eap_method_t, get_type, eap_type_t,
- private_eap_md5_t *this, u_int32_t *vendor)
+ private_eap_md5_t *this, uint32_t *vendor)
 {
 *vendor = 0;
 return EAP_MD5;
@@ -222,14 +222,14 @@ METHOD(eap_method_t, is_mutual, bool,
 return FALSE;
 }

-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 private_eap_md5_t *this)
 {
 return this->identifier;
 }

 METHOD(eap_method_t, set_identifier, void,
- private_eap_md5_t *this, u_int8_t identifier)
+ private_eap_md5_t *this, uint8_t identifier)
 {
 this->identifier = identifier;
 }
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index d96343a5c..c3b31cd9a 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_mschapv2 -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_mschapv2/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_mschapv2/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 16978f486..12f61f7f8 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -70,12 +70,12 @@ struct private_eap_mschapv2_t /** * EAP message identifier */ - u_int8_t identifier; + uint8_t identifier; /** * MS-CHAPv2-ID (session ID, increases with each retry) */ - u_int8_t mschapv2id; + uint8_t mschapv2id; /** * Number of retries 
@@ -179,21 +179,21 @@ typedef struct eap_mschapv2_response_t eap_mschapv2_response_t; struct eap_mschapv2_header_t { /** EAP code (REQUEST/RESPONSE) */ - u_int8_t code; + uint8_t code; /** unique message identifier */ - u_int8_t identifier; + uint8_t identifier; /** length of whole message */ - u_int16_t length; + uint16_t length; /** EAP type */ - u_int8_t type; + uint8_t type; /** MS-CHAPv2 OpCode */ - u_int8_t opcode; + uint8_t opcode; /** MS-CHAPv2-ID (equals identifier) */ - u_int8_t ms_chapv2_id; + uint8_t ms_chapv2_id; /** MS-Length (defined as length - 5) */ - u_int16_t ms_length; + uint16_t ms_length; /** packet data (determined by OpCode) */ - u_int8_t data[]; + uint8_t data[]; }__attribute__((__packed__)); /** @@ -202,11 +202,11 @@ struct eap_mschapv2_header_t struct eap_mschapv2_challenge_t { /** Value-Size */ - u_int8_t value_size; + uint8_t value_size; /** Challenge */ - u_int8_t challenge[CHALLENGE_LEN]; + uint8_t challenge[CHALLENGE_LEN]; /** Name */ - u_int8_t name[]; + uint8_t name[]; }__attribute__((__packed__)); /** @@ -215,21 +215,21 @@ struct eap_mschapv2_challenge_t struct eap_mschapv2_response_t { /** Value-Size */ - u_int8_t value_size; + uint8_t value_size; /** Response */ struct { /* Peer-Challenge*/ - u_int8_t peer_challenge[CHALLENGE_LEN]; + uint8_t peer_challenge[CHALLENGE_LEN]; /* Reserved (=zero) */ - u_int8_t peer_reserved[8]; + uint8_t peer_reserved[8]; /* NT-Response */ - u_int8_t nt_response[24]; + uint8_t nt_response[24]; /* Flags (=zero) */ - u_int8_t flags; + uint8_t flags; } response; /** Name */ - u_int8_t name[]; + uint8_t name[]; }__attribute__((__packed__)); /** 
@@ -597,10 +597,10 @@ static chunk_t extract_username(chunk_t id) /** * Set the ms_length field using aligned write */ -static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len) +static void set_ms_length(eap_mschapv2_header_t *eap, uint16_t len) { len = htons(len - 5); - memcpy(&eap->ms_length, &len, sizeof(u_int16_t)); + memcpy(&eap->ms_length, &len, sizeof(uint16_t)); } METHOD(eap_method_t, initiate_peer, status_t, @@ -617,7 +617,7 @@ METHOD(eap_method_t, initiate_server, status_t, eap_mschapv2_header_t *eap; eap_mschapv2_challenge_t *cha; const char *name = MSCHAPV2_HOST_NAME; - u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1; + uint16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1; rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); if (!rng || !rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge)) @@ -690,7 +690,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this, eap_mschapv2_challenge_t *cha; eap_mschapv2_response_t *res; chunk_t data, peer_challenge, userid, username, nt_hash; - u_int16_t len = RESPONSE_PAYLOAD_LEN; + uint16_t len = RESPONSE_PAYLOAD_LEN; data = in->get_data(in); eap = (eap_mschapv2_header_t*)data.ptr; @@ -779,7 +779,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this, chunk_t data, auth_string = chunk_empty; char *message, *token, *msg = NULL; int message_len; - u_int16_t len = SHORT_HEADER_LEN; + uint16_t len = SHORT_HEADER_LEN; data = in->get_data(in); eap = (eap_mschapv2_header_t*)data.ptr; @@ -1011,7 +1011,7 @@ static status_t process_server_retry(private_eap_mschapv2_t *this, rng_t *rng; chunk_t hex; char msg[FAILURE_MESSAGE_LEN]; - u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */ + uint16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */ if (++this->retries > MAX_RETRIES) { 
@@ -1127,7 +1127,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this, { chunk_t hex; char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)]; - u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE); + uint16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE); eap = alloca(len); eap->code = EAP_REQUEST; @@ -1213,7 +1213,7 @@ METHOD(eap_method_t, process_server, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_mschapv2_t *this, u_int32_t *vendor) + private_eap_mschapv2_t *this, uint32_t *vendor) { *vendor = 0; return EAP_MSCHAPV2; @@ -1230,14 +1230,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_mschapv2_t *this) { return this->identifier; } METHOD(eap_method_t, set_identifier, void, - private_eap_mschapv2_t *this, u_int8_t identifier) + private_eap_mschapv2_t *this, uint8_t identifier) { this->identifier = identifier; } diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index 0f920fef8..2a01a369f 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_peap -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -467,7 +481,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_peap/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_peap/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -784,6 +797,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c index c24dd578c..4778a0977 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap.c +++ b/src/libcharon/plugins/eap_peap/eap_peap.c @@ -76,7 +76,7 @@ METHOD(eap_method_t, process, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_peap_t *this, u_int32_t *vendor) + private_eap_peap_t *this, uint32_t *vendor) { *vendor = 0; return EAP_PEAP; 
@@ -93,14 +93,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_peap_t *this) { return this->tls_eap->get_identifier(this->tls_eap); } METHOD(eap_method_t, set_identifier, void, - private_eap_peap_t *this, u_int8_t identifier) + private_eap_peap_t *this, uint8_t identifier) { this->tls_eap->set_identifier(this->tls_eap, identifier); } diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.c b/src/libcharon/plugins/eap_peap/eap_peap_avp.c index 3f541ba23..d5ce5fbc1 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap_avp.c +++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.c @@ -47,7 +47,7 @@ struct private_eap_peap_avp_t { METHOD(eap_peap_avp_t, build, void, private_eap_peap_avp_t *this, bio_writer_t *writer, chunk_t data) { - u_int8_t code; + uint8_t code; eap_packet_t *pkt; chunk_t avp_data; @@ -71,10 +71,10 @@ METHOD(eap_peap_avp_t, build, void, METHOD(eap_peap_avp_t, process, status_t, private_eap_peap_avp_t* this, bio_reader_t *reader, chunk_t *data, - u_int8_t identifier) + uint8_t identifier) { - u_int8_t code; - u_int16_t len; + uint8_t code; + uint16_t len; eap_packet_t *pkt; chunk_t avp_data; diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.h b/src/libcharon/plugins/eap_peap/eap_peap_avp.h index 98c5f1912..cc5930b62 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap_avp.h +++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.h @@ -45,7 +45,7 @@ struct eap_peap_avp_t { * - NEED_MORE if another invocation of process/build needed */ status_t (*process)(eap_peap_avp_t *this, bio_reader_t *reader, - chunk_t *data, u_int8_t identifier); + chunk_t *data, uint8_t identifier); /** * Build EAP-PEAP Message AVP to send out. diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c index f482c5b54..2668ac432 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c 
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c @@ -71,7 +71,7 @@ METHOD(tls_application_t, process, status_t, eap_payload_t *in; eap_code_t code; eap_type_t type, received_type; - u_int32_t vendor, received_vendor; + uint32_t vendor, received_vendor; status = this->avp->process(this->avp, reader, &data, this->ph1_method->get_identifier(this->ph1_method)); @@ -191,7 +191,7 @@ METHOD(tls_application_t, build, status_t, chunk_t data; eap_code_t code; eap_type_t type; - u_int32_t vendor; + uint32_t vendor; if (this->out) { diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c index 33b01e95e..7f8348e06 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap_server.c +++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c @@ -167,7 +167,7 @@ METHOD(tls_application_t, process, status_t, eap_payload_t *in; eap_code_t code; eap_type_t type = EAP_NAK, received_type; - u_int32_t vendor, received_vendor; + uint32_t vendor, received_vendor; status = this->avp->process(this->avp, reader, &data, this->ph1_method->get_identifier(this->ph1_method)); @@ -336,7 +336,7 @@ METHOD(tls_application_t, build, status_t, chunk_t data; eap_code_t code; eap_type_t type; - u_int32_t vendor; + uint32_t vendor; if (this->ph2_method == NULL && this->start_phase2 && this->start_phase2_id) { diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 881a5b7e3..cdba38cde 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_radius -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -470,7 +484,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_radius/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_radius/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -789,6 +802,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 237f065fa..a2530e653 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -55,12 +55,12 @@ struct private_eap_radius_t { /** * EAP vendor, if any */ - u_int32_t vendor; + uint32_t vendor; /** * EAP message identifier */ - u_int8_t identifier; + uint8_t identifier; /** * RADIUS client instance 
@@ -86,15 +86,15 @@ static void add_eap_identity(private_eap_radius_t *this, { struct { /** EAP code (REQUEST/RESPONSE) */ - u_int8_t code; + uint8_t code; /** unique message identifier */ - u_int8_t identifier; + uint8_t identifier; /** length of whole message */ - u_int16_t length; + uint16_t length; /** EAP type */ - u_int8_t type; + uint8_t type; /** identity data */ - u_int8_t data[]; + uint8_t data[]; } __attribute__((__packed__)) *hdr; chunk_t id, prefix; size_t len; @@ -156,7 +156,7 @@ void eap_radius_build_attributes(radius_message_t *request) ike_sa_t *ike_sa; host_t *host; char buf[40], *station_id_fmt;; - u_int32_t value; + uint32_t value; chunk_t chunk; /* virtual NAS-Port-Type */ @@ -314,8 +314,8 @@ static void process_filter_id(radius_message_t *msg) { enumerator_t *enumerator; int type; - u_int8_t tunnel_tag; - u_int32_t tunnel_type; + uint8_t tunnel_tag; + uint32_t tunnel_type; chunk_t filter_id = chunk_empty, data; bool is_esp_tunnel = FALSE; @@ -395,7 +395,7 @@ static void process_timeout(radius_message_t *msg) /** * Add a Cisco Unity configuration attribute */ -static void add_unity_attribute(eap_radius_provider_t *provider, u_int32_t id, +static void add_unity_attribute(eap_radius_provider_t *provider, uint32_t id, int type, chunk_t data) { switch (type) @@ -417,7 +417,7 @@ static void add_unity_attribute(eap_radius_provider_t *provider, u_int32_t id, * Add a DNS/NBNS configuration attribute */ static void add_nameserver_attribute(eap_radius_provider_t *provider, - u_int32_t id, int type, chunk_t data) + uint32_t id, int type, chunk_t data) { /* these are from different vendors, but there is currently no conflict */ switch (type) 
@@ -444,7 +444,7 @@ static void add_nameserver_attribute(eap_radius_provider_t *provider, * Add a UNITY_LOCAL_LAN or UNITY_SPLIT_INCLUDE attribute */ static void add_unity_split_attribute(eap_radius_provider_t *provider, - u_int32_t id, configuration_attribute_type_t type, + uint32_t id, configuration_attribute_type_t type, chunk_t data) { enumerator_t *enumerator; @@ -701,7 +701,7 @@ METHOD(eap_method_t, process, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_radius_t *this, u_int32_t *vendor) + private_eap_radius_t *this, uint32_t *vendor) { *vendor = this->vendor; return this->type; @@ -721,14 +721,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_radius_t *this) { return this->identifier; } METHOD(eap_method_t, set_identifier, void, - private_eap_radius_t *this, u_int8_t identifier) + private_eap_radius_t *this, uint8_t identifier) { this->identifier = identifier; } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 4b7260349..0c302af51 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -54,7 +54,7 @@ struct private_eap_radius_accounting_t { /** * Session ID prefix */ - u_int32_t prefix; + uint32_t prefix; /** * Format string we use for Called/Calling-Station-Id for a host @@ -101,8 +101,8 @@ typedef enum { */ typedef struct { struct { - u_int64_t sent; - u_int64_t received; + uint64_t sent; + uint64_t received; } bytes, packets; } usage_t; @@ -133,7 +133,7 @@ static inline void sub_usage(usage_t *a, usage_t b) */ typedef struct { /** unique CHILD_SA identifier */ - u_int32_t id; + uint32_t id; /** usage stats for this SA */ usage_t usage; } sa_entry_t; 
@@ -172,7 +172,7 @@ typedef struct { radius_acct_terminate_cause_t cause; /* interim interval and timestamp of last update */ struct { - u_int32_t interval; + uint32_t interval; time_t last; } interim; /** did we send Accounting-Start */ @@ -237,7 +237,7 @@ static int sa_find(const void *a, const void *b) /** * Update or create usage counters of a cached SA */ -static void update_sa(entry_t *entry, u_int32_t id, usage_t usage) +static void update_sa(entry_t *entry, uint32_t id, usage_t usage) { sa_entry_t *sa, lookup; @@ -402,7 +402,7 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, host_t *vip, *host; char buf[MAX_RADIUS_ATTRIBUTE_SIZE + 1]; chunk_t data; - u_int32_t value; + uint32_t value; /* virtual NAS-Port-Type */ value = htonl(5); @@ -461,7 +461,7 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, * Get an existing or create a new entry from the locked session table */ static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this, - ike_sa_id_t *id, u_int32_t unique) + ike_sa_id_t *id, uint32_t unique) { entry_t *entry; time_t now; @@ -520,7 +520,7 @@ static job_requeue_t send_interim(interim_data_t *data) enumerator_t *enumerator; ike_sa_t *ike_sa; entry_t *entry; - u_int32_t value; + uint32_t value; array_t *stats; sa_entry_t *sa, *found; @@ -681,7 +681,7 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) { radius_message_t *message; entry_t *entry; - u_int32_t value; + uint32_t value; if (this->acct_req_vip && !has_vip(ike_sa)) { @@ -735,7 +735,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) enumerator_t *enumerator; entry_t *entry; sa_entry_t *sa; - u_int32_t value; + uint32_t value; this->mutex->lock(this->mutex); entry = this->sessions->remove(this->sessions, ike_sa->get_id(ike_sa)); 
@@ -931,7 +931,7 @@ METHOD(listener_t, child_rekey, bool, METHOD(listener_t, children_migrate, bool, private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, ike_sa_id_t *new, - u_int32_t unique) + uint32_t unique) { enumerator_t *enumerator; sa_entry_t *sa, *sa_new, *cached; @@ -1020,7 +1020,7 @@ eap_radius_accounting_t *eap_radius_accounting_create() .destroy = _destroy, }, /* use system time as Session ID prefix */ - .prefix = (u_int32_t)time(NULL), + .prefix = (uint32_t)time(NULL), .sessions = hashtable_create((hashtable_hash_t)hash, (hashtable_equals_t)equals, 32), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), @@ -1050,7 +1050,7 @@ eap_radius_accounting_t *eap_radius_accounting_create() /** * See header */ -void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval) +void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval) { if (singleton) { diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index 8d4f9a0e1..f7a19c9b5 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -52,6 +52,6 @@ eap_radius_accounting_t *eap_radius_accounting_create(); * @param ike_sa IKE_SA to send updates for * @param interval interval for interim updates */ -void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval); +void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval); #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_dae.c b/src/libcharon/plugins/eap_radius/eap_radius_dae.c index a0bf99efd..fc9b39c3e 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_dae.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_dae.c 
@@ -293,7 +293,7 @@ static void process_disconnect(private_eap_radius_dae_t *this, * Apply a new lifetime to an IKE_SA */ static void apply_lifetime(private_eap_radius_dae_t *this, ike_sa_id_t *id, - u_int32_t lifetime) + uint32_t lifetime) { ike_sa_t *ike_sa; @@ -323,7 +323,7 @@ static void process_coa(private_eap_radius_dae_t *this, ike_sa_id_t *id; chunk_t data; int type; - u_int32_t lifetime = 0; + uint32_t lifetime = 0; bool lifetime_seen = FALSE; ids = get_matching_ike_sas(this, request, client); diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c index 52ea84070..919e861be 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c @@ -63,9 +63,9 @@ struct private_eap_radius_forward_t { */ typedef struct { /** vendor ID, 0 for standard attributes */ - u_int32_t vendor; + uint32_t vendor; /** attribute type */ - u_int8_t type; + uint8_t type; } attr_t; /** @@ -132,7 +132,7 @@ static bool is_attribute_selected(linked_list_t *selector, radius_attribute_type_t type, chunk_t data) { enumerator_t *enumerator; - u_int32_t vendor = 0; + uint32_t vendor = 0; attr_t *sel; bool found = FALSE; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 0f207fbe6..9a87ad38d 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -469,7 +469,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, } METHOD(eap_radius_provider_t, add_framed_ip, void, - private_eap_radius_provider_t *this, u_int32_t id, host_t *ip) + private_eap_radius_provider_t *this, uint32_t id, host_t *ip) { this->listener.mutex->lock(this->listener.mutex); add_addr(this, this->listener.unclaimed, id, ip); 
@@ -477,7 +477,7 @@ METHOD(eap_radius_provider_t, add_framed_ip, void, } METHOD(eap_radius_provider_t, add_attribute, void, - private_eap_radius_provider_t *this, u_int32_t id, + private_eap_radius_provider_t *this, uint32_t id, configuration_attribute_type_t type, chunk_t data) { attr_t *attr; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h index 5a62f4a38..80971bddb 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h @@ -42,7 +42,7 @@ struct eap_radius_provider_t { * @param id IKE_SA unique identifier * @param ip IP address received from RADIUS server, gets owned */ - void (*add_framed_ip)(eap_radius_provider_t *this, u_int32_t id, + void (*add_framed_ip)(eap_radius_provider_t *this, uint32_t id, host_t *ip); /** @@ -52,7 +52,7 @@ struct eap_radius_provider_t { * @param type attribute type * @param data attribute data */ - void (*add_attribute)(eap_radius_provider_t *this, u_int32_t id, + void (*add_attribute)(eap_radius_provider_t *this, uint32_t id, configuration_attribute_type_t type, chunk_t data); /** diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index aaa24bb17..f1b8adb71 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_sim -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -465,7 +479,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -780,6 +793,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c index 2637b4314..37f8a879e 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c @@ -64,7 +64,7 @@ struct private_eap_sim_peer_t { /** * EAP message identifier */ - u_int8_t identifier; + uint8_t identifier; /** * EAP-SIM crypto helper @@ -99,7 +99,7 @@ struct private_eap_sim_peer_t { /** * Counter value if reauthentication is used */ - u_int16_t counter; + uint16_t counter; }; /* version of SIM protocol we speak */ 
@@ -130,7 +130,7 @@ static bool create_client_error(private_eap_sim_peer_t *this, simaka_client_error_t code, eap_payload_t **out) { simaka_message_t *message; - u_int16_t encoded; + uint16_t encoded; DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code); @@ -404,7 +404,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this, */ static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk) { - u_int16_t counter; + uint16_t counter; memcpy(&counter, chunk.ptr, sizeof(counter)); counter = htons(counter); @@ -540,7 +540,7 @@ static status_t process_notification(private_eap_sim_peer_t *this, { if (type == AT_NOTIFICATION) { - u_int16_t code; + uint16_t code; memcpy(&code, data.ptr, sizeof(code)); code = ntohs(code); @@ -650,7 +650,7 @@ METHOD(eap_method_t, initiate, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_sim_peer_t *this, u_int32_t *vendor) + private_eap_sim_peer_t *this, uint32_t *vendor) { *vendor = 0; return EAP_SIM; @@ -667,14 +667,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_sim_peer_t *this) { return this->identifier; } METHOD(eap_method_t, set_identifier, void, - private_eap_sim_peer_t *this, u_int8_t identifier) + private_eap_sim_peer_t *this, uint8_t identifier) { this->identifier = identifier; } diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c index 5aa54db3e..3b413cfc6 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_server.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c @@ -67,7 +67,7 @@ struct private_eap_sim_server_t { /** * unique EAP identifier */ - u_int8_t identifier; + uint8_t identifier; /** * concatenated SRES values 
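Review bot: counter_too_small converts the wire value with `counter = htons(counter);` while process_notification, two hunks further down in the same file, uses `code = ntohs(code);` for the identical memcpy-then-convert pattern; both swap bytes the same way, but ntohs states the intent (network to host order) and keeps the two readers consistent, so `counter = ntohs(counter);` is preferable. Neither hunk shows a check that the chunk or data it copies from holds at least sizeof(uint16_t) bytes, so whether the upstream attribute parser guarantees that length is an assumption to confirm; a `chunk.len < sizeof(counter)` guard, or a comment stating the parser's length guarantee, would make the read's safety explicit. The same unguarded memcpy pattern appears in process_client_error in eap_sim_server.c. Both functions' bodies continue beyond their hunks.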
@@ -163,7 +163,7 @@ METHOD(eap_method_t, initiate, status_t, * Initiate EAP-SIM/Request/Re-authentication message */ static status_t reauthenticate(private_eap_sim_server_t *this, - char mk[HASH_SIZE_SHA1], u_int16_t counter, + char mk[HASH_SIZE_SHA1], uint16_t counter, eap_payload_t **out) { simaka_message_t *message; @@ -328,7 +328,7 @@ static status_t process_start(private_eap_sim_server_t *this, if (this->use_reauth && !nonce.len) { char mk[HASH_SIZE_SHA1]; - u_int16_t counter; + uint16_t counter; permanent = this->mgr->provider_is_reauth(this->mgr, id, mk, &counter); @@ -495,7 +495,7 @@ static status_t process_client_error(private_eap_sim_server_t *this, { if (type == AT_CLIENT_ERROR_CODE) { - u_int16_t code; + uint16_t code; memcpy(&code, data.ptr, sizeof(code)); DBG1(DBG_IKE, "received EAP-SIM client error '%N'", @@ -551,7 +551,7 @@ METHOD(eap_method_t, process, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_sim_server_t *this, u_int32_t *vendor) + private_eap_sim_server_t *this, uint32_t *vendor) { *vendor = 0; return EAP_SIM; @@ -568,14 +568,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_sim_server_t *this) { return this->identifier; } METHOD(eap_method_t, set_identifier, void, - private_eap_sim_server_t *this, u_int8_t identifier) + private_eap_sim_server_t *this, uint8_t identifier) { this->identifier = identifier; } diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 6e61f99de..40ff9f245 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_sim_file -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -468,7 +482,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_file/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_file/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -784,6 +797,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index e821e3ee2..354c7a12d 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -80,8 +90,6 @@ build_triplet = @build@ host_triplet = @host@ @MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libsimaka/libsimaka.la subdir = src/libcharon/plugins/eap_sim_pcsc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -95,6 +103,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -206,12 +215,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -261,6 +272,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -295,6 +307,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -406,6 +419,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -468,7 +482,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_pcsc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_sim_pcsc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -782,6 +795,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index b883f0abd..4e3105ffd 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_simaka_pseudonym -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -206,12 +215,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -261,6 +272,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -295,6 +307,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -406,6 +419,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -467,7 +481,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_pseudonym/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_pseudonym/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -782,6 +795,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c index b5bbdd60f..758bce4d9 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c +++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -31,17 +32,32 @@ struct private_eap_simaka_pseudonym_card_t { eap_simaka_pseudonym_card_t public; /** - * Permanent -> pseudonym mappings + * Permanent -> pseudonym mappings (entry_t*) */ hashtable_t *pseudonym; - - /** - * Reverse pseudonym -> permanent mappings - */ - hashtable_t *permanent; }; /** + * Mapping between real and pseudonym identity + */ +typedef struct { + + /** Real identity */ + identification_t *id; + + /** Pseudonym */ + identification_t *pseudonym; + +} entry_t; + +static void destroy_entry(entry_t *this) +{ + this->id->destroy(this->id); + this->pseudonym->destroy(this->pseudonym); + free(this); +} + +/** * hashtable hash function */ static u_int hash(identification_t *key) @@ -60,12 +76,12 @@ static bool equals(identification_t *key1, identification_t *key2) METHOD(simaka_card_t, get_pseudonym, identification_t*, private_eap_simaka_pseudonym_card_t *this, identification_t *id) { - identification_t *pseudonym; + entry_t *entry; - pseudonym = this->pseudonym->get(this->pseudonym, id); - if (pseudonym) + entry = this->pseudonym->get(this->pseudonym, id); + if (entry) { - return pseudonym->clone(pseudonym); + return entry->pseudonym->clone(entry->pseudonym); } return NULL; } 
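Review bot: destroy_entry is added without a header comment, although the neighbouring hash function and the entry_t fields each carry one; add `/** Destroy a permanent/pseudonym mapping together with both identities it owns */` above it. The `(entry_t*)` annotation on the pseudonym field hints at the new layout but does not spell it out; stating that the table maps `entry->id` to the `entry_t` that owns it would save the next reader from reconstructing the ownership from set_pseudonym and destroy.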
@@ -74,17 +90,17 @@ METHOD(simaka_card_t, set_pseudonym, void, private_eap_simaka_pseudonym_card_t *this, identification_t *id, identification_t *pseudonym) { - identification_t *permanent; - - /* create new entries */ - id = id->clone(id); - pseudonym = pseudonym->clone(pseudonym); - permanent = this->permanent->put(this->permanent, pseudonym, id); - pseudonym = this->pseudonym->put(this->pseudonym, id, pseudonym); + entry_t *entry; - /* delete old entries */ - DESTROY_IF(permanent); - DESTROY_IF(pseudonym); + INIT(entry, + .id = id->clone(id), + .pseudonym = pseudonym->clone(pseudonym), + ); + entry = this->pseudonym->put(this->pseudonym, entry->id, entry); + if (entry) + { + destroy_entry(entry); + } } METHOD(simaka_card_t, get_quintuplet, status_t, @@ -98,26 +114,7 @@ METHOD(simaka_card_t, get_quintuplet, status_t, METHOD(eap_simaka_pseudonym_card_t, destroy, void, private_eap_simaka_pseudonym_card_t *this) { - enumerator_t *enumerator; - identification_t *id; - void *key; - - enumerator = this->pseudonym->create_enumerator(this->pseudonym); - while (enumerator->enumerate(enumerator, &key, &id)) - { - id->destroy(id); - } - enumerator->destroy(enumerator); - - enumerator = this->permanent->create_enumerator(this->permanent); - while (enumerator->enumerate(enumerator, &key, &id)) - { - id->destroy(id); - } - enumerator->destroy(enumerator); - - this->pseudonym->destroy(this->pseudonym); - this->permanent->destroy(this->permanent); + this->pseudonym->destroy_function(this->pseudonym, (void*)destroy_entry); free(this); } @@ -142,9 +139,6 @@ eap_simaka_pseudonym_card_t *eap_simaka_pseudonym_card_create() .destroy = _destroy, }, .pseudonym = hashtable_create((void*)hash, (void*)equals, 0), - .permanent = hashtable_create((void*)hash, (void*)equals, 0), ); - return &this->public; } - diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 5417f9639..2d5747e01 100644 
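Review bot: set_pseudonym inserts the new mapping keyed by the entry's own identity (`this->pseudonym->put(this->pseudonym, entry->id, entry)`) and then frees the displaced entry together with its `id`; this is only safe if the hashtable's put replaces the stored key with the new `entry->id` whenever an equal key already exists, otherwise the table keeps a pointer to the freed `id` of the old entry. The hashtable implementation is not part of this diff, so this is an assumption to confirm, and a one-line comment above the put call would make the dependency explicit, e.g. `/* put() replaces the stored key, so the displaced entry and its id may be freed */`. Since get_pseudonym hands out a clone of entry->pseudonym, callers never hold a reference into the table, which keeps the rest of the ownership model straightforward.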
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_simaka_reauth -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -466,7 +480,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_reauth/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_reauth/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -781,6 +794,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c index 5bc5fd382..153ec0f0d 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c +++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c @@ -45,7 +45,7 @@ typedef struct { /** associated permanent identity */ identification_t *permanent; /** counter value */ - u_int16_t counter; + uint16_t counter; /** master key */ char mk[HASH_SIZE_SHA1]; } reauth_data_t; @@ -68,7 +68,7 @@ static bool equals(identification_t *key1, identification_t *key2) METHOD(simaka_card_t, get_reauth, identification_t*, private_eap_simaka_reauth_card_t *this, identification_t *id, - char mk[HASH_SIZE_SHA1], u_int16_t *counter) + char mk[HASH_SIZE_SHA1], uint16_t *counter) { reauth_data_t *data; identification_t *reauth; @@ -89,7 +89,7 @@ METHOD(simaka_card_t, get_reauth, identification_t*, METHOD(simaka_card_t, set_reauth, void, private_eap_simaka_reauth_card_t *this, identification_t *id, - identification_t* next, char mk[HASH_SIZE_SHA1], u_int16_t counter) + identification_t* next, char mk[HASH_SIZE_SHA1], uint16_t counter) { reauth_data_t *data; diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c index 937095ec1..543b5579b 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c +++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c @@ -53,7 +53,7 @@ typedef struct { /** currently used reauthentication identity */ identification_t *id; /** counter value */ - u_int16_t counter; + uint16_t counter; /** master key */ char mk[HASH_SIZE_SHA1]; } reauth_data_t; 
@@ -92,7 +92,7 @@ static identification_t *gen_identity(private_eap_simaka_reauth_provider_t *this METHOD(simaka_provider_t, is_reauth, identification_t*, private_eap_simaka_reauth_provider_t *this, identification_t *id, - char mk[HASH_SIZE_SHA1], u_int16_t *counter) + char mk[HASH_SIZE_SHA1], uint16_t *counter) { identification_t *permanent; reauth_data_t *data; diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index c858e467c..a491899ac 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_simaka_sql -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -466,7 +480,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -781,6 +794,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index c953d0e9c..c912f9ff4 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_tls -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c index bc01ba5df..79e87dc89 100644 --- a/src/libcharon/plugins/eap_tls/eap_tls.c +++ b/src/libcharon/plugins/eap_tls/eap_tls.c @@ -74,7 +74,7 @@ METHOD(eap_method_t, process, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_tls_t *this, u_int32_t *vendor) + private_eap_tls_t *this, uint32_t *vendor) { *vendor = 0; return EAP_TLS; @@ -91,14 +91,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_tls_t *this) { return this->tls_eap->get_identifier(this->tls_eap); } METHOD(eap_method_t, set_identifier, void, - private_eap_tls_t *this, u_int8_t identifier) + private_eap_tls_t *this, uint8_t identifier) { this->tls_eap->set_identifier(this->tls_eap, identifier); } diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 2f197ed33..efef3af20 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_tnc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -468,7 +482,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -782,6 +795,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index b563acdda..6f39b8455 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/eap_ttls -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -469,7 +483,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -786,6 +799,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c index c99d47f8d..9987c43d4 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c @@ -76,7 +76,7 @@ METHOD(eap_method_t, process, status_t, } METHOD(eap_method_t, get_type, eap_type_t, - private_eap_ttls_t *this, u_int32_t *vendor) + private_eap_ttls_t *this, uint32_t *vendor) { *vendor = 0; return EAP_TTLS; 
@@ -93,14 +93,14 @@ METHOD(eap_method_t, get_msk, status_t, return FAILED; } -METHOD(eap_method_t, get_identifier, u_int8_t, +METHOD(eap_method_t, get_identifier, uint8_t, private_eap_ttls_t *this) { return this->tls_eap->get_identifier(this->tls_eap); } METHOD(eap_method_t, set_identifier, void, - private_eap_ttls_t *this, u_int8_t identifier) + private_eap_ttls_t *this, uint8_t identifier) { this->tls_eap->set_identifier(this->tls_eap, identifier); } diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c index 47e0f8afb..f75e3e0a6 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c @@ -58,8 +58,8 @@ METHOD(eap_ttls_avp_t, build, void, { char zero_padding[] = { 0x00, 0x00, 0x00 }; chunk_t avp_padding; - u_int8_t avp_flags; - u_int32_t avp_len; + uint8_t avp_flags; + uint32_t avp_len; avp_flags = 0x40; avp_len = 8 + data.len; @@ -81,9 +81,9 @@ METHOD(eap_ttls_avp_t, process, status_t, if (this->process_header) { bio_reader_t *header; - u_int32_t avp_code; - u_int8_t avp_flags; - u_int32_t avp_len; + uint32_t avp_code; + uint8_t avp_flags; + uint32_t avp_len; bool success; len = min(reader->remaining(reader), AVP_HEADER_LEN - this->inpos); diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c index e0b59a681..be6a0812e 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c @@ -75,8 +75,8 @@ METHOD(tls_application_t, process, status_t, eap_packet_t *pkt; eap_code_t code; eap_type_t type, received_type; - u_int32_t vendor, received_vendor; - u_int16_t eap_len; + uint32_t vendor, received_vendor; + uint16_t eap_len; size_t eap_pos = 0; bool concatenated = FALSE; 
@@ -240,7 +240,7 @@ METHOD(tls_application_t, build, status_t, chunk_t data; eap_code_t code; eap_type_t type; - u_int32_t vendor; + uint32_t vendor; if (this->method == NULL && this->start_phase2) { diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index 03dfe3d60..d3fd2a198 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = error-notify$(EXEEXT) subdir = src/libcharon/plugins/error_notify -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -211,12 +220,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -266,6 +277,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -300,6 +312,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -411,6 +424,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -473,7 +487,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -843,6 +856,8 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c index ce577c62c..be84ec05b 100644 --- a/src/libcharon/plugins/error_notify/error_notify_listener.c +++ b/src/libcharon/plugins/error_notify/error_notify_listener.c @@ -83,6 +83,11 @@ METHOD(listener_t, alert, bool, snprintf(msg.str, sizeof(msg.str), "parsing IKE message from " "%#H failed", message->get_source(message)); break; + case ALERT_RETRANSMIT_SEND: + msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND); + snprintf(msg.str, sizeof(msg.str), "IKE message retransmission " + "number %u", va_arg(args, u_int)); + break; case ALERT_RETRANSMIT_SEND_TIMEOUT: msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT); snprintf(msg.str, sizeof(msg.str), diff --git a/src/libcharon/plugins/error_notify/error_notify_msg.h b/src/libcharon/plugins/error_notify/error_notify_msg.h index c66080276..74b590800 100644 --- a/src/libcharon/plugins/error_notify/error_notify_msg.h +++ b/src/libcharon/plugins/error_notify/error_notify_msg.h @@ -48,6 +48,7 @@ enum { ERROR_NOTIFY_CERT_EXPIRED = 17, ERROR_NOTIFY_CERT_REVOKED = 18, ERROR_NOTIFY_NO_ISSUER_CERT = 19, + ERROR_NOTIFY_RETRANSMIT_SEND = 20, }; /** diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in index fce2e8e63..c49c55fdb 100644 --- a/src/libcharon/plugins/ext_auth/Makefile.in +++ b/src/libcharon/plugins/ext_auth/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
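Review bot: The new `ERROR_NOTIFY_RETRANSMIT_SEND = 20` value in the error_notify_msg.h hunk has no comment stating that these constants are a stable external format, even though the listener hunk writes it into `msg.type` via `htonl()` and the message is presumably delivered to clients outside the daemon. Appending at the end of the enum is the right choice for that reason, and the header should say so, for example `/* message type values are sent to clients in msg.type (network order); append new entries, never renumber existing ones */` above the enum. In the listener hunk the `va_arg(args, u_int)` retrieval and the `%u` conversion agree in type, so the format string is consistent; the enclosing `alert` method begins before the hunk.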
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/ext_auth -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -460,7 +474,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ext_auth/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/ext_auth/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -774,6 +787,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 2afc5ad76..4674a78b4 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/farp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -201,12 +210,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -256,6 +267,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -290,6 +302,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -401,6 +414,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -458,7 +472,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/farp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/farp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -773,6 +786,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c index 87c84359c..e19fc5972 100644 --- a/src/libcharon/plugins/farp/farp_listener.c +++ b/src/libcharon/plugins/farp/farp_listener.c @@ -50,7 +50,7 @@ typedef struct { /** list of remote selectors */ linked_list_t *remote; /** reqid of CHILD_SA */ - u_int32_t reqid; + uint32_t reqid; } entry_t; METHOD(listener_t, child_updown, bool, diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c index 9f66d7407..c2715bd5a 100644 --- a/src/libcharon/plugins/farp/farp_spoofer.c +++ b/src/libcharon/plugins/farp/farp_spoofer.c 
@@ -54,15 +54,15 @@ struct private_farp_spoofer_t { * IP over Ethernet ARP message */ typedef struct __attribute__((packed)) { - u_int16_t hardware_type; - u_int16_t protocol_type; - u_int8_t hardware_size; - u_int8_t protocol_size; - u_int16_t opcode; - u_int8_t sender_mac[6]; - u_int8_t sender_ip[4]; - u_int8_t target_mac[6]; - u_int8_t target_ip[4]; + uint16_t hardware_type; + uint16_t protocol_type; + uint8_t hardware_size; + uint8_t protocol_size; + uint16_t opcode; + uint8_t sender_mac[6]; + uint8_t sender_ip[4]; + uint8_t target_mac[6]; + uint8_t target_ip[4]; } arp_t; /** diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in index 4f2a407b4..d29134f33 100644 --- a/src/libcharon/plugins/forecast/Makefile.in +++ b/src/libcharon/plugins/forecast/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/forecast -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -464,7 +478,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -779,6 +792,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c index 40aaa7f25..ce3909737 100644 --- a/src/libcharon/plugins/forecast/forecast_forwarder.c +++ b/src/libcharon/plugins/forecast/forecast_forwarder.c @@ -55,7 +55,7 @@ struct private_kernel_listener_t { /** * current broadcast address of internal network */ - u_int32_t broadcast; + uint32_t broadcast; /** * LAN interface index @@ -105,7 +105,7 @@ static void send_net(private_forecast_forwarder_t *this, /** * Send a broadcast/multicast packet to a peer */ -static void send_peer(private_forecast_forwarder_t *this, u_int32_t dst, +static void send_peer(private_forecast_forwarder_t *this, uint32_t dst, void *buf, size_t len, int mark) { struct sockaddr_in addr = { @@ -317,7 +317,7 @@ static void join_groups(private_kernel_listener_t *this, struct sockaddr *addr) /** * Attach the socket filter to the socket */ -static bool attach_filter(int fd, u_int32_t broadcast) +static bool attach_filter(int fd, uint32_t broadcast) { struct sock_filter filter_code[] = { /* destination address: is ... */ diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c index 8f7f2600c..3f252db2d 100644 --- a/src/libcharon/plugins/forecast/forecast_listener.c +++ b/src/libcharon/plugins/forecast/forecast_listener.c @@ -67,7 +67,7 @@ struct private_forecast_listener_t { /** * Broadcast address on LAN interface, network order */ - u_int32_t broadcast; + uint32_t broadcast; }; /** 
@@ -85,13 +85,13 @@ typedef struct { /** remote IKE_SA endpoint */ host_t *rhost; /** inbound SPI */ - u_int32_t spi; + uint32_t spi; /** use UDP encapsulation */ bool encap; /** whether we should allow reencapsulation of IPsec received forecasts */ bool reinject; /** broadcast address used for that entry */ - u_int32_t broadcast; + uint32_t broadcast; } entry_t; /** @@ -115,7 +115,7 @@ static void entry_destroy(entry_t *entry) static bool ts2in(traffic_selector_t *ts, struct in_addr *addr, struct in_addr *mask) { - u_int8_t bits; + uint8_t bits; host_t *net; if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE && @@ -179,12 +179,12 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain, static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, entry_t *entry, bool add) { - u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + + uint16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + XT_ALIGN(sizeof(struct xt_udp)); - u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; - u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + + uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; + uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + XT_ALIGN(sizeof(struct xt_mark_tginfo2)); - u_int16_t entry_size = target_offset + target_size; + uint16_t entry_size = target_offset + target_size; u_char ipt[entry_size], *pos = ipt; struct ipt_entry *e; 
@@ -240,12 +240,12 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, */ static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add) { - u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + + uint16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + XT_ALIGN(sizeof(struct xt_esp)); - u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; - u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + + uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; + uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + XT_ALIGN(sizeof(struct xt_mark_tginfo2)); - u_int16_t entry_size = target_offset + target_size; + uint16_t entry_size = target_offset + target_size; u_char ipt[entry_size], *pos = ipt; struct ipt_entry *e; @@ -306,10 +306,10 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add) */ static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add) { - u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); - u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + + uint16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); + uint16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + XT_ALIGN(sizeof(struct xt_mark_tginfo2)); - u_int16_t entry_size = target_offset + target_size; + uint16_t entry_size = target_offset + target_size; u_char ipt[entry_size], *pos = ipt; struct ipt_entry *e; @@ -617,7 +617,7 @@ METHOD(listener_t, ike_update, bool, * Filter to map entries to ts/mark */ static bool ts_filter(entry_t *entry, traffic_selector_t **ts, - traffic_selector_t **out, void *dummy, u_int32_t *mark, + traffic_selector_t **out, void *dummy, uint32_t *mark, void *dummy2, bool *reinject) { *out = *ts; diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 677c36afe..420b8bdb7 100644 --- a/src/libcharon/plugins/ha/Makefile.in 
+++ b/src/libcharon/plugins/ha/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/ha -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -472,7 +486,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ha/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/ha/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -796,6 +809,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c index 2b271a8e7..b20ef876a 100644 --- a/src/libcharon/plugins/ha/ha_attribute.c +++ b/src/libcharon/plugins/ha/ha_attribute.c @@ -83,7 +83,7 @@ static host_t* offset2host(pool_t *pool, int offset) { chunk_t addr; host_t *host; - u_int32_t *pos; + uint32_t *pos; if (offset > pool->size) { 
@@ -93,11 +93,11 @@ static host_t* offset2host(pool_t *pool, int offset)
 addr = chunk_clone(pool->base->get_address(pool->base));
 if (pool->base->get_family(pool->base) == AF_INET6)
 {
- pos = (u_int32_t*)(addr.ptr + 12);
+ pos = (uint32_t*)(addr.ptr + 12);
 }
 else
 {
- pos = (u_int32_t*)addr.ptr;
+ pos = (uint32_t*)addr.ptr;
 }
 *pos = htonl(offset + ntohl(*pos));
 host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0);
@@ -111,7 +111,7 @@ static host_t* offset2host(pool_t *pool, int offset)
 static int host2offset(pool_t *pool, host_t *addr)
 {
 chunk_t host, base;
- u_int32_t hosti, basei;
+ uint32_t hosti, basei;
 if (addr->get_family(addr) != pool->base->get_family(pool->base))
 {
@@ -129,8 +129,8 @@ static int host2offset(pool_t *pool, host_t *addr)
 host = chunk_skip(host, 12);
 base = chunk_skip(base, 12);
 }
- hosti = ntohl(*(u_int32_t*)(host.ptr));
- basei = ntohl(*(u_int32_t*)(base.ptr));
+ hosti = ntohl(*(uint32_t*)(host.ptr));
+ basei = ntohl(*(uint32_t*)(base.ptr));
 if (hosti > basei + pool->size)
 {
 return -1;
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index 0650f7fd9..8394eb722 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -186,11 +186,13 @@ METHOD(ha_cache_t, delete_, void,
 {
 entry_t *entry;
+ this->mutex->lock(this->mutex);
 entry = this->cache->remove(this->cache, ike_sa);
 if (entry)
 {
 entry_destroy(entry);
 }
+ this->mutex->unlock(this->mutex);
 }
 /**
@@ -204,7 +206,7 @@ static status_t rekey_children(ike_sa_t *ike_sa)
 linked_list_t *children;
 struct {
 protocol_id_t protocol;
- u_int32_t spi;
+ uint32_t spi;
 } *info;
 children = linked_list_create();
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index 7dafb1693..8c9f66aa7 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
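Review bot: `*pos = htonl(offset + ntohl(*pos));` in offset2host reads and writes a 32-bit word through a `uint32_t*` cast of `addr.ptr` (or `addr.ptr + 12` for IPv6), which assumes the cloned address chunk is 4-byte aligned; the same type-punned reads appear in host2offset (`hosti = ntohl(*(uint32_t*)(host.ptr));`, `basei = ntohl(*(uint32_t*)(base.ptr));`) and in ha_kernel.c's host2int. Reading into a local with `memcpy` keeps the byte-order handling and removes the alignment/aliasing assumption, e.g. `uint32_t raw; memcpy(&raw, pos, sizeof(raw)); raw = htonl(offset + ntohl(raw)); memcpy(pos, &raw, sizeof(raw));` with `pos` typed as a byte pointer. Separately, `if (hosti > basei + pool->size)` only bounds the address from above; if an address below the base can reach this point (the rest of host2offset is outside the hunk), the subsequent difference would presumably wrap, so a `hosti < basei` check next to it seems warranted. Both offset2host and host2offset continue outside these hunks.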
@@ -55,7 +55,7 @@ METHOD(listener_t, child_keys, bool,
 ha_message_t *m;
 chunk_t secret;
 proposal_t *proposal;
- u_int16_t alg, len;
+ uint16_t alg, len;
 linked_list_t *local_ts, *remote_ts;
 enumerator_t *enumerator;
 traffic_selector_t *ts;
@@ -69,7 +69,7 @@ METHOD(listener_t, child_keys, bool,
 m = ha_message_create(HA_CHILD_ADD);
 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
- m->add_attribute(m, HA_INITIATOR, (u_int8_t)initiator);
+ m->add_attribute(m, HA_INITIATOR, (uint8_t)initiator);
 m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
 m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
 m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index ce90f5bfe..ee66b8442 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -131,8 +131,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 enumerator_t *enumerator;
 ike_sa_t *ike_sa = NULL, *old_sa = NULL;
 ike_version_t version = IKEV2;
- u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
- u_int16_t dh_grp = 0;
+ uint16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+ uint16_t dh_grp = 0;
 chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
 chunk_t secret = chunk_empty, old_skd = chunk_empty;
 chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
@@ -486,7 +486,7 @@ static void process_ike_mid(private_ha_dispatcher_t *this,
 ha_message_value_t value;
 enumerator_t *enumerator;
 ike_sa_t *ike_sa = NULL;
- u_int32_t mid = 0;
+ uint32_t mid = 0;
 enumerator = message->create_attribute_enumerator(message);
 while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -652,11 +652,11 @@ static void process_child_add(private_ha_dispatcher_t *this,
 child_sa_t *child_sa;
 proposal_t *proposal;
 bool initiator = FALSE, failed = FALSE, ok = FALSE;
- u_int32_t inbound_spi = 0, outbound_spi = 0;
- u_int16_t inbound_cpi = 0, outbound_cpi = 0;
- u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
- u_int16_t encr = 0, integ = 0, len = 0, dh_grp = 0;
- u_int16_t esn = NO_EXT_SEQ_NUMBERS;
+ uint32_t inbound_spi = 0, outbound_spi = 0;
+ uint16_t inbound_cpi = 0, outbound_cpi = 0;
+ uint8_t mode = MODE_TUNNEL, ipcomp = 0;
+ uint16_t encr = 0, integ = 0, len = 0, dh_grp = 0;
+ uint16_t esn = NO_EXT_SEQ_NUMBERS;
 u_int seg_i, seg_o;
 chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
 chunk_t encr_i, integ_i, encr_r, integ_r;
@@ -777,7 +777,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 if (ike_sa->get_version(ike_sa) == IKEV1)
 {
 keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
- u_int32_t spi_i, spi_r;
+ uint32_t spi_i, spi_r;
 spi_i = initiator ? inbound_spi : outbound_spi;
 spi_r = initiator ? outbound_spi : inbound_spi;
@@ -889,7 +889,7 @@ static void process_child_delete(private_ha_dispatcher_t *this,
 enumerator_t *enumerator;
 ike_sa_t *ike_sa = NULL;
 child_sa_t *child_sa;
- u_int32_t spi = 0;
+ uint32_t spi = 0;
 enumerator = message->create_attribute_enumerator(message);
 while (enumerator->enumerate(enumerator, &attribute, &value))
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 3ffcaee6b..992ccb06c 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -78,7 +78,7 @@ METHOD(listener_t, ike_keys, bool,
 ha_message_t *m;
 chunk_t secret;
 proposal_t *proposal;
- u_int16_t alg, len;
+ uint16_t alg, len;
 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
 { /* do not sync SA between nodes */
@@ -168,7 +168,7 @@ METHOD(listener_t, ike_updown, bool,
 {
 enumerator_t *enumerator;
 peer_cfg_t *peer_cfg;
- u_int32_t extension, condition;
+ uint32_t extension, condition;
 host_t *addr;
 ike_sa_id_t *id;
 identification_t *eap_id;
@@ -349,7 +349,7 @@ METHOD(listener_t, message_hook, bool,
 ha_message_t *m;
 notify_payload_t *notify;
 chunk_t data;
- u_int32_t seq;
+ uint32_t seq;
 notify = message->get_notify(message, DPD_R_U_THERE);
 if (notify)
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index bd43dc351..061741eb7 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -15,8 +15,8 @@
 #include "ha_kernel.h"
-typedef u_int32_t u32;
-typedef u_int8_t u8;
+typedef uint32_t u32;
+typedef uint8_t u8;
 #include <sys/utsname.h>
 #include <string.h>
@@ -115,9 +115,9 @@ static jhash_version_t get_jhash_version()
 /**
 * jhash algorithm of two words, as used in kernel (using 0 as initval)
 */
-static u_int32_t jhash(jhash_version_t version, u_int32_t a, u_int32_t b)
+static uint32_t jhash(jhash_version_t version, uint32_t a, uint32_t b)
 {
- u_int32_t c = 0;
+ uint32_t c = 0;
 switch (version)
 {
@@ -162,7 +162,7 @@ static u_int32_t jhash(jhash_version_t version, u_int32_t a, u_int32_t b)
 /**
 * Segmentate a calculated hash
 */
-static u_int hash2segment(private_ha_kernel_t *this, u_int64_t hash)
+static u_int hash2segment(private_ha_kernel_t *this, uint64_t hash)
 {
 return ((hash * this->count) >> 32) + 1;
 }
@@ -170,11 +170,11 @@ static u_int hash2segment(private_ha_kernel_t *this, u_int64_t hash)
 /**
 * Get a host as an integer for hashing
 */
-static u_int32_t host2int(host_t *host)
+static uint32_t host2int(host_t *host)
 {
 if (host->get_family(host) == AF_INET)
 {
- return *(u_int32_t*)host->get_address(host).ptr;
+ return *(uint32_t*)host->get_address(host).ptr;
 }
 return 0;
 }
@@ -183,7 +183,7 @@ METHOD(ha_kernel_t, get_segment, u_int,
 private_ha_kernel_t *this, host_t *host)
 {
 unsigned long hash;
- u_int32_t addr;
+ uint32_t addr;
 addr = host2int(host);
 hash = jhash(this->version, ntohl(addr), 0);
@@ -192,10 +192,10 @@ METHOD(ha_kernel_t, get_segment, u_int,
 }
 METHOD(ha_kernel_t, get_segment_spi, u_int,
- private_ha_kernel_t *this, host_t *host, u_int32_t spi)
+ private_ha_kernel_t *this, host_t *host, uint32_t spi)
 {
 unsigned long hash;
- u_int32_t addr;
+ uint32_t addr;
 addr = host2int(host);
 hash = jhash(this->version, ntohl(addr), ntohl(spi));
diff --git a/src/libcharon/plugins/ha/ha_kernel.h b/src/libcharon/plugins/ha/ha_kernel.h
index 7b56f1e3a..bd0a3825b 100644
--- a/src/libcharon/plugins/ha/ha_kernel.h
+++ b/src/libcharon/plugins/ha/ha_kernel.h
@@ -45,7 +45,7 @@ struct ha_kernel_t {
 * @param spi SPI to include in hash
 * @return segment number
 */
- u_int (*get_segment_spi)(ha_kernel_t *this, host_t *host, u_int32_t spi);
+ u_int (*get_segment_spi)(ha_kernel_t *this, host_t *host, uint32_t spi);
 /**
 * Get the segment an arbitrary integer is in.
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index b40219ce1..42dfaf0e2 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -67,10 +67,10 @@ typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t;
 * Encoding if an ike_sa_id_t
 */
 struct ike_sa_id_encoding_t {
- u_int8_t ike_version;
- u_int64_t initiator_spi;
- u_int64_t responder_spi;
- u_int8_t initiator;
+ uint8_t ike_version;
+ uint64_t initiator_spi;
+ uint64_t responder_spi;
+ uint8_t initiator;
 } __attribute__((packed));
 typedef struct identification_encoding_t identification_encoding_t;
@@ -79,8 +79,8 @@ typedef struct identification_encoding_t identification_encoding_t;
 * Encoding of a identification_t
 */
 struct identification_encoding_t {
- u_int8_t type;
- u_int8_t len;
+ uint8_t type;
+ uint8_t len;
 char encoding[];
 } __attribute__((packed));
@@ -90,8 +90,8 @@ typedef struct host_encoding_t host_encoding_t;
 * encoding of a host_t
 */
 struct host_encoding_t {
- u_int16_t port;
- u_int8_t family;
+ uint16_t port;
+ uint8_t family;
 char encoding[];
 } __attribute__((packed));
@@ -101,11 +101,11 @@ typedef struct ts_encoding_t ts_encoding_t;
 * encoding of a traffic_selector_t
 */
 struct ts_encoding_t {
- u_int8_t type;
- u_int8_t protocol;
- u_int16_t from_port;
- u_int16_t to_port;
- u_int8_t dynamic;
+ uint8_t type;
+ uint8_t protocol;
+ uint16_t from_port;
+ uint16_t to_port;
+ uint8_t dynamic;
 char encoding[];
 } __attribute__((packed));
@@ -139,9 +139,9 @@ METHOD(ha_message_t, add_attribute, void,
 size_t len;
 va_list args;
- check_buf(this, sizeof(u_int8_t));
+ check_buf(this, sizeof(uint8_t));
 this->buf.ptr[this->buf.len] = attribute;
- this->buf.len += sizeof(u_int8_t);
+ this->buf.len += sizeof(uint8_t);
 va_start(args, attribute);
 switch (attribute)
@@ -215,13 +215,13 @@ METHOD(ha_message_t, add_attribute, void,
 this->buf.len += len;
 break;
 }
- /* u_int8_t */
+ /* uint8_t */
 case HA_IKE_VERSION:
 case HA_INITIATOR:
 case HA_IPSEC_MODE:
 case HA_IPCOMP:
 {
- u_int8_t val;
+ uint8_t val;
 val = va_arg(args, u_int);
 check_buf(this, sizeof(val));
@@ -229,7 +229,7 @@ METHOD(ha_message_t, add_attribute, void,
 this->buf.len += sizeof(val);
 break;
 }
- /* u_int16_t */
+ /* uint16_t */
 case HA_ALG_DH:
 case HA_ALG_PRF:
 case HA_ALG_OLD_PRF:
@@ -241,26 +241,26 @@ METHOD(ha_message_t, add_attribute, void,
 case HA_SEGMENT:
 case HA_ESN:
 {
- u_int16_t val;
+ uint16_t val;
 val = va_arg(args, u_int);
 check_buf(this, sizeof(val));
- *(u_int16_t*)(this->buf.ptr + this->buf.len) = htons(val);
+ *(uint16_t*)(this->buf.ptr + this->buf.len) = htons(val);
 this->buf.len += sizeof(val);
 break;
 }
- /** u_int32_t */
+ /** uint32_t */
 case HA_CONDITIONS:
 case HA_EXTENSIONS:
 case HA_INBOUND_SPI:
 case HA_OUTBOUND_SPI:
 case HA_MID:
 {
- u_int32_t val;
+ uint32_t val;
 val = va_arg(args, u_int);
 check_buf(this, sizeof(val));
- *(u_int32_t*)(this->buf.ptr + this->buf.len) = htonl(val);
+ *(uint32_t*)(this->buf.ptr + this->buf.len) = htonl(val);
 this->buf.len += sizeof(val);
 break;
 }
@@ -277,11 +277,11 @@ METHOD(ha_message_t, add_attribute, void,
 chunk_t chunk;
 chunk = va_arg(args, chunk_t);
- check_buf(this, chunk.len + sizeof(u_int16_t));
- *(u_int16_t*)(this->buf.ptr + this->buf.len) = htons(chunk.len);
- memcpy(this->buf.ptr + this->buf.len + sizeof(u_int16_t),
+ check_buf(this, chunk.len + sizeof(uint16_t));
+ *(uint16_t*)(this->buf.ptr + this->buf.len) = htons(chunk.len);
+ memcpy(this->buf.ptr + this->buf.len + sizeof(uint16_t),
 chunk.ptr, chunk.len);
- this->buf.len += chunk.len + sizeof(u_int16_t);;
+ this->buf.len += chunk.len + sizeof(uint16_t);;
 break;
 }
 /** traffic_selector_t */
@@ -309,7 +309,7 @@ METHOD(ha_message_t, add_attribute, void,
 default:
 {
 DBG1(DBG_CFG, "unable to encode, attribute %d unknown", attribute);
- this->buf.len -= sizeof(u_int8_t);
+ this->buf.len -= sizeof(uint8_t);
 break;
 }
 }
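Review bot: `*(uint16_t*)(this->buf.ptr + this->buf.len) = htons(val);` and the matching `uint32_t` store a few lines below write through a cast at an arbitrary byte offset; because every attribute is prefixed by a single `uint8_t` tag (`this->buf.len += sizeof(uint8_t);` earlier in add_attribute), these stores are misaligned whenever the running length is odd, and the same holds for the reads `ntohs(*(uint16_t*)this->buf.ptr)` / `ntohl(*(uint32_t*)this->buf.ptr)` in attribute_enumerate and for the chunk-length field in both functions. Misaligned through-cast access is undefined in C and faults on strict-alignment targets even though it happens to work on x86. Writing `uint16_t nval = htons(val); memcpy(this->buf.ptr + this->buf.len, &nval, sizeof(nval));` (and the memcpy counterpart on the read side) keeps the wire format byte-identical. add_attribute starts and ends outside this hunk.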
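Review bot: `*(uint16_t*)(this->buf.ptr + this->buf.len) = htons(chunk.len);` truncates a `size_t` length to 16 bits while the `memcpy` right after it copies all `chunk.len` bytes, so a chunk longer than 65535 bytes yields a message whose length prefix disagrees with its payload; the receiving attribute_enumerate (visible further down) would then presumably treat the surplus bytes as further attributes. Refuse to encode such a chunk before touching the buffer, mirroring the rollback already used in the `default:` branch: `if (chunk.len > UINT16_MAX) { DBG1(DBG_CFG, "unable to encode, attribute %d too long", attribute); this->buf.len -= sizeof(uint8_t); break; }`. The doubled `;;` on `this->buf.len += chunk.len + sizeof(uint16_t);;` is harmless but should be a single semicolon.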
@@ -435,22 +435,22 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 this->buf = chunk_skip(this->buf, len + 1);
 return TRUE;
 }
- /* u_int8_t */
+ /* uint8_t */
 case HA_IKE_VERSION:
 case HA_INITIATOR:
 case HA_IPSEC_MODE:
 case HA_IPCOMP:
 {
- if (this->buf.len < sizeof(u_int8_t))
+ if (this->buf.len < sizeof(uint8_t))
 {
 return FALSE;
 }
- value->u8 = *(u_int8_t*)this->buf.ptr;
+ value->u8 = *(uint8_t*)this->buf.ptr;
 *attr_out = attr;
- this->buf = chunk_skip(this->buf, sizeof(u_int8_t));
+ this->buf = chunk_skip(this->buf, sizeof(uint8_t));
 return TRUE;
 }
- /** u_int16_t */
+ /** uint16_t */
 case HA_ALG_DH:
 case HA_ALG_PRF:
 case HA_ALG_OLD_PRF:
@@ -462,29 +462,29 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 case HA_SEGMENT:
 case HA_ESN:
 {
- if (this->buf.len < sizeof(u_int16_t))
+ if (this->buf.len < sizeof(uint16_t))
 {
 return FALSE;
 }
- value->u16 = ntohs(*(u_int16_t*)this->buf.ptr);
+ value->u16 = ntohs(*(uint16_t*)this->buf.ptr);
 *attr_out = attr;
- this->buf = chunk_skip(this->buf, sizeof(u_int16_t));
+ this->buf = chunk_skip(this->buf, sizeof(uint16_t));
 return TRUE;
 }
- /** u_int32_t */
+ /** uint32_t */
 case HA_CONDITIONS:
 case HA_EXTENSIONS:
 case HA_INBOUND_SPI:
 case HA_OUTBOUND_SPI:
 case HA_MID:
 {
- if (this->buf.len < sizeof(u_int32_t))
+ if (this->buf.len < sizeof(uint32_t))
 {
 return FALSE;
 }
- value->u32 = ntohl(*(u_int32_t*)this->buf.ptr);
+ value->u32 = ntohl(*(uint32_t*)this->buf.ptr);
 *attr_out = attr;
- this->buf = chunk_skip(this->buf, sizeof(u_int32_t));
+ this->buf = chunk_skip(this->buf, sizeof(uint32_t));
 return TRUE;
 }
 /** chunk_t */
@@ -499,12 +499,12 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 {
 size_t len;
- if (this->buf.len < sizeof(u_int16_t))
+ if (this->buf.len < sizeof(uint16_t))
 {
 return FALSE;
 }
- len = ntohs(*(u_int16_t*)this->buf.ptr);
- this->buf = chunk_skip(this->buf, sizeof(u_int16_t));
+ len = ntohs(*(uint16_t*)this->buf.ptr);
+ this->buf = chunk_skip(this->buf, sizeof(uint16_t));
 if (this->buf.len < len)
 {
 return FALSE;
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index fe1786edf..630c8af8f 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -92,9 +92,9 @@ enum ha_message_attribute_t {
 HA_REMOTE_ADDR,
 /** char*, name of configuration */
 HA_CONFIG_NAME,
- /** u_int32_t, bitset of ike_condition_t */
+ /** uint32_t, bitset of ike_condition_t */
 HA_CONDITIONS,
- /** u_int32_t, bitset of ike_extension_t */
+ /** uint32_t, bitset of ike_extension_t */
 HA_EXTENSIONS,
 /** host_t*, local virtual IP */
 HA_LOCAL_VIP,
@@ -102,7 +102,7 @@ enum ha_message_attribute_t {
 HA_REMOTE_VIP,
 /** host_t*, known peer addresses (used for MOBIKE) */
 HA_PEER_ADDR,
- /** u_int8_t, initiator of an exchange, TRUE for local */
+ /** uint8_t, initiator of an exchange, TRUE for local */
 HA_INITIATOR,
 /** chunk_t, initiators nonce */
 HA_NONCE_I,
@@ -112,41 +112,41 @@ enum ha_message_attribute_t {
 HA_SECRET,
 /** chunk_t, SKd of old SA if rekeying */
 HA_OLD_SKD,
- /** u_int16_t, pseudo random function */
+ /** uint16_t, pseudo random function */
 HA_ALG_PRF,
- /** u_int16_t, old pseudo random function if rekeying */
+ /** uint16_t, old pseudo random function if rekeying */
 HA_ALG_OLD_PRF,
- /** u_int16_t, encryption algorithm */
+ /** uint16_t, encryption algorithm */
 HA_ALG_ENCR,
- /** u_int16_t, encryption key size in bytes */
+ /** uint16_t, encryption key size in bytes */
 HA_ALG_ENCR_LEN,
- /** u_int16_t, integrity protection algorithm */
+ /** uint16_t, integrity protection algorithm */
 HA_ALG_INTEG,
- /** u_int16_t, DH group */
+ /** uint16_t, DH group */
 HA_ALG_DH,
- /** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */
+ /** uint8_t, IPsec mode, TUNNEL|TRANSPORT|... */
 HA_IPSEC_MODE,
- /** u_int8_t, IPComp protocol */
+ /** uint8_t, IPComp protocol */
 HA_IPCOMP,
- /** u_int32_t, inbound security parameter index */
+ /** uint32_t, inbound security parameter index */
 HA_INBOUND_SPI,
- /** u_int32_t, outbound security parameter index */
+ /** uint32_t, outbound security parameter index */
 HA_OUTBOUND_SPI,
- /** u_int16_t, inbound security parameter index */
+ /** uint16_t, inbound security parameter index */
 HA_INBOUND_CPI,
- /** u_int16_t, outbound security parameter index */
+ /** uint16_t, outbound security parameter index */
 HA_OUTBOUND_CPI,
 /** traffic_selector_t*, local traffic selector */
 HA_LOCAL_TS,
 /** traffic_selector_t*, remote traffic selector */
 HA_REMOTE_TS,
- /** u_int32_t, message ID */
+ /** uint32_t, message ID */
 HA_MID,
- /** u_int16_t, HA segment */
+ /** uint16_t, HA segment */
 HA_SEGMENT,
- /** u_int16_t, Extended Sequence numbers */
+ /** uint16_t, Extended Sequence numbers */
 HA_ESN,
- /** u_int8_t, IKE version */
+ /** uint8_t, IKE version */
 HA_IKE_VERSION,
 /** chunk_t, own DH public value */
 HA_LOCAL_DH,
@@ -162,9 +162,9 @@ enum ha_message_attribute_t {
 * Union to enumerate typed attributes in a message
 */
 union ha_message_value_t {
- u_int8_t u8;
- u_int16_t u16;
- u_int32_t u32;
+ uint8_t u8;
+ uint16_t u16;
+ uint32_t u32;
 char *str;
 chunk_t chunk;
 ike_sa_id_t *ike_sa_id;
diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h
index 76da38082..31d47e371 100644
--- a/src/libcharon/plugins/ha/ha_segments.h
+++ b/src/libcharon/plugins/ha/ha_segments.h
@@ -25,7 +25,7 @@
 typedef struct ha_segments_t ha_segments_t;
-typedef u_int16_t segment_mask_t;
+typedef uint16_t segment_mask_t;
 /**
 * maximum number of segments
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index dd2399366..a0e514614 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -79,7 +79,7 @@ struct private_ha_tunnel_t {
 /**
 * Reqid of installed trap
 */
- u_int32_t trap;
+ uint32_t trap;
 /**
 * backend for HA SA
@@ -183,10 +183,22 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 auth_cfg_t *auth_cfg;
 child_cfg_t *child_cfg;
 traffic_selector_t *ts;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 21600, .rekey = 20400, .jitter = 400,
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_NEVER_SEND,
+ .unique = UNIQUE_KEEP,
+ .rekey_time = 86400, /* 24h */
+ .jitter_time = 7200, /* 2h */
+ .over_time = 3600, /* 1h */
+ .no_mobike = TRUE,
+ .dpd = 30,
+ };
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 21600, .rekey = 20400, .jitter = 400,
+ },
 },
+ .mode = MODE_TRANSPORT,
 };
 /* setup credentials */
@@ -208,9 +220,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 remote, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
- UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE,
- TRUE, 30, 0, FALSE, NULL, NULL);
+ peer_cfg = peer_cfg_create("ha", ike_cfg, &peer);
 auth_cfg = auth_cfg_create();
 auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
@@ -224,9 +234,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 identification_create_from_string(remote));
 peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
- child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create("ha", &child);
 ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 0b7a29194..38a63ea02 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
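Review bot: `child_cfg = child_cfg_create("ha", &child);` drops the `TRUE` the removed call passed as its fourth positional argument, and the `child` initializer introduced in the previous hunk sets only `.lifetime` and `.mode`; if that argument was the host-access flag, the HA tunnel's CHILD_SA silently loses it through what is otherwise a pure refactoring, so either set the corresponding field in the initializer or state in a comment that it was dropped on purpose. The same question applies to the `0`, `FALSE` and `TRUE` values of the removed `peer_cfg_create` call that have no counterpart in the `peer` initializer and now rely on zero defaults. A one-line comment above the initializers, `/* all peer_cfg_create_t/child_cfg_create_t fields not listed here intentionally keep their zero defaults */`, would spare readers a diff against the old positional signatures. setup_tunnel starts and ends outside this hunk.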
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/ipseckey -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ipseckey/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/ipseckey/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/ipseckey/ipseckey.c b/src/libcharon/plugins/ipseckey/ipseckey.c index ca126d772..5ca1e27bc 100644 --- a/src/libcharon/plugins/ipseckey/ipseckey.c +++ b/src/libcharon/plugins/ipseckey/ipseckey.c @@ -34,17 +34,17 @@ struct private_ipseckey_t { /** * Precedence */ - u_int8_t precedence; + uint8_t precedence; /** * Gateway type */ - u_int8_t gateway_type; + uint8_t gateway_type; /** * Algorithm */ - u_int8_t algorithm; + uint8_t algorithm; /** * Gateway @@ -57,7 +57,7 @@ struct private_ipseckey_t { chunk_t public_key; }; -METHOD(ipseckey_t, get_precedence, u_int8_t, +METHOD(ipseckey_t, get_precedence, uint8_t, private_ipseckey_t *this) { return this->precedence; 
@@ -102,7 +102,7 @@ ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
 {
 private_ipseckey_t *this;
 bio_reader_t *reader = NULL;
- u_int8_t label;
+ uint8_t label;
 chunk_t tmp;
 INIT(this,
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.h b/src/libcharon/plugins/ipseckey/ipseckey.h
index 5885daeee..b19ec8920 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey.h
+++ b/src/libcharon/plugins/ipseckey/ipseckey.h
@@ -85,7 +85,7 @@ struct ipseckey_t {
 *
 * @return precedence
 */
- u_int8_t (*get_precedence)(ipseckey_t *this);
+ uint8_t (*get_precedence)(ipseckey_t *this);
 /**
 * Get the type of the gateway.
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
index 3ff6dd87d..6c041ce26 100644
--- a/src/libcharon/plugins/ipseckey/ipseckey_cred.c
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -136,7 +136,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 rr_set_t *rrset;
 rr_t *rrsig;
 bio_reader_t *reader;
- u_int32_t nBefore, nAfter;
+ uint32_t nBefore, nAfter;
 chunk_t ignore;
 char *fqdn;
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index de5bfd517..19e7701c6 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/kernel_iph -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_iph/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_iph/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c index 6a8a96821..efeb98045 100644 --- a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c +++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c @@ -562,7 +562,8 @@ METHOD(kernel_net_t, get_source_addr, host_t*, } METHOD(kernel_net_t, get_nexthop, host_t*, - private_kernel_iph_net_t *this, host_t *dest, int prefix, host_t *src) + private_kernel_iph_net_t *this, host_t *dest, int prefix, host_t *src, + char **iface) { MIB_IPFORWARD_ROW2 route; SOCKADDR_INET best, *sai_dst, *sai_src = NULL; 
@@ -592,6 +593,10 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
 {
 if (!nexthop->is_anyaddr(nexthop))
 {
+ if (iface)
+ {
+ *iface = NULL;
+ }
 return nexthop;
 }
 nexthop->destroy(nexthop);
@@ -617,7 +622,7 @@ METHOD(kernel_net_t, del_ip, status_t,
 * Add or remove a route
 */
 static status_t manage_route(private_kernel_iph_net_t *this, bool add,
- chunk_t dst, u_int8_t prefixlen, host_t *gtw, char *name)
+ chunk_t dst, uint8_t prefixlen, host_t *gtw, char *name)
 {
 MIB_IPFORWARD_ROW2 row = {
 .DestinationPrefix = {
@@ -705,14 +710,14 @@ static status_t manage_route(private_kernel_iph_net_t *this, bool add,
 }
 METHOD(kernel_net_t, add_route, status_t,
- private_kernel_iph_net_t *this, chunk_t dst, u_int8_t prefixlen,
+ private_kernel_iph_net_t *this, chunk_t dst, uint8_t prefixlen,
 host_t *gateway, host_t *src, char *name)
 {
 return manage_route(this, TRUE, dst, prefixlen, gateway, name);
 }
 METHOD(kernel_net_t, del_route, status_t,
- private_kernel_iph_net_t *this, chunk_t dst, u_int8_t prefixlen,
+ private_kernel_iph_net_t *this, chunk_t dst, uint8_t prefixlen,
 host_t *gateway, host_t *src, char *name)
 {
 return manage_route(this, FALSE, dst, prefixlen, gateway, name);
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 018a25a62..9bfdb950f 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
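Review bot: `*iface = NULL;` is assigned only on the success path that returns `nexthop`; get_nexthop's other return paths (the function starts in the previous hunk and the remainder is outside this one) leave the new out-parameter untouched, so a caller that inspects `*iface` after a NULL result reads whatever the pointer held before the call. Clearing it once at function entry, right after the declarations in the signature hunk, `if (iface) { *iface = NULL; }`, covers every exit and lets the per-return block here be removed. If this backend genuinely never reports an interface, a comment on the parameter such as `/* iface: this backend cannot determine the outgoing interface, always cleared */` would stop readers hunting for a missing assignment.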
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/kernel_libipsec -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -466,7 +480,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_libipsec/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_libipsec/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -781,6 +794,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c index 4c8771e96..77e37e249 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c @@ -108,7 +108,7 @@ struct route_entry_t { /** Destination net */ chunk_t dst_net; /** Destination net prefixlen */ - u_int8_t prefixlen; + uint8_t prefixlen; /** Reference to exclude route, if any */ exclude_route_t *exclude; }; 
@@ -151,15 +151,15 @@ typedef struct policy_entry_t policy_entry_t; */ struct policy_entry_t { /** Direction of this policy: in, out, forward */ - u_int8_t direction; + uint8_t direction; /** Parameters of installed policy */ struct { /** Subnet and port */ host_t *net; /** Subnet mask */ - u_int8_t mask; + uint8_t mask; /** Protocol */ - u_int8_t proto; + uint8_t proto; } src, dst; /** Associated route installed for this policy */ route_entry_t *route; @@ -222,7 +222,7 @@ static inline bool policy_entry_equals(policy_entry_t *a, /** * Expiration callback */ -static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard) +static void expire(uint8_t protocol, uint32_t spi, host_t *dst, bool hard) { charon->kernel->expire(charon->kernel, protocol, spi, dst, hard); } 
@@ -235,55 +235,51 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) + uint8_t protocol, uint32_t *spi) { return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, spi); } METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) + uint16_t *cpi) { return NOT_SUPPORTED; } METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data) { - return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark, - tfc, lifetime, enc_alg, enc_key, int_alg, int_key, - mode, ipcomp, cpi, initiator, encap, esn, - inbound, update); + return ipsec->sas->add_sa(ipsec->sas, id->src, id->dst, id->spi, id->proto, + data->reqid, id->mark, data->tfc, data->lifetime, + data->enc_alg, data->enc_key, data->int_alg, data->int_key, + data->mode, data->ipcomp, data->cpi, data->initiator, + data->encap, data->esn, data->inbound, data->update); } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_libipsec_ipsec_t *this, u_int32_t spi, u_int8_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data) { return NOT_SUPPORTED; } METHOD(kernel_ipsec_t, query_sa, status_t, - 
private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes, - u_int64_t *packets, time_t *time) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, + time_t *time) { - return ipsec->sas->query_sa(ipsec->sas, src, dst, spi, protocol, mark, - bytes, packets, time); + return ipsec->sas->query_sa(ipsec->sas, id->src, id->dst, id->spi, + id->proto, id->mark, bytes, packets, time); } METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data) { - return ipsec->sas->del_sa(ipsec->sas, src, dst, spi, protocol, cpi, mark); + return ipsec->sas->del_sa(ipsec->sas, id->src, id->dst, id->spi, id->proto, + data->cpi, id->mark); } METHOD(kernel_ipsec_t, flush_sas, status_t, @@ -312,7 +308,7 @@ static void add_exclude_route(private_kernel_libipsec_ipsec_t *this, if (!route->exclude) { DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src); - gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL); + gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL, NULL); if (gtw) { char *if_name = NULL; @@ -438,7 +434,8 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this, ); #ifndef __linux__ /* on Linux we cant't install a gateway */ - route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, src); + route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, src, + NULL); #endif if (policy->route) 
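Review bot: The rewritten add_sa forwards a fixed subset of `data`'s fields to ipsec->sas->add_sa and silently drops the rest: `replay_window`, which the old signature also accepted and never forwarded, and fields the netlink backend honours in this same import (the `interface` restriction used by kernel_netlink_ipsec.c's add_sa) have no effect here and produce no warning, and the return value cannot tell a caller that a restriction was ignored. A one-line comment above the call, such as `/* libipsec ignores replay_window and interface restrictions */`, or a DBG1 when such a field is set, would make the gap visible instead of leaving it to a diff against the netlink plugin. The same applies to update_sa and query_policy, which return NOT_SUPPORTED without looking at their arguments.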
@@ -509,22 +506,22 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this, } METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, - policy_priority_t priority) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { policy_entry_t *policy, *found = NULL; status_t status; - status = ipsec->policies->add_policy(ipsec->policies, src, dst, src_ts, - dst_ts, direction, type, sa, mark, priority); + status = ipsec->policies->add_policy(ipsec->policies, data->src, data->dst, + id->src_ts, id->dst_ts, id->dir, + data->type, data->sa, id->mark, + data->prio); if (status != SUCCESS) { return status; } /* we track policies in order to install routes */ - policy = create_policy_entry(src_ts, dst_ts, direction); + policy = create_policy_entry(id->src_ts, id->dst_ts, id->dir); this->mutex->lock(this->mutex); if (this->policies->find_first(this->policies, @@ -540,7 +537,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } policy->refs++; - if (!install_route(this, src, dst, src_ts, dst_ts, policy)) + if (!install_route(this, data->src, data->dst, id->src_ts, id->dst_ts, + policy)) { return FAILED; } 
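Review bot: The failure return after install_route leaves `this->mutex` held: the lock is taken earlier in add_policy (visible in the preceding hunk) and the hunk shows no unlock between `policy->refs++` and `return FAILED;`, so unless install_route releases it on failure — which nothing in view suggests — the next add_policy/del_policy on this backend blocks forever and one failed route installation becomes a denial of service. The refcount has also already been bumped on this path, so the entry keeps a reference with no route behind it. Suggested change inside that branch: `this->mutex->unlock(this->mutex); return FAILED;`, and consider undoing the `refs++` before returning. The end of add_policy, where the success-path unlock presumably lives, is outside the hunk.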
@@ -548,26 +546,25 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - time_t *use_time) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_query_policy_t *data, time_t *use_time) { return NOT_SUPPORTED; } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) + private_kernel_libipsec_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { policy_entry_t *policy, *found = NULL; status_t status; - status = ipsec->policies->del_policy(ipsec->policies, src, dst, src_ts, - dst_ts, direction, type, sa, mark, priority); + status = ipsec->policies->del_policy(ipsec->policies, data->src, data->dst, + id->src_ts, id->dst_ts, id->dir, + data->type, data->sa, id->mark, + data->prio); - policy = create_policy_entry(src_ts, dst_ts, direction); + policy = create_policy_entry(id->src_ts, id->dst_ts, id->dir); this->mutex->lock(this->mutex); if (this->policies->find_first(this->policies, @@ -596,8 +593,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t, route->src_ip, route->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + "policy %R === %R %N", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); } remove_exclude_route(this, route); } 
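Review bot: del_policy records the backend result in `status` but, as far as the hunk shows, goes on to build the lookup entry, lock the list and tear down the tracked route regardless of that result; whether `status` is returned at the end is outside the hunk. If ipsec->policies->del_policy fails for any reason other than the policy being absent, the local route bookkeeping and the backend's policy table diverge silently. Either bail out early as add_policy does, `if (status != SUCCESS) { return status; }`, or add a comment explaining why local cleanup must proceed on failure.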
@@ -641,7 +638,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } METHOD(kernel_ipsec_t, enable_udp_decap, bool, - private_kernel_libipsec_ipsec_t *this, int fd, int family, u_int16_t port) + private_kernel_libipsec_ipsec_t *this, int fd, int family, uint16_t port) { return NOT_SUPPORTED; } diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am index 973e2c2f4..41c7304c6 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.am +++ b/src/libcharon/plugins/kernel_netlink/Makefile.am @@ -20,6 +20,8 @@ libstrongswan_kernel_netlink_la_SOURCES = \ kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c +libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) + libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in index 55dcabf6f..2435dea92 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/kernel_netlink/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -81,8 +91,6 @@ host_triplet = @host@ TESTS = tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libcharon/plugins/kernel_netlink -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -129,7 +138,8 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_kernel_netlink_la_LIBADD = +am__DEPENDENCIES_1 = +libstrongswan_kernel_netlink_la_DEPENDENCIES = $(am__DEPENDENCIES_1) am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \ kernel_netlink_ipsec.lo kernel_netlink_net.lo \ kernel_netlink_shared.lo @@ -241,12 +251,14 @@ am__tty_colors = { \ std='[m'; \ fi; \ } +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -296,6 +308,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -330,6 +343,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -441,6 +455,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -487,6 +502,7 @@ libstrongswan_kernel_netlink_la_SOURCES = \ kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c +libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version tests_SOURCES = \ tests.h tests.c \ @@ -520,7 +536,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1001,6 +1016,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 6d9d63a98..9c2a7c315 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
@@ -1,11 +1,11 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008-2016 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -18,6 +18,7 @@ * for more details. */ +#define _GNU_SOURCE #include <sys/types.h> #include <sys/socket.h> #include <stdint.h> @@ -26,11 +27,13 @@ #include <linux/rtnetlink.h> #include <linux/xfrm.h> #include <linux/udp.h> +#include <net/if.h> #include <unistd.h> #include <time.h> #include <errno.h> #include <string.h> #include <fcntl.h> +#include <dlfcn.h> #include "kernel_netlink_ipsec.h" #include "kernel_netlink_shared.h" @@ -38,6 +41,7 @@ #include <daemon.h> #include <utils/debug.h> #include <threading/mutex.h> +#include <threading/condvar.h> #include <collections/array.h> #include <collections/hashtable.h> #include <collections/linked_list.h> @@ -72,7 +76,7 @@ #endif /** Base priority for installed policies */ -#define PRIO_BASE 384 +#define PRIO_BASE 100000 /** Default lifetime of an acquire XFRM state (in seconds) */ #define DEFAULT_ACQUIRE_LIFETIME 165 @@ -287,6 +291,11 @@ struct private_kernel_netlink_ipsec_t { mutex_t *mutex; /** + * Condvar to synchronize access to individual policies + */ + condvar_t *condvar; + + /** * Hash table of installed policies (policy_entry_t) */ hashtable_t *policies; 
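Review bot: Raising PRIO_BASE from 384 to 100000 moves every priority this daemon computes into a band (34'271 to 400'000 according to the get_priority comment further down, where lower numbers win) far above anything the old shift-based scheme produced, which topped out in the low thousands. Policies left in the kernel by an older charon — after an unclean restart, or from a second instance built with the old value — would therefore outrank every policy the new daemon installs, with no warning; how leftover policies are handled at startup is not visible here, so this is a hedged observation. A note on the define would make the upgrade hazard visible to operators, e.g. `/* changed from 384: policies installed with the old scheme take precedence and must be flushed */`.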
@@ -326,6 +335,12 @@ struct private_kernel_netlink_ipsec_t { * Installed port based IKE bypass policies, as bypass_t */ array_t *bypass; + + /** + * Custom priority calculation function + */ + uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data); }; typedef struct route_entry_t route_entry_t; @@ -347,7 +362,7 @@ struct route_entry_t { chunk_t dst_net; /** Destination net prefixlen */ - u_int8_t prefixlen; + uint8_t prefixlen; }; /** @@ -413,8 +428,9 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa) { return sa->src->ip_equals(sa->src, other_sa->src) && sa->dst->ip_equals(sa->dst, other_sa->dst) && - memeq(&sa->mark, &other_sa->mark, sizeof(mark_t)) && - memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t)); + sa->mark.value == other_sa->mark.value && + sa->mark.mask == other_sa->mark.mask && + ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg); } /** @@ -463,14 +479,17 @@ static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this, } typedef struct policy_sa_t policy_sa_t; -typedef struct policy_sa_fwd_t policy_sa_fwd_t; +typedef struct policy_sa_out_t policy_sa_out_t; /** * Mapping between a policy and an IPsec SA. */ struct policy_sa_t { /** Priority assigned to the policy when installed with this SA */ - u_int32_t priority; + uint32_t priority; + + /** Automatic priority assigned to the policy when installed with this SA */ + uint32_t auto_priority; /** Type of the policy */ policy_type_t type; @@ -480,10 +499,10 @@ struct policy_sa_t { }; /** - * For forward policies we also cache the traffic selectors in order to install + * For outbound policies we also cache the traffic selectors in order to install * the route. */ -struct policy_sa_fwd_t { +struct policy_sa_out_t { /** Generic interface */ policy_sa_t generic; 
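Review bot: The new `get_priority` member is documented only as "Custom priority calculation function", which says nothing about where the pointer comes from or what it may assume; together with the `<dlfcn.h>` include added to this file it is presumably resolved from a loaded library, meaning whatever it points to runs inside the daemon with the daemon's privileges. The comment should state how the pointer is resolved, that only a trusted, configuration-controlled symbol is acceptable, and what a NULL value means (presumably the built-in get_priority() below); something like `/* Optional priority hook resolved at startup; trusted code, NULL selects the built-in scheme */`. Whether the returned value is range-checked against the built-in scheme is not visible in this hunk.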
@@ -495,7 +514,7 @@ struct policy_sa_fwd_t { }; /** - * Create a policy_sa(_fwd)_t object + * Create a policy_sa(_in)_t object */ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst, @@ -504,14 +523,14 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, { policy_sa_t *policy; - if (dir == POLICY_FWD) + if (dir == POLICY_OUT) { - policy_sa_fwd_t *fwd; - INIT(fwd, + policy_sa_out_t *out; + INIT(out, .src_ts = src_ts->clone(src_ts), .dst_ts = dst_ts->clone(dst_ts), ); - policy = &fwd->generic; + policy = &out->generic; } else { @@ -523,16 +542,16 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, } /** - * Destroy a policy_sa(_fwd)_t object + * Destroy a policy_sa(_in)_t object */ static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir, private_kernel_netlink_ipsec_t *this) { - if (*dir == POLICY_FWD) + if (*dir == POLICY_OUT) { - policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy; - fwd->src_ts->destroy(fwd->src_ts); - fwd->dst_ts->destroy(fwd->dst_ts); + policy_sa_out_t *out = (policy_sa_out_t*)policy; + out->src_ts->destroy(out->src_ts); + out->dst_ts->destroy(out->dst_ts); } ipsec_sa_destroy(this, policy->sa); free(policy); @@ -546,13 +565,13 @@ typedef struct policy_entry_t policy_entry_t; struct policy_entry_t { /** Direction of this policy: in, out, forward */ - u_int8_t direction; + uint8_t direction; /** Parameters of installed policy */ struct xfrm_selector sel; /** Optional mark */ - u_int32_t mark; + uint32_t mark; /** Associated route installed for this policy */ route_entry_t *route; @@ -561,7 +580,13 @@ struct policy_entry_t { linked_list_t *used_by; /** reqid for this policy */ - u_int32_t reqid; + uint32_t reqid; + + /** Number of threads waiting to work on this policy */ + int waiting; + + /** TRUE if a thread is working on this policy */ + bool working; }; /** 
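Review bot: Both rewritten comments in this hunk say `policy_sa(_in)_t`, but the type the code creates and destroys is `policy_sa_out_t` — the struct was renamed from policy_sa_fwd_t in the preceding hunk and both branches test `POLICY_OUT`. The comments should read `Create a policy_sa(_out)_t object` and `Destroy a policy_sa(_out)_t object`; as written they point the reader at a type that does not exist.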
@@ -604,39 +629,73 @@ static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key) } /** + * Determine number of set bits in 16 bit port mask + */ +static inline uint32_t port_mask_bits(uint16_t port_mask) +{ + uint32_t bits; + uint16_t bit_mask = 0x8000; + + port_mask = ntohs(port_mask); + + for (bits = 0; bits < 16; bits++) + { + if (!(port_mask & bit_mask)) + { + break; + } + bit_mask >>= 1; + } + return bits; +} + +/** * Calculate the priority of a policy + * + * bits 0-0: restriction to network interface (0..1) 1 bit + * bits 1-6: src + dst port mask bits (2 * 0..16) 6 bits + * bits 7-7: restriction to protocol (0..1) 1 bit + * bits 8-16: src + dst network mask bits (2 * 0..128) 9 bits + * 17 bits + * + * smallest value: 000000000 0 000000 0: 0, lowest priority = 100'000 + * largest value : 100000000 1 100000 1: 65'729, highst priority = 34'271 */ -static inline u_int32_t get_priority(policy_entry_t *policy, - policy_priority_t prio) +static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio, + char *interface) { - u_int32_t priority = PRIO_BASE; + uint32_t priority = PRIO_BASE, sport_mask_bits, dport_mask_bits; + switch (prio) { case POLICY_PRIORITY_FALLBACK: - priority <<= 1; - /* fall-through */ + priority += PRIO_BASE; + /* fall-through to next case */ case POLICY_PRIORITY_ROUTED: - priority <<= 1; - /* fall-through */ + priority += PRIO_BASE; + /* fall-through to next case */ case POLICY_PRIORITY_DEFAULT: - priority <<= 1; - /* fall-through */ + priority += PRIO_BASE; + /* fall-through to next case */ case POLICY_PRIORITY_PASS: break; } - /* calculate priority based on selector size, small size = high prio */ - priority -= policy->sel.prefixlen_s; - priority -= policy->sel.prefixlen_d; - priority <<= 2; /* make some room for the two flags */ - priority += policy->sel.sport_mask || policy->sel.dport_mask ? 0 : 2; - priority += policy->sel.proto ? 
0 : 1; + sport_mask_bits = port_mask_bits(policy->sel.sport_mask); + dport_mask_bits = port_mask_bits(policy->sel.dport_mask); + + /* calculate priority */ + priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 256; + priority -= policy->sel.proto ? 128 : 0; + priority -= (sport_mask_bits + dport_mask_bits) * 2; + priority -= (interface != NULL); + return priority; } /** * Convert the general ipsec mode to the one defined in xfrm.h */ -static u_int8_t mode2kernel(ipsec_mode_t mode) +static uint8_t mode2kernel(ipsec_mode_t mode) { switch (mode) { @@ -663,7 +722,7 @@ static void host2xfrm(host_t *host, xfrm_address_t *xfrm) /** * Convert a struct xfrm_address to a host_t */ -static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port) +static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port) { chunk_t chunk; @@ -685,7 +744,7 @@ static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port) * Convert a traffic selector address range to subnet and its mask. */ static void ts2subnet(traffic_selector_t* ts, - xfrm_address_t *net, u_int8_t *mask) + xfrm_address_t *net, uint8_t *mask) { host_t *net_host; chunk_t net_chunk; @@ -700,7 +759,7 @@ static void ts2subnet(traffic_selector_t* ts, * Convert a traffic selector port range to port/portmask */ static void ts2ports(traffic_selector_t* ts, - u_int16_t *port, u_int16_t *mask) + uint16_t *port, uint16_t *mask) { uint16_t from, to, bitmask; int bit; @@ -739,10 +798,11 @@ static void ts2ports(traffic_selector_t* ts, * Convert a pair of traffic_selectors to an xfrm_selector */ static struct xfrm_selector ts2selector(traffic_selector_t *src, - traffic_selector_t *dst) + traffic_selector_t *dst, + char *interface) { struct xfrm_selector sel; - u_int16_t port; + uint16_t port; memset(&sel, 0, sizeof(sel)); sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6; 
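Review bot: get_priority's switch has no `default:` arm, so a policy_priority_t value outside the four enumerators falls out with `priority == PRIO_BASE`, which is the same — and strongest — precedence as POLICY_PRIORITY_PASS; an unhandled enum value would thus silently get the highest priority rather than the lowest. Placing `default:` alongside `case POLICY_PRIORITY_FALLBACK:` gives unknown values the weakest precedence and makes the intent explicit. Separately, the interface bit is credited from `interface != NULL` alone, while the selector's actual ifindex is resolved elsewhere from the name; if that resolution can fail, the priority and the selector disagree, which is worth a comment here.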
@@ -763,7 +823,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src, sel.dport = htons(traffic_selector_icmp_code(port)); sel.dport_mask = sel.dport ? ~0 : 0; } - sel.ifindex = 0; + sel.ifindex = interface ? if_nametoindex(interface) : 0; sel.user = 0; return sel; @@ -775,8 +835,8 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src, static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) { u_char *addr; - u_int8_t prefixlen; - u_int16_t port = 0; + uint8_t prefixlen; + uint16_t port = 0; host_t *host = NULL; if (src) @@ -833,7 +893,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct rtattr *rta; size_t rtasize; traffic_selector_t *src_ts, *dst_ts; - u_int32_t reqid = 0; + uint32_t reqid = 0; int proto = 0; acquire = NLMSG_DATA(hdr); @@ -878,8 +938,8 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { struct xfrm_user_expire *expire; - u_int32_t spi; - u_int8_t protocol; + uint32_t spi; + uint8_t protocol; host_t *dst; expire = NLMSG_DATA(hdr); @@ -913,7 +973,7 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, host_t *local = NULL, *remote = NULL; host_t *old_src = NULL, *old_dst = NULL; host_t *new_src = NULL, *new_dst = NULL; - u_int32_t reqid = 0; + uint32_t reqid = 0; policy_dir_t dir; policy_id = NLMSG_DATA(hdr); @@ -981,7 +1041,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { struct xfrm_user_mapping *mapping; - u_int32_t spi; + uint32_t spi; mapping = NLMSG_DATA(hdr); spi = mapping->id.spi; @@ -1033,7 +1093,8 @@ static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd, /* no data ready, select again */ return TRUE; default: - DBG1(DBG_KNL, "unable to receive from xfrm event socket"); + DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s " + "(%d)", strerror(errno), errno); sleep(1); return TRUE; } 
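Review bot: `sel.ifindex = interface ? if_nametoindex(interface) : 0;` degrades silently when the name does not resolve: if_nametoindex() returns 0 on failure, which is exactly the "any interface" value, so a policy or SA meant to be confined to one interface is installed unrestricted, while get_priority earlier in this file still counts the interface bit because it only tests `interface != NULL`. ts2selector returns the selector by value and has no error path, so at minimum the failure should be logged: `if (interface && !sel.ifindex) { DBG1(DBG_KNL, "interface %s not found, selector not restricted", interface); }`. Callers may prefer to refuse the install rather than widen the match, but that decision belongs outside this function.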
@@ -1061,8 +1122,8 @@ static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd, process_mapping(this, hdr); break; default: - DBG1(DBG_KNL, "received unknown event from xfrm event " - "socket: %d", hdr->nlmsg_type); + DBG1(DBG_KNL, "received unknown event from XFRM event " + "socket: %d", hdr->nlmsg_type); break; } hdr = NLMSG_NEXT(hdr, len); @@ -1080,13 +1141,13 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t, * Get an SPI for a specific protocol from the kernel. */ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, - host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max, - u_int32_t *spi) + host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max, + uint32_t *spi) { netlink_buf_t request; struct nlmsghdr *hdr, *out; struct xfrm_userspi_info *userspi; - u_int32_t received_spi = 0; + uint32_t received_spi = 0; size_t len; memset(&request, 0, sizeof(request)); @@ -1147,7 +1208,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) + uint8_t protocol, uint32_t *spi) { if (get_spi_internal(this, src, dst, protocol, 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) @@ -1162,9 +1223,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) + uint16_t *cpi) { - u_int32_t received_spi = 0; + uint32_t received_spi = 0; if (get_spi_internal(this, src, dst, IPPROTO_COMP, 0x100, 0xEFFF, &received_spi) != SUCCESS) 
@@ -1173,13 +1234,24 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, return FAILED; } - *cpi = htons((u_int16_t)ntohl(received_spi)); + *cpi = htons((uint16_t)ntohl(received_spi)); DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi)); return SUCCESS; } /** + * Format the mark for debug messages + */ +static void format_mark(char *buf, int buflen, mark_t mark) +{ + if (mark.value) + { + snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask); + } +} + +/** * Add a XFRM mark to message if required */ static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark) 
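Review bot: format_mark() writes nothing when `mark.value` is zero, so its output is only meaningful if the caller pre-initialized the buffer; add_sa does (`markstr[32] = ""` in the next hunk), but the function's comment does not state the requirement and a future caller passing an uninitialized array would log garbage. Either set `buf[0] = '\0';` in an else branch or document it: `/* buf must be initialized by the caller; left untouched when mark.value is 0 */`. The 32-byte buffer is sufficient, since the longest output `" (mark 4294967295/0xffffffff)"` is 29 characters, so truncation is not a concern here.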
@@ -1200,53 +1272,67 @@ static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark) } METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, bool update, - linked_list_t* src_ts, linked_list_t* dst_ts) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data) { netlink_buf_t request; - char *alg_name; + char *alg_name, markstr[32] = ""; struct nlmsghdr *hdr; struct xfrm_usersa_info *sa; - u_int16_t icv_size = 64; - ipsec_mode_t original_mode = mode; + uint16_t icv_size = 64, ipcomp = data->ipcomp; + ipsec_mode_t mode = data->mode, original_mode = data->mode; traffic_selector_t *first_src_ts, *first_dst_ts; status_t status = FAILED; /* if IPComp is used, we install an additional IPComp SA. 
if the cpi is 0 * we are in the recursive call below */ - if (ipcomp != IPCOMP_NONE && cpi != 0) + if (ipcomp != IPCOMP_NONE && data->cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, - tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, - chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE, - inbound, update, src_ts, dst_ts); + kernel_ipsec_sa_id_t ipcomp_id = { + .src = id->src, + .dst = id->dst, + .spi = htonl(ntohs(data->cpi)), + .proto = IPPROTO_COMP, + .mark = id->mark, + }; + kernel_ipsec_add_sa_t ipcomp_sa = { + .reqid = data->reqid, + .mode = data->mode, + .src_ts = data->src_ts, + .dst_ts = data->dst_ts, + .lifetime = &lft, + .enc_alg = ENCR_UNDEFINED, + .int_alg = AUTH_UNDEFINED, + .tfc = data->tfc, + .ipcomp = data->ipcomp, + .initiator = data->initiator, + .inbound = data->inbound, + .update = data->update, + }; + add_sa(this, &ipcomp_id, &ipcomp_sa); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ mode = MODE_TRANSPORT; } memset(&request, 0, sizeof(request)); + format_mark(markstr, sizeof(markstr), id->mark); - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} (mark " - "%u/0x%08x)", ntohl(spi), reqid, mark.value, mark.mask); + DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}%s", + ntohl(id->spi), data->reqid, markstr); hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; + hdr->nlmsg_type = data->update ? 
XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); sa = NLMSG_DATA(hdr); - host2xfrm(src, &sa->saddr); - host2xfrm(dst, &sa->id.daddr); - sa->id.spi = spi; - sa->id.proto = protocol; - sa->family = src->get_family(src); + host2xfrm(id->src, &sa->saddr); + host2xfrm(id->dst, &sa->id.daddr); + sa->id.spi = id->spi; + sa->id.proto = id->proto; + sa->family = id->src->get_family(id->src); sa->mode = mode2kernel(mode); switch (mode) { @@ -1260,10 +1346,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * selector can be installed other traffic would get dropped */ break; } - if (src_ts->get_first(src_ts, (void**)&first_src_ts) == SUCCESS && - dst_ts->get_first(dst_ts, (void**)&first_dst_ts) == SUCCESS) + if (data->src_ts->get_first(data->src_ts, + (void**)&first_src_ts) == SUCCESS && + data->dst_ts->get_first(data->dst_ts, + (void**)&first_dst_ts) == SUCCESS) { - sa->sel = ts2selector(first_src_ts, first_dst_ts); + sa->sel = ts2selector(first_src_ts, first_dst_ts, + data->interface); if (!this->proto_port_transport) { /* don't install proto/port on SA. This would break 
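Review bot: The `ipcomp_sa` initializer for the recursive IPComp install does not carry `data->interface`, so the IPComp SA's selector, built via `ts2selector(first_src_ts, first_dst_ts, data->interface)` in the following hunk, gets no ifindex restriction while the ESP SA installed right after does; if that asymmetry is intended it deserves a comment, otherwise add `.interface = data->interface,` to the initializer. The return value of `add_sa(this, &ipcomp_id, &ipcomp_sa);` is still discarded, as it was before this change, so a failed IPComp SA install proceeds to install the ESP SA and reports SUCCESS. add_sa continues past the end of the hunk.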
@@ -1279,18 +1368,18 @@ METHOD(kernel_ipsec_t, add_sa, status_t, break; } - sa->reqid = reqid; - sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey); - sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life); - sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey); - sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life); + sa->reqid = data->reqid; + sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey); + sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life); + sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey); + sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life); /* we use lifetimes since added, not since used */ - sa->lft.soft_add_expires_seconds = lifetime->time.rekey; - sa->lft.hard_add_expires_seconds = lifetime->time.life; + sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey; + sa->lft.hard_add_expires_seconds = data->lifetime->time.life; sa->lft.soft_use_expires_seconds = 0; sa->lft.hard_use_expires_seconds = 0; - switch (enc_alg) + switch (data->enc_alg) { case ENCR_UNDEFINED: /* no encryption */ 
@@ -1313,71 +1402,73 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { struct xfrm_algo_aead *algo; - alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg); + alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg); if (alg_name == NULL) { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); + encryption_algorithm_names, data->enc_alg); goto failed; } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); + encryption_algorithm_names, data->enc_alg, + data->enc_key.len * 8); algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD, - sizeof(*algo) + enc_key.len); + sizeof(*algo) + data->enc_key.len); if (!algo) { goto failed; } - algo->alg_key_len = enc_key.len * 8; + algo->alg_key_len = data->enc_key.len * 8; algo->alg_icv_len = icv_size; strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; - memcpy(algo->alg_key, enc_key.ptr, enc_key.len); + memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len); break; } default: { struct xfrm_algo *algo; - alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg); + alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg); if (alg_name == NULL) { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); + encryption_algorithm_names, data->enc_alg); goto failed; } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); + encryption_algorithm_names, data->enc_alg, + data->enc_key.len * 8); algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT, - sizeof(*algo) + enc_key.len); + sizeof(*algo) + data->enc_key.len); if (!algo) { goto failed; } - algo->alg_key_len = enc_key.len * 8; + algo->alg_key_len = data->enc_key.len * 8; strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; - 
memcpy(algo->alg_key, enc_key.ptr, enc_key.len); + memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len); } } - if (int_alg != AUTH_UNDEFINED) + if (data->int_alg != AUTH_UNDEFINED) { u_int trunc_len = 0; - alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg); + alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); if (alg_name == NULL) { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg); + integrity_algorithm_names, data->int_alg); goto failed; } DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg, int_key.len * 8); + integrity_algorithm_names, data->int_alg, data->int_key.len * 8); - switch (int_alg) + switch (data->int_alg) { case AUTH_HMAC_MD5_128: case AUTH_HMAC_SHA2_256_128: @@ -1398,31 +1489,31 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * use specified truncation size supported by newer kernels. * also use this for untruncated MD5 and SHA1. */ algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC, - sizeof(*algo) + int_key.len); + sizeof(*algo) + data->int_key.len); if (!algo) { goto failed; } - algo->alg_key_len = int_key.len * 8; + algo->alg_key_len = data->int_key.len * 8; algo->alg_trunc_len = trunc_len; strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; - memcpy(algo->alg_key, int_key.ptr, int_key.len); + memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len); } else { struct xfrm_algo* algo; algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH, - sizeof(*algo) + int_key.len); + sizeof(*algo) + data->int_key.len); if (!algo) { goto failed; } - algo->alg_key_len = int_key.len * 8; + algo->alg_key_len = data->int_key.len * 8; strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; - memcpy(algo->alg_key, int_key.ptr, int_key.len); + memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len); } } 
@@ -1451,7 +1542,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; } - if (encap) + if (data->encap) { struct xfrm_encap_tmpl *tmpl; @@ -1461,8 +1552,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, goto failed; } tmpl->encap_type = UDP_ENCAP_ESPINUDP; - tmpl->encap_sport = htons(src->get_port(src)); - tmpl->encap_dport = htons(dst->get_port(dst)); + tmpl->encap_sport = htons(id->src->get_port(id->src)); + tmpl->encap_dport = htons(id->dst->get_port(id->dst)); memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); /* encap_oa could probably be derived from the * traffic selectors [rfc4306, p39]. In the netlink kernel @@ -1476,14 +1567,14 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * checks it marks them "checksum ok" so OA isn't needed. */ } - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), id->mark)) { goto failed; } - if (tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL) + if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL) { /* the kernel supports TFC padding only for tunnel mode ESP SAs */ - u_int32_t *tfcpad; + uint32_t *tfcpad; tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD, sizeof(*tfcpad)); 
@@ -1491,19 +1582,25 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { goto failed; } - *tfcpad = tfc; + *tfcpad = data->tfc; } - if (protocol != IPPROTO_COMP) + if (id->proto != IPPROTO_COMP) { - if (replay_window != 0 && (esn || replay_window > 32)) + /* generally, we don't need a replay window for outbound SAs, however, + * when using ESN the kernel rejects the attribute if it is 0 */ + if (!data->inbound && data->replay_window) + { + data->replay_window = data->esn ? 1 : 0; + } + if (data->replay_window != 0 && (data->esn || data->replay_window > 32)) { /* for ESN or larger replay windows we need the new * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */ struct xfrm_replay_state_esn *replay; - u_int32_t bmp_size; + uint32_t bmp_size; - bmp_size = round_up(replay_window, sizeof(u_int32_t) * 8) / 8; + bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8; replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL, sizeof(*replay) + bmp_size); if (!replay) @@ -1511,11 +1608,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t, goto failed; } /* bmp_len contains number uf __u32's */ - replay->bmp_len = bmp_size / sizeof(u_int32_t); - replay->replay_window = replay_window; - DBG2(DBG_KNL, " using replay window of %u packets", replay_window); + replay->bmp_len = bmp_size / sizeof(uint32_t); + replay->replay_window = data->replay_window; + DBG2(DBG_KNL, " using replay window of %u packets", + data->replay_window); - if (esn) + if (data->esn) { DBG2(DBG_KNL, " using extended sequence numbers (ESN)"); sa->flags |= XFRM_STATE_ESN; 
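Review bot: The new outbound replay-window adjustment at the top of the `if (id->proto != IPPROTO_COMP)` branch writes back into the caller's struct, `data->replay_window = data->esn ? 1 : 0;`, so a caller that reuses or logs its `kernel_ipsec_add_sa_t` after the call (or passes the same struct to a second backend) sees a value it never set. Keeping the effective window in a local leaves the input untouched and makes the "outbound uses 0 or 1" rule visible in one place; the rest of this branch then reads the local instead of `data->replay_window`. add_sa starts and ends outside this hunk, so the remaining references (the `else` branch's `sa->replay_window` assignment) are in the following hunk.

```c
	if (id->proto != IPPROTO_COMP)
	{
		uint32_t replay_window = data->replay_window;

		/* generally, we don't need a replay window for outbound SAs, however,
		 * when using ESN the kernel rejects the attribute if it is 0 */
		if (!data->inbound && replay_window)
		{
			replay_window = data->esn ? 1 : 0;
		}
		if (replay_window != 0 && (data->esn || replay_window > 32))
		{
			/* … unchanged: XFRMA_REPLAY_ESN_VAL setup, reading replay_window instead of data->replay_window … */
```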
@@ -1523,22 +1621,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } else { - DBG2(DBG_KNL, " using replay window of %u packets", replay_window); - sa->replay_window = replay_window; + DBG2(DBG_KNL, " using replay window of %u packets", + data->replay_window); + sa->replay_window = data->replay_window; } } if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - if (mark.value) - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x " - "(mark %u/0x%08x)", ntohl(spi), mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); - } + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s", ntohl(id->spi), + markstr); goto failed; } @@ -1555,10 +1647,9 @@ failed: * Allocates into one the replay state structure we get from the kernel. */ static void get_replay_state(private_kernel_netlink_ipsec_t *this, - u_int32_t spi, u_int8_t protocol, - host_t *dst, mark_t mark, + kernel_ipsec_sa_id_t *sa, struct xfrm_replay_state_esn **replay_esn, - u_int32_t *replay_esn_len, + uint32_t *replay_esn_len, struct xfrm_replay_state **replay, struct xfrm_lifetime_cur **lifetime) { @@ -1572,7 +1663,7 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this, memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", - ntohl(spi)); + ntohl(sa->spi)); hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST; 
@@ -1582,12 +1673,12 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this, aevent_id = NLMSG_DATA(hdr); aevent_id->flags = XFRM_AE_RVAL; - host2xfrm(dst, &aevent_id->sa_id.daddr); - aevent_id->sa_id.spi = spi; - aevent_id->sa_id.proto = protocol; - aevent_id->sa_id.family = dst->get_family(dst); + host2xfrm(sa->dst, &aevent_id->sa_id.daddr); + aevent_id->sa_id.spi = sa->spi; + aevent_id->sa_id.proto = sa->proto; + aevent_id->sa_id.family = sa->dst->get_family(sa->dst); - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), sa->mark)) { return; } @@ -1608,8 +1699,7 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this, { struct nlmsgerr *err = NLMSG_DATA(hdr); DBG1(DBG_KNL, "querying replay state from SAD entry " - "failed: %s (%d)", strerror(-err->error), - -err->error); + "failed: %s (%d)", strerror(-err->error), -err->error); break; } default: @@ -1657,9 +1747,9 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this, } METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes, u_int64_t *packets, time_t *time) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, + time_t *time) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; @@ -1667,11 +1757,13 @@ METHOD(kernel_ipsec_t, query_sa, status_t, struct xfrm_usersa_info *sa = NULL; status_t status = FAILED; size_t len; + char markstr[32] = ""; memset(&request, 0, sizeof(request)); + format_mark(markstr, sizeof(markstr), id->mark); - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%08x)", - ntohl(spi), mark.value, mark.mask); + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s", ntohl(id->spi), + markstr); hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST; 
@@ -1679,12 +1771,12 @@ METHOD(kernel_ipsec_t, query_sa, status_t, hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); sa_id = NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = protocol; - sa_id->family = dst->get_family(dst); + host2xfrm(id->dst, &sa_id->daddr); + sa_id->spi = id->spi; + sa_id->proto = id->proto; + sa_id->family = id->dst->get_family(id->dst); - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), id->mark)) { return FAILED; } @@ -1705,19 +1797,9 @@ METHOD(kernel_ipsec_t, query_sa, status_t, { struct nlmsgerr *err = NLMSG_DATA(hdr); - if (mark.value) - { - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " - "(mark %u/0x%08x) failed: %s (%d)", - ntohl(spi), mark.value, mark.mask, - strerror(-err->error), -err->error); - } - else - { - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " - "failed: %s (%d)", ntohl(spi), - strerror(-err->error), -err->error); - } + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: " + "%s (%d)", ntohl(id->spi), markstr, + strerror(-err->error), -err->error); break; } default: @@ -1732,7 +1814,8 @@ METHOD(kernel_ipsec_t, query_sa, status_t, if (sa == NULL) { - DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x%s", + ntohl(id->spi), markstr); } else { 
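Review bot: The merged error message in query_sa's `NLMSG_ERROR` case still formats with `strerror(-err->error)`, which is not guaranteed to be thread-safe, and charon issues these netlink queries from several worker threads concurrently. libstrongswan ships `strerror_safe()` for exactly this situation, so the rewritten line would better read `strerror_safe(-err->error), -err->error);` (the same applies to the reflowed message in get_replay_state earlier in this file). This is pre-existing rather than introduced by the refactor, but the line is being rewritten anyway. query_sa starts and ends outside this hunk.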
@@ -1758,23 +1841,33 @@ METHOD(kernel_ipsec_t, query_sa, status_t, } METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data) { netlink_buf_t request; struct nlmsghdr *hdr; struct xfrm_usersa_id *sa_id; + char markstr[32] = ""; /* if IPComp was used, we first delete the additional IPComp SA */ - if (cpi) - { - del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark); + if (data->cpi) + { + kernel_ipsec_sa_id_t ipcomp_id = { + .src = id->src, + .dst = id->dst, + .spi = htonl(ntohs(data->cpi)), + .proto = IPPROTO_COMP, + .mark = id->mark, + }; + kernel_ipsec_del_sa_t ipcomp = {}; + del_sa(this, &ipcomp_id, &ipcomp); } memset(&request, 0, sizeof(request)); + format_mark(markstr, sizeof(markstr), id->mark); - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%08x)", - ntohl(spi), mark.value, mark.mask); + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x%s", ntohl(id->spi), + markstr); hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -1782,12 +1875,12 @@ METHOD(kernel_ipsec_t, del_sa, status_t, hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); sa_id = NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = protocol; - sa_id->family = dst->get_family(dst); + host2xfrm(id->dst, &sa_id->daddr); + sa_id->spi = id->spi; + sa_id->proto = id->proto; + sa_id->family = id->dst->get_family(id->dst); - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), id->mark)) { return FAILED; } 
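Review bot: The IPComp cleanup in del_sa initialises the nested request with an empty brace list, `kernel_ipsec_del_sa_t ipcomp = {};`, which is a GNU extension under C11 (empty initializers only became standard in C23), while update_sa in this same patch writes `kernel_ipsec_del_sa_t del = { 0 };` for the identical purpose. Using `kernel_ipsec_del_sa_t ipcomp = { 0 };` keeps the file portable and consistent with its sibling. The status of the nested `del_sa()` call for the IPComp SA is also discarded; that matches the previous behaviour, but it means a failed IPComp deletion is only visible through the inner call's own log line while the caller still reports success. del_sa continues past the end of this hunk.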
@@ -1795,30 +1888,21 @@ METHOD(kernel_ipsec_t, del_sa, status_t, switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr)) { case SUCCESS: - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%08x)", - ntohl(spi), mark.value, mark.mask); + DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x%s", + ntohl(id->spi), markstr); return SUCCESS; case NOT_FOUND: return NOT_FOUND; default: - if (mark.value) - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x " - "(mark %u/0x%08x)", ntohl(spi), mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", - ntohl(spi)); - } + DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x%s", + ntohl(id->spi), markstr); return FAILED; } } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool old_encap, bool new_encap, mark_t mark) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data) { netlink_buf_t request; struct nlmsghdr *hdr, *out = NULL; 
@@ -1831,19 +1915,33 @@ METHOD(kernel_ipsec_t, update_sa, status_t, struct xfrm_replay_state *replay = NULL; struct xfrm_replay_state_esn *replay_esn = NULL; struct xfrm_lifetime_cur *lifetime = NULL; - u_int32_t replay_esn_len = 0; + uint32_t replay_esn_len = 0; + kernel_ipsec_del_sa_t del = { 0 }; status_t status = FAILED; + char markstr[32] = ""; /* if IPComp is used, we first update the IPComp SA */ - if (cpi) - { - update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, - src, dst, new_src, new_dst, FALSE, FALSE, mark); + if (data->cpi) + { + kernel_ipsec_sa_id_t ipcomp_id = { + .src = id->src, + .dst = id->dst, + .spi = htonl(ntohs(data->cpi)), + .proto = IPPROTO_COMP, + .mark = id->mark, + }; + kernel_ipsec_update_sa_t ipcomp = { + .new_src = data->new_src, + .new_dst = data->new_dst, + }; + update_sa(this, &ipcomp_id, &ipcomp); } memset(&request, 0, sizeof(request)); + format_mark(markstr, sizeof(markstr), id->mark); - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi)); + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s for update", + ntohl(id->spi), markstr); /* query the existing SA first */ hdr = &request.hdr; @@ -1852,12 +1950,12 @@ METHOD(kernel_ipsec_t, update_sa, status_t, hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); sa_id = NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = protocol; - sa_id->family = dst->get_family(dst); + host2xfrm(id->dst, &sa_id->daddr); + sa_id->spi = id->spi; + sa_id->proto = id->proto; + sa_id->family = id->dst->get_family(id->dst); - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), id->mark)) { return FAILED; } 
@@ -1892,23 +1990,25 @@ METHOD(kernel_ipsec_t, update_sa, status_t, } if (out_sa == NULL) { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s", + ntohl(id->spi), markstr); goto failed; } - get_replay_state(this, spi, protocol, dst, mark, &replay_esn, - &replay_esn_len, &replay, &lifetime); + get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay, + &lifetime); /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS) + if (del_sa(this, id, &del) != SUCCESS) { - DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", - ntohl(spi)); + DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x%s", + ntohl(id->spi), markstr); goto failed; } - DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", - ntohl(spi), src, dst, new_src, new_dst); + DBG2(DBG_KNL, "updating SAD entry with SPI %.8x%s from %#H..%#H to " + "%#H..%#H", ntohl(id->spi), markstr, id->src, id->dst, data->new_src, + data->new_dst); /* copy over the SA from out to request */ hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -1916,15 +2016,15 @@ METHOD(kernel_ipsec_t, update_sa, status_t, hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); sa = NLMSG_DATA(hdr); memcpy(sa, NLMSG_DATA(out), sizeof(struct xfrm_usersa_info)); - sa->family = new_dst->get_family(new_dst); + sa->family = data->new_dst->get_family(data->new_dst); - if (!src->ip_equals(src, new_src)) + if (!id->src->ip_equals(id->src, data->new_src)) { - host2xfrm(new_src, &sa->saddr); + host2xfrm(data->new_src, &sa->saddr); } - if (!dst->ip_equals(dst, new_dst)) + if (!id->dst->ip_equals(id->dst, data->new_dst)) { - host2xfrm(new_dst, &sa->id.daddr); + host2xfrm(data->new_dst, &sa->id.daddr); } rta = XFRM_RTA(out, struct xfrm_usersa_info); 
@@ -1932,13 +2032,13 @@ METHOD(kernel_ipsec_t, update_sa, status_t, while (RTA_OK(rta, rtasize)) { /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */ - if (rta->rta_type != XFRMA_ENCAP || new_encap) + if (rta->rta_type != XFRMA_ENCAP || data->new_encap) { if (rta->rta_type == XFRMA_ENCAP) { /* update encap tmpl */ tmpl = RTA_DATA(rta); - tmpl->encap_sport = ntohs(new_src->get_port(new_src)); - tmpl->encap_dport = ntohs(new_dst->get_port(new_dst)); + tmpl->encap_sport = ntohs(data->new_src->get_port(data->new_src)); + tmpl->encap_dport = ntohs(data->new_dst->get_port(data->new_dst)); } netlink_add_attribute(hdr, rta->rta_type, chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), @@ -1947,7 +2047,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, rta = RTA_NEXT(rta, rtasize); } - if (tmpl == NULL && new_encap) + if (tmpl == NULL && data->new_encap) { /* add tmpl if we are enabling it */ tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl)); if (!tmpl) @@ -1955,8 +2055,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t, goto failed; } tmpl->encap_type = UDP_ENCAP_ESPINUDP; - tmpl->encap_sport = ntohs(new_src->get_port(new_src)); - tmpl->encap_dport = ntohs(new_dst->get_port(new_dst)); + tmpl->encap_sport = ntohs(data->new_src->get_port(data->new_src)); + tmpl->encap_dport = ntohs(data->new_dst->get_port(data->new_dst)); memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); } @@ -1987,7 +2087,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, else { DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with " - "SPI %.8x", ntohl(spi)); + "SPI %.8x%s", ntohl(id->spi), markstr); } if (lifetime) { 
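Review bot: The UDP encapsulation ports copied into the XFRMA_ENCAP template in update_sa are converted with `ntohs()`, `tmpl->encap_sport = ntohs(data->new_src->get_port(data->new_src));`, whereas add_sa in this same patch fills the same big-endian `encap_sport`/`encap_dport` fields with `htons()`. Both functions perform the identical byte swap on every platform, so this is not a functional bug, but the host-to-network conversion is the one that matches the field's type and the rest of the file: `tmpl->encap_sport = htons(data->new_src->get_port(data->new_src)); tmpl->encap_dport = htons(data->new_dst->get_port(data->new_dst));` (the same pair appears again in the `tmpl == NULL && data->new_encap` branch below). update_sa starts and ends outside this hunk.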
@@ -2004,12 +2104,13 @@ METHOD(kernel_ipsec_t, update_sa, status_t, else { DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with " - "SPI %.8x", ntohl(spi)); + "SPI %.8x%s", ntohl(id->spi), markstr); } if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s", + ntohl(id->spi), markstr); goto failed; } @@ -2032,7 +2133,7 @@ METHOD(kernel_ipsec_t, flush_sas, status_t, struct nlmsghdr *hdr; struct xfrm_usersa_flush *flush; struct { - u_int8_t proto; + uint8_t proto; char *name; } protos[] = { { IPPROTO_AH, "AH" }, 
@@ -2066,6 +2167,118 @@ METHOD(kernel_ipsec_t, flush_sas, status_t, } /** + * Unlock the mutex and signal waiting threads + */ +static void policy_change_done(private_kernel_netlink_ipsec_t *this, + policy_entry_t *policy) +{ + policy->working = FALSE; + if (policy->waiting) + { /* don't need to wake threads waiting for other policies */ + this->condvar->broadcast(this->condvar); + } + this->mutex->unlock(this->mutex); +} + +/** + * Install a route for the given policy if enabled and required + */ +static void install_route(private_kernel_netlink_ipsec_t *this, + policy_entry_t *policy, policy_sa_t *mapping, ipsec_sa_t *ipsec) +{ + policy_sa_out_t *out = (policy_sa_out_t*)mapping; + route_entry_t *route; + host_t *iface; + + INIT(route, + .prefixlen = policy->sel.prefixlen_d, + ); + + if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts, + &route->src_ip, NULL) == SUCCESS) + { + if (!ipsec->dst->is_anyaddr(ipsec->dst)) + { + route->gateway = charon->kernel->get_nexthop(charon->kernel, + ipsec->dst, -1, ipsec->src, + &route->if_name); + } + else + { /* for shunt policies */ + iface = xfrm2host(policy->sel.family, &policy->sel.daddr, 0); + route->gateway = charon->kernel->get_nexthop(charon->kernel, + iface, policy->sel.prefixlen_d, + route->src_ip, &route->if_name); + iface->destroy(iface); + } + route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); + memcpy(route->dst_net.ptr, &policy->sel.daddr, route->dst_net.len); + + /* get the interface to install the route for, if we haven't one yet. + * If we have a local address, use it. Otherwise (for shunt policies) + * use the route's source address. 
*/ + if (!route->if_name) + { + iface = ipsec->src; + if (iface->is_anyaddr(iface)) + { + iface = route->src_ip; + } + if (!charon->kernel->get_interface(charon->kernel, iface, + &route->if_name)) + { + route_entry_destroy(route); + return; + } + } + if (policy->route) + { + route_entry_t *old = policy->route; + if (route_entry_equals(old, route)) + { + route_entry_destroy(route); + return; + } + /* uninstall previously installed route */ + if (charon->kernel->del_route(charon->kernel, old->dst_net, + old->prefixlen, old->gateway, + old->src_ip, old->if_name) != SUCCESS) + { + DBG1(DBG_KNL, "error uninstalling route installed with policy " + "%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names, + policy->direction); + } + route_entry_destroy(old); + policy->route = NULL; + } + + DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", out->dst_ts, + route->gateway, route->src_ip, route->if_name); + switch (charon->kernel->add_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name)) + { + default: + DBG1(DBG_KNL, "unable to install source route for %H", + route->src_ip); + /* FALL */ + case ALREADY_DONE: + /* route exists, do not uninstall */ + route_entry_destroy(route); + break; + case SUCCESS: + /* cache the installed route */ + policy->route = route; + break; + } + } + else + { + free(route); + } +} + +/** * Add or update a policy in the kernel. * * Note: The mutex has to be locked when entering this function @@ -2111,11 +2324,11 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, policy_info->lft.soft_use_expires_seconds = 0; policy_info->lft.hard_use_expires_seconds = 0; - if (mapping->type == POLICY_IPSEC) + if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid) { struct xfrm_user_tmpl *tmpl; struct { - u_int8_t proto; + uint8_t proto; bool use; } protos[] = { { IPPROTO_COMP, ipsec->cfg.ipcomp.transform != IPCOMP_NONE }, 
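Review bot: `policy_change_done()` releases `this->mutex` and clears `policy->working`, but its header comment does not state the contract every caller in add_policy_internal relies on; I would extend it to `/* Unlock the mutex and signal waiting threads. Must be called with this->mutex held and policy->working set by the caller; clears the flag and releases the mutex. */`. In install_route, the `get_interface()` failure path does `route_entry_destroy(route); return;` without any log line, while the neighbouring del_route and add_route failures emit DBG1, so a silently missing source route is hard to diagnose; a `DBG1(DBG_KNL, "unable to install route for %R: no interface for %H", out->dst_ts, iface);` before the return would help. As far as this hunk shows, install_route is only reached with the mutex held and performs blocking kernel round trips (get_nexthop, del_route, add_route), which is worth a sentence in its comment.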
@@ -2136,7 +2349,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, count * sizeof(*tmpl)); if (!tmpl) { - this->mutex->unlock(this->mutex); + policy_change_done(this, policy); return FAILED; } @@ -2169,7 +2382,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, if (!add_mark(hdr, sizeof(request), ipsec->mark)) { - this->mutex->unlock(this->mutex); + policy_change_done(this, policy); return FAILED; } this->mutex->unlock(this->mutex); 
@@ -2181,169 +2394,84 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, hdr->nlmsg_type = XFRM_MSG_UPDPOLICY; status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); } + + this->mutex->lock(this->mutex); if (status != SUCCESS) { + policy_change_done(this, policy); return FAILED; } - - /* find the policy again */ - this->mutex->lock(this->mutex); - policy = this->policies->get(this->policies, &clone); - if (!policy || - policy->used_by->find_first(policy->used_by, - NULL, (void**)&mapping) != SUCCESS) - { /* policy or mapping is already gone, ignore */ - this->mutex->unlock(this->mutex); - return SUCCESS; - } - /* install a route, if: - * - this is a forward policy (to just get one for each child) - * - we are in tunnel/BEET mode or install a bypass policy + * - this is an outbound policy (to just get one for each child) * - routing is not disabled via strongswan.conf + * - the selector is not for a specific protocol/port + * - we are in tunnel/BEET mode or install a bypass policy */ - if (policy->direction == POLICY_FWD && this->install_routes && - (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT)) + if (policy->direction == POLICY_OUT && this->install_routes && + !policy->sel.proto && !policy->sel.dport && !policy->sel.sport) { - policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping; - route_entry_t *route; - host_t *iface; - - INIT(route, - .prefixlen = policy->sel.prefixlen_s, - ); - - if (charon->kernel->get_address_by_ts(charon->kernel, fwd->dst_ts, - &route->src_ip, NULL) == SUCCESS) - { - /* get the nexthop to src (src as we are in POLICY_FWD) */ - if (!ipsec->src->is_anyaddr(ipsec->src)) - { - route->gateway = charon->kernel->get_nexthop(charon->kernel, - ipsec->src, -1, ipsec->dst); - } - else - { /* for shunt policies */ - iface = xfrm2host(policy->sel.family, &policy->sel.saddr, 0); - route->gateway = charon->kernel->get_nexthop(charon->kernel, - iface, policy->sel.prefixlen_s, - route->src_ip); - 
iface->destroy(iface); - } - route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); - memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len); - - /* get the interface to install the route for. If we have a local - * address, use it. Otherwise (for shunt policies) use the - * routes source address. */ - iface = ipsec->dst; - if (iface->is_anyaddr(iface)) - { - iface = route->src_ip; - } - /* install route via outgoing interface */ - if (!charon->kernel->get_interface(charon->kernel, iface, - &route->if_name)) - { - this->mutex->unlock(this->mutex); - route_entry_destroy(route); - return SUCCESS; - } - - if (policy->route) - { - route_entry_t *old = policy->route; - if (route_entry_equals(old, route)) - { - this->mutex->unlock(this->mutex); - route_entry_destroy(route); - return SUCCESS; - } - /* uninstall previously installed route */ - if (charon->kernel->del_route(charon->kernel, old->dst_net, - old->prefixlen, old->gateway, - old->src_ip, old->if_name) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", fwd->src_ts, - fwd->dst_ts, policy_dir_names, - policy->direction); - } - route_entry_destroy(old); - policy->route = NULL; - } - - DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", - fwd->src_ts, route->gateway, route->src_ip, route->if_name); - switch (charon->kernel->add_route(charon->kernel, route->dst_net, - route->prefixlen, route->gateway, - route->src_ip, route->if_name)) - { - default: - DBG1(DBG_KNL, "unable to install source route for %H", - route->src_ip); - /* FALL */ - case ALREADY_DONE: - /* route exists, do not uninstall */ - route_entry_destroy(route); - break; - case SUCCESS: - /* cache the installed route */ - policy->route = route; - break; - } - } - else + if (mapping->type == POLICY_PASS || + (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT)) { - free(route); + install_route(this, policy, mapping, ipsec); } } - 
this->mutex->unlock(this->mutex); + policy_change_done(this, policy); return SUCCESS; } METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { policy_entry_t *policy, *current; policy_sa_t *assigned_sa, *current_sa; enumerator_t *enumerator; bool found = FALSE, update = TRUE; + char markstr[32] = ""; + uint32_t cur_priority = 0; + int use_count; /* create a policy */ INIT(policy, - .sel = ts2selector(src_ts, dst_ts), - .mark = mark.value & mark.mask, - .direction = direction, - .reqid = sa->reqid, + .sel = ts2selector(id->src_ts, id->dst_ts, id->interface), + .mark = id->mark.value & id->mark.mask, + .direction = id->dir, + .reqid = data->sa->reqid, ); + format_mark(markstr, sizeof(markstr), id->mark); /* find the policy, which matches EXACTLY */ this->mutex->lock(this->mutex); current = this->policies->get(this->policies, policy); if (current) { - if (current->reqid && sa->reqid && current->reqid != sa->reqid) + if (current->reqid && data->sa->reqid && + current->reqid != data->sa->reqid) { - DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark " - "%u/0x%08x) for reqid %u, the same policy for reqid %u exists", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask, sa->reqid, current->reqid); + DBG1(DBG_CFG, "unable to install policy %R === %R %N%s for reqid " + "%u, the same policy for reqid %u exists", + id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr, + data->sa->reqid, current->reqid); policy_entry_destroy(this, policy); this->mutex->unlock(this->mutex); return INVALID_STATE; } /* use existing policy */ - DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%08x) " - "already exists, increasing refcount", - 
src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); + DBG2(DBG_KNL, "policy %R === %R %N%s already exists, increasing " + "refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir, + markstr); policy_entry_destroy(this, policy); policy = current; found = TRUE; + + policy->waiting++; + while (policy->working) + { + this->condvar->wait(this->condvar, this->mutex); + } + policy->waiting--; + policy->working = TRUE; } else { /* use the new one, if we have no such policy */ 
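Review bot: add_policy_internal now re-acquires the mutex after the netlink round trip and keeps using `policy` and `mapping` directly, where the removed code re-looked the entry up (`this->policies->get(this->policies, &clone)`) because another thread may have deleted it while the lock was released; the new code therefore depends on every path that removes or frees a `policy_entry_t` (del_policy, flush_policies) first waiting for `policy->working` to clear, and on nobody unlinking `mapping` from `used_by` in the meantime. Those paths are outside this hunk, so I cannot confirm it here; a comment at the re-lock, `/* policy is kept alive by policy->working; removers must wait for it to clear before destroying the entry or its mappings */`, would make the invariant explicit and auditable. Likewise the `waiting++ / while (working) wait / waiting-- / working = TRUE` sequence in add_policy's existing-policy branch is only sound if the `else` branch for a new policy also sets `working = TRUE` before add_policy_internal drops the lock; that branch ends past this hunk. add_policy_internal starts outside this hunk and add_policy continues beyond it.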
@@ -2352,28 +2480,52 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } /* cache the assigned IPsec SA */ - assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts, - dst_ts, mark, sa); - assigned_sa->priority = get_priority(policy, priority); + assigned_sa = policy_sa_create(this, id->dir, data->type, data->src, + data->dst, id->src_ts, id->dst_ts, id->mark, data->sa); + assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface); + assigned_sa->priority = this->get_priority ? this->get_priority(id, data) + : data->manual_prio; + assigned_sa->priority = assigned_sa->priority ?: assigned_sa->auto_priority; /* insert the SA according to its priority */ enumerator = policy->used_by->create_enumerator(policy->used_by); while (enumerator->enumerate(enumerator, (void**)¤t_sa)) { - if (current_sa->priority >= assigned_sa->priority) + if (current_sa->priority > assigned_sa->priority) { break; } - update = FALSE; + if (current_sa->priority == assigned_sa->priority) + { + /* in case of equal manual prios order SAs by automatic priority */ + if (current_sa->auto_priority > assigned_sa->auto_priority) + { + break; + } + /* prefer SAs with a reqid over those without */ + if (current_sa->auto_priority == assigned_sa->auto_priority && + (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)) + { + break; + } + } + if (update) + { + cur_priority = current_sa->priority; + update = FALSE; + } } - policy->used_by->insert_before(policy->used_by, enumerator, - assigned_sa); + policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa); enumerator->destroy(enumerator); + use_count = policy->used_by->get_count(policy->used_by); if (!update) { /* we don't update the policy if the priority is lower than that of * the currently installed one */ - this->mutex->unlock(this->mutex); + policy_change_done(this, policy); + DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u," + "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, + 
id->dir, markstr, cur_priority, use_count); return SUCCESS; } @@ -2382,36 +2534,36 @@ METHOD(kernel_ipsec_t, add_policy, status_t, found = TRUE; } - DBG2(DBG_KNL, "%s policy %R === %R %N (mark %u/0x%08x)", - found ? "updating" : "adding", src_ts, dst_ts, - policy_dir_names, direction, mark.value, mark.mask); + DBG2(DBG_KNL, "%s policy %R === %R %N%s [priority %u, refcount %d]", + found ? "updating" : "adding", id->src_ts, id->dst_ts, + policy_dir_names, id->dir, markstr, assigned_sa->priority, use_count); if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS) { - DBG1(DBG_KNL, "unable to %s policy %R === %R %N", - found ? "update" : "add", src_ts, dst_ts, - policy_dir_names, direction); + DBG1(DBG_KNL, "unable to %s policy %R === %R %N%s", + found ? "update" : "add", id->src_ts, id->dst_ts, + policy_dir_names, id->dir, markstr); return FAILED; } return SUCCESS; } METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - time_t *use_time) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_query_policy_t *data, time_t *use_time) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; struct xfrm_userpolicy_id *policy_id; struct xfrm_userpolicy_info *policy = NULL; size_t len; + char markstr[32] = ""; memset(&request, 0, sizeof(request)); + format_mark(markstr, sizeof(markstr), id->mark); - DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%08x)", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); + DBG2(DBG_KNL, "querying policy %R === %R %N%s", id->src_ts, id->dst_ts, + policy_dir_names, id->dir, markstr); hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST; 
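Review bot: The new "not updating policy" DBG2 message in add_policy is missing the space between the priority and refcount fields: the string is split as `"[priority %u," "refcount %d]"`, so the concatenated format reads `priority %u,refcount %d`, unlike the `[priority %u, refcount %d]` form used by the other new messages in this function and in del_policy. Change the fragment to `"[priority %u, " "refcount %d]"`. add_policy continues into the next hunk.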
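Review bot: The FAILED return after `add_policy_internal(this, policy, assigned_sa, found)` relies on that helper having released the mutex and cleared `policy->working` (via policy_change_done) on its failure path; add_policy_internal is outside this diff, so I cannot confirm it does. Since add_policy's waiters (`while (policy->working) this->condvar->wait(...)`) could block indefinitely if it does not, a comment at the call site stating the contract would help the next reader, e.g. `/* add_policy_internal() releases the mutex and marks the policy change done on all paths */`, adjusted to whatever that function actually guarantees. The same return exists in del_policy in the hunk at -2491.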
@@ -2419,10 +2571,10 @@ METHOD(kernel_ipsec_t, query_policy, status_t, hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); policy_id = NLMSG_DATA(hdr); - policy_id->sel = ts2selector(src_ts, dst_ts); - policy_id->dir = direction; + policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface); + policy_id->dir = id->dir; - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), id->mark)) { return FAILED; } @@ -2443,7 +2595,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t, { struct nlmsgerr *err = NLMSG_DATA(hdr); DBG1(DBG_KNL, "querying policy failed: %s (%d)", - strerror(-err->error), -err->error); + strerror(-err->error), -err->error); break; } default: @@ -2458,8 +2610,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, if (policy == NULL) { - DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG2(DBG_KNL, "unable to query policy %R === %R %N%s", id->src_ts, + id->dst_ts, policy_dir_names, id->dir, markstr); free(out); return FAILED; } @@ -2479,10 +2631,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t prio) + private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { policy_entry_t *current, policy; enumerator_t *enumerator; 
@@ -2491,78 +2641,94 @@ METHOD(kernel_ipsec_t, del_policy, status_t, struct nlmsghdr *hdr; struct xfrm_userpolicy_id *policy_id; bool is_installed = TRUE; - u_int32_t priority; + uint32_t priority, auto_priority, cur_priority; ipsec_sa_t assigned_sa = { - .src = src, - .dst = dst, - .mark = mark, - .cfg = *sa, + .src = data->src, + .dst = data->dst, + .mark = id->mark, + .cfg = *data->sa, }; + char markstr[32] = ""; + int use_count; + status_t status = SUCCESS; - DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%08x)", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); + format_mark(markstr, sizeof(markstr), id->mark); + + DBG2(DBG_KNL, "deleting policy %R === %R %N%s", id->src_ts, id->dst_ts, + policy_dir_names, id->dir, markstr); /* create a policy */ memset(&policy, 0, sizeof(policy_entry_t)); - policy.sel = ts2selector(src_ts, dst_ts); - policy.mark = mark.value & mark.mask; - policy.direction = direction; + policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface); + policy.mark = id->mark.value & id->mark.mask; + policy.direction = id->dir; /* find the policy */ this->mutex->lock(this->mutex); current = this->policies->get(this->policies, &policy); if (!current) { - if (mark.value) - { - DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%08x) " - "failed, not found", src_ts, dst_ts, policy_dir_names, - direction, mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", - src_ts, dst_ts, policy_dir_names, direction); - } + DBG1(DBG_KNL, "deleting policy %R === %R %N%s failed, not found", + id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr); this->mutex->unlock(this->mutex); return NOT_FOUND; } + current->waiting++; + while (current->working) + { + this->condvar->wait(this->condvar, this->mutex); + } + current->working = TRUE; + current->waiting--; /* remove mapping to SA by reqid and priority */ - priority = get_priority(current, prio); + auto_priority = 
get_priority(current, data->prio,id->interface); + priority = this->get_priority ? this->get_priority(id, data) + : data->manual_prio; + priority = priority ?: auto_priority; + enumerator = current->used_by->create_enumerator(current->used_by); while (enumerator->enumerate(enumerator, (void**)&mapping)) { - if (priority == mapping->priority && type == mapping->type && + if (priority == mapping->priority && + auto_priority == mapping->auto_priority && + data->type == mapping->type && ipsec_sa_equals(mapping->sa, &assigned_sa)) { current->used_by->remove_at(current->used_by, enumerator); - policy_sa_destroy(mapping, &direction, this); + policy_sa_destroy(mapping, &id->dir, this); break; } - is_installed = FALSE; + if (is_installed) + { + cur_priority = mapping->priority; + is_installed = FALSE; + } } enumerator->destroy(enumerator); - if (current->used_by->get_count(current->used_by) > 0) + use_count = current->used_by->get_count(current->used_by); + if (use_count > 0) { /* policy is used by more SAs, keep in kernel */ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); if (!is_installed) { /* no need to update as the policy was not installed for this SA */ - this->mutex->unlock(this->mutex); + policy_change_done(this, current); + DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, " + "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, + id->dir, markstr, cur_priority, use_count); return SUCCESS; } + current->used_by->get_first(current->used_by, (void**)&mapping); - DBG2(DBG_KNL, "updating policy %R === %R %N (mark %u/0x%08x)", - src_ts, dst_ts, policy_dir_names, direction, - mark.value, mark.mask); + DBG2(DBG_KNL, "updating policy %R === %R %N%s [priority %u, " + "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, id->dir, + markstr, mapping->priority, use_count); - current->used_by->get_first(current->used_by, (void**)&mapping); if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS) { - DBG1(DBG_KNL, "unable to 
update policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); + DBG1(DBG_KNL, "unable to update policy %R === %R %N%s", + id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr); return FAILED; } return SUCCESS; @@ -2577,11 +2743,11 @@ METHOD(kernel_ipsec_t, del_policy, status_t, policy_id = NLMSG_DATA(hdr); policy_id->sel = current->sel; - policy_id->dir = direction; + policy_id->dir = id->dir; - if (!add_mark(hdr, sizeof(request), mark)) + if (!add_mark(hdr, sizeof(request), id->mark)) { - this->mutex->unlock(this->mutex); + policy_change_done(this, current); return FAILED; } 
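Review bot: The effective-priority computation in del_policy, `auto_priority = get_priority(current, data->prio, id->interface); priority = this->get_priority ? this->get_priority(id, data) : data->manual_prio; priority = priority ?: auto_priority;`, is a copy of the one in add_policy (hunk at -2352), and the two must stay identical because del_policy matches the mapping on `priority == mapping->priority && auto_priority == mapping->auto_priority`; if they ever drift the mapping is never found and the policy stays installed in the kernel. Move the computation into one static helper used by both functions, as sketched below. Also `cur_priority` is declared uninitialized here while add_policy initialises it to 0; it is only read once `is_installed` has been cleared, which does assign it, but `uint32_t priority, auto_priority, cur_priority = 0;` keeps the two functions consistent and avoids a maybe-uninitialized warning. del_policy continues into the next hunk.
```c
/* … unchanged: get_priority() … */

/**
 * Determine the priorities for a policy installed for the given SA: the
 * automatically calculated one and the effective one (custom hook or
 * manually configured value, falling back to the automatic one).
 */
static void get_policy_priorities(private_kernel_netlink_ipsec_t *this,
	policy_entry_t *policy, kernel_ipsec_policy_id_t *id,
	kernel_ipsec_manage_policy_t *data, uint32_t *priority,
	uint32_t *auto_priority)
{
	*auto_priority = get_priority(policy, data->prio, id->interface);
	*priority = this->get_priority ? this->get_priority(id, data)
								   : data->manual_prio;
	*priority = *priority ?: *auto_priority;
}

/* … unchanged: del_policy up to the mapping lookup … */
	get_policy_priorities(this, current, id, data, &priority, &auto_priority);
```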
@@ -2592,32 +2758,32 @@ METHOD(kernel_ipsec_t, del_policy, status_t, route->prefixlen, route->gateway, route->src_ip, route->if_name) != SUCCESS) { - DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG1(DBG_KNL, "error uninstalling route installed with policy " + "%R === %R %N%s", id->src_ts, id->dst_ts, policy_dir_names, + id->dir, markstr); } } - - this->policies->remove(this->policies, current); - policy_entry_destroy(this, current); this->mutex->unlock(this->mutex); if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - if (mark.value) - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N " - "(mark %u/0x%08x)", src_ts, dst_ts, policy_dir_names, - direction, mark.value, mark.mask); - } - else - { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); - } - return FAILED; + DBG1(DBG_KNL, "unable to delete policy %R === %R %N%s", id->src_ts, + id->dst_ts, policy_dir_names, id->dir, markstr); + status = FAILED; } - return SUCCESS; + + this->mutex->lock(this->mutex); + if (!current->waiting) + { /* only if no other thread still needs the policy */ + this->policies->remove(this->policies, current); + policy_entry_destroy(this, current); + this->mutex->unlock(this->mutex); + } + else + { + policy_change_done(this, current); + } + return status; } METHOD(kernel_ipsec_t, flush_policies, status_t, 
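Review bot: When `send_ack` fails the entry is still removed from `this->policies` (if no other thread waits on it), so the plugin stops tracking a policy that is most likely still installed in the kernel, and a later del_policy for the same selector would report "not found". The removed lines had the same effect, but the new unlock/re-lock sequence makes it easy to overlook, so it deserves a comment on the `if (!current->waiting)` block, e.g. `/* the entry is dropped even if the kernel refused the delete; the policy may then remain installed untracked */`; if that behaviour is not intended, keep the entry and skip the destroy when `status == FAILED`. The route was already uninstalled above, so a retry would also have to cope with that.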
@@ -2676,15 +2842,15 @@ static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this, policy.dir = XFRM_POLICY_OUT; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); + DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)", + strerror(errno), errno); return FALSE; } policy.dir = XFRM_POLICY_IN; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); + DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)", + strerror(errno), errno); return FALSE; } return TRUE; @@ -2699,7 +2865,7 @@ typedef struct { /** layer 4 protocol */ int proto; /** port number, network order */ - u_int16_t port; + uint16_t port; } bypass_t; /** @@ -2839,7 +3005,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } METHOD(kernel_ipsec_t, enable_udp_decap, bool, - private_kernel_netlink_ipsec_t *this, int fd, int family, u_int16_t port) + private_kernel_netlink_ipsec_t *this, int fd, int family, uint16_t port) { int type = UDP_ENCAP_ESPINUDP; @@ -2873,6 +3039,7 @@ METHOD(kernel_ipsec_t, destroy, void, enumerator->destroy(enumerator); this->policies->destroy(this->policies); this->sas->destroy(this->sas); + this->condvar->destroy(this->condvar); this->mutex->destroy(this->mutex); free(this); } @@ -2912,6 +3079,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() (hashtable_equals_t)ipsec_sa_equals, 32), .bypass = array_create(sizeof(bypass_t), 0), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .get_priority = dlsym(RTLD_DEFAULT, + "kernel_netlink_get_priority_custom"), .policy_update = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns), .install_routes = lib->settings->get_bool(lib->settings, 
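Review bot: `.get_priority = dlsym(RTLD_DEFAULT, "kernel_netlink_get_priority_custom")` silently hands priority assignment for every policy to whichever loaded object exports that name, and nothing in kernel_netlink_ipsec_create records whether the hook was found. Add a log line after the lookup so an operator can tell from the logs that a custom priority function is in effect, e.g. `if (this->get_priority) { DBG1(DBG_KNL, "using custom policy priority function"); }`, and document on the field (its declaration is outside this diff) that the hook runs with the plugin's mutex held, as the calls in add_policy and del_policy show, so it must not call back into this interface. RTLD_DEFAULT is a GNU extension in <dlfcn.h>; I cannot see this file's includes to confirm it is available here.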
@@ -2955,7 +3125,8 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); if (this->socket_xfrm_events <= 0) { - DBG1(DBG_KNL, "unable to create XFRM event socket"); + DBG1(DBG_KNL, "unable to create XFRM event socket: %s (%d)", + strerror(errno), errno); destroy(this); return NULL; } @@ -2963,7 +3134,8 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING); if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr))) { - DBG1(DBG_KNL, "unable to bind XFRM event socket"); + DBG1(DBG_KNL, "unable to bind XFRM event socket: %s (%d)", + strerror(errno), errno); destroy(this); return NULL; } diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c index f4394a14f..93c2ccccb 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -278,7 +278,7 @@ struct route_entry_t { chunk_t dst_net; /** Destination net prefixlen */ - u_int8_t prefixlen; + uint8_t prefixlen; }; /** @@ -513,12 +513,12 @@ struct private_kernel_netlink_net_t { /** * MTU to set on installed routes */ - u_int32_t mtu; + uint32_t mtu; /** * MSS to set on installed routes */ - u_int32_t mss; + uint32_t mss; }; /** 
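Review bot: The error message now reports errno, but the condition it sits in, `if (this->socket_xfrm_events <= 0)` (context here, unchanged by the commit), treats descriptor 0 as a failure while socket() only signals failure with -1; the equivalent check in kernel_netlink_net_create in this diff uses `< 0`, and netlink_socket_create uses `== -1`. If descriptor 0 happens to be free when the plugin starts, it would log a misleading errno and refuse to start. Change it to `if (this->socket_xfrm_events < 0)`.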
@@ -526,7 +526,7 @@ struct private_kernel_netlink_net_t { */ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type, int flags, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, + uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name); /** @@ -1217,7 +1217,7 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h struct rtmsg* msg = NLMSG_DATA(hdr); struct rtattr *rta = RTM_RTA(msg); size_t rtasize = RTM_PAYLOAD(hdr); - u_int32_t rta_oif = 0; + uint32_t rta_oif = 0; host_t *host = NULL; /* ignore routes added by us or in the local routing table (local addrs) */ @@ -1243,7 +1243,7 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h case RTA_OIF: if (RTA_PAYLOAD(rta) == sizeof(rta_oif)) { - rta_oif = *(u_int32_t*)RTA_DATA(rta); + rta_oif = *(uint32_t*)RTA_DATA(rta); } break; } @@ -1297,7 +1297,8 @@ static bool receive_events(private_kernel_netlink_net_t *this, int fd, /* no data ready, select again */ return TRUE; default: - DBG1(DBG_KNL, "unable to receive from rt event socket"); + DBG1(DBG_KNL, "unable to receive from RT event socket %s (%d)", + strerror(errno), errno); sleep(1); return TRUE; } 
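Review bot: The new message in receive_events, `"unable to receive from RT event socket %s (%d)"`, lacks the colon separator that every other errno message in this diff uses (`"...: %s (%d)"`), which matters for anyone grepping logs for the common pattern. Change it to `"unable to receive from RT event socket: %s (%d)"`. receive_events starts and ends outside this hunk.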
@@ -1501,6 +1502,32 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name) } /** + * get the name of an interface by index (allocated) + */ +static char *get_interface_name_by_index(private_kernel_netlink_net_t *this, + int index) +{ + iface_entry_t *iface; + char *name = NULL; + + DBG2(DBG_KNL, "getting iface name for index %d", index); + + this->lock->read_lock(this->lock); + if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index, + (void**)&iface, &index) == SUCCESS) + { + name = strdup(iface->ifname); + } + this->lock->unlock(this->lock); + + if (!name) + { + DBG1(DBG_KNL, "unable to get interface name for %d", index); + } + return name; +} + +/** * check if an address or net (addr with prefix net bits) is in * subnet (net with net_len net bits) */ @@ -1545,10 +1572,10 @@ typedef struct { chunk_t src; chunk_t dst; host_t *src_host; - u_int8_t dst_len; - u_int32_t table; - u_int32_t oif; - u_int32_t priority; + uint8_t dst_len; + uint32_t table; + uint32_t oif; + uint32_t priority; } rt_entry_t; /** @@ -1630,20 +1657,20 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route) case RTA_OIF: if (RTA_PAYLOAD(rta) == sizeof(route->oif)) { - route->oif = *(u_int32_t*)RTA_DATA(rta); + route->oif = *(uint32_t*)RTA_DATA(rta); } break; case RTA_PRIORITY: if (RTA_PAYLOAD(rta) == sizeof(route->priority)) { - route->priority = *(u_int32_t*)RTA_DATA(rta); + route->priority = *(uint32_t*)RTA_DATA(rta); } break; #ifdef HAVE_RTA_TABLE case RTA_TABLE: if (RTA_PAYLOAD(rta) == sizeof(route->table)) { - route->table = *(u_int32_t*)RTA_DATA(rta); + route->table = *(uint32_t*)RTA_DATA(rta); } break; #endif /* HAVE_RTA_TABLE*/ 
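Review bot: The header comment of the new get_interface_name_by_index, `get the name of an interface by index (allocated)`, should spell out ownership and the NULL cases, since the result is handed to callers of get_nexthop through `*iface` (hunks at -1878 and -1915) and they must free() it: e.g. `Get the name of the interface with the given index. Returns an allocated string the caller has to free(), or NULL if no interface with that index is known or strdup() failed.` The DBG1 "unable to get interface name" also fires on a strdup() failure, which the message presents as an unknown index; if that distinction matters, check the return of strdup separately.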
@@ -1658,7 +1685,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route) */ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, int prefix, bool nexthop, host_t *candidate, - u_int recursion) + char **iface, u_int recursion) { netlink_buf_t request; struct nlmsghdr *hdr, *out, *current; @@ -1774,16 +1801,16 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, } route->src_host = src; } - /* insert route, sorted by priority and network prefix */ + /* insert route, sorted by network prefix and priority */ enumerator = routes->create_enumerator(routes); while (enumerator->enumerate(enumerator, &other)) { - if (route->priority < other->priority) + if (route->dst_len > other->dst_len) { break; } - if (route->priority == other->priority && - route->dst_len > other->dst_len) + if (route->dst_len == other->dst_len && + route->priority < other->priority) { break; } @@ -1860,7 +1887,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, if (gtw && !gtw->ip_equals(gtw, dest)) { route->src_host = get_route(this, gtw, -1, FALSE, candidate, - recursion + 1); + iface, recursion + 1); } DESTROY_IF(gtw); if (route->src_host) @@ -1878,10 +1905,18 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, enumerator->destroy(enumerator); if (nexthop) - { /* nexthop lookup, return gateway if any */ + { /* nexthop lookup, return gateway and oif if any */ + if (iface) + { + *iface = NULL; + } if (best || routes->get_first(routes, (void**)&best) == SUCCESS) { addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0); + if (iface && route->oif) + { + *iface = get_interface_name_by_index(this, route->oif); + } } if (!addr && !match_net) { /* fallback to destination address */ 
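Review bot: In the nexthop branch the gateway is taken from `best` but the interface index from `route`: `addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0); if (iface && route->oif)`. `route` appears to be the cursor of the enumeration above (the loop that assigns `route->src_host` in the hunk at -1860), so unless it is guaranteed to still point at `best` here, `*iface` can name the device of a different route than the gateway being returned. Read the index from the selected route: `if (iface && best->oif) { *iface = get_interface_name_by_index(this, best->oif); }`. get_route starts and ends outside this hunk.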
@@ -1901,8 +1936,16 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, if (addr) { - DBG2(DBG_KNL, "using %H as %s to reach %H/%d", addr, - nexthop ? "nexthop" : "address", dest, prefix); + if (nexthop && iface && *iface) + { + DBG2(DBG_KNL, "using %H as nexthop and %s as dev to reach %H/%d", + addr, *iface, dest, prefix); + } + else + { + DBG2(DBG_KNL, "using %H as %s to reach %H/%d", addr, + nexthop ? "nexthop" : "address", dest, prefix); + } } else if (!recursion) { @@ -1915,13 +1958,14 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, METHOD(kernel_net_t, get_source_addr, host_t*, private_kernel_netlink_net_t *this, host_t *dest, host_t *src) { - return get_route(this, dest, -1, FALSE, src, 0); + return get_route(this, dest, -1, FALSE, src, NULL, 0); } METHOD(kernel_net_t, get_nexthop, host_t*, - private_kernel_netlink_net_t *this, host_t *dest, int prefix, host_t *src) + private_kernel_netlink_net_t *this, host_t *dest, int prefix, host_t *src, + char **iface) { - return get_route(this, dest, prefix, TRUE, src, 0); + return get_route(this, dest, prefix, TRUE, src, iface, 0); } /** @@ -2144,7 +2188,7 @@ METHOD(kernel_net_t, del_ip, status_t, */ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type, int flags, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, + uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { netlink_buf_t request; @@ -2160,7 +2204,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, if (this->routing_table == 0 && prefixlen == 0) { chunk_t half_net; - u_int8_t half_prefixlen; + uint8_t half_prefixlen; status_t status; half_net = chunk_alloca(dst_net.len); 
@@ -2206,22 +2250,22 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, if (this->mtu || this->mss) { chunk = chunk_alloca(RTA_LENGTH((sizeof(struct rtattr) + - sizeof(u_int32_t)) * 2)); + sizeof(uint32_t)) * 2)); chunk.len = 0; rta = (struct rtattr*)chunk.ptr; if (this->mtu) { rta->rta_type = RTAX_MTU; - rta->rta_len = RTA_LENGTH(sizeof(u_int32_t)); - memcpy(RTA_DATA(rta), &this->mtu, sizeof(u_int32_t)); + rta->rta_len = RTA_LENGTH(sizeof(uint32_t)); + memcpy(RTA_DATA(rta), &this->mtu, sizeof(uint32_t)); chunk.len = rta->rta_len; } if (this->mss) { rta = (struct rtattr*)(chunk.ptr + RTA_ALIGN(chunk.len)); rta->rta_type = RTAX_ADVMSS; - rta->rta_len = RTA_LENGTH(sizeof(u_int32_t)); - memcpy(RTA_DATA(rta), &this->mss, sizeof(u_int32_t)); + rta->rta_len = RTA_LENGTH(sizeof(uint32_t)); + memcpy(RTA_DATA(rta), &this->mss, sizeof(uint32_t)); chunk.len = RTA_ALIGN(chunk.len) + rta->rta_len; } netlink_add_attribute(hdr, RTA_METRICS, chunk, sizeof(request)); @@ -2231,7 +2275,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, } METHOD(kernel_net_t, add_route, status_t, - private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + private_kernel_netlink_net_t *this, chunk_t dst_net, uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { status_t status; @@ -2262,7 +2306,7 @@ METHOD(kernel_net_t, add_route, status_t, } METHOD(kernel_net_t, del_route, status_t, - private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + private_kernel_netlink_net_t *this, chunk_t dst_net, uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { status_t status; 
@@ -2384,7 +2428,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this) * create or delete a rule to use our routing table */ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type, - int family, u_int32_t table, u_int32_t prio) + int family, uint32_t table, uint32_t prio) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -2644,7 +2688,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (this->socket_events < 0) { - DBG1(DBG_KNL, "unable to create RT event socket"); + DBG1(DBG_KNL, "unable to create RT event socket: %s (%d)", + strerror(errno), errno); destroy(this); return NULL; } @@ -2652,7 +2697,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK; if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr))) { - DBG1(DBG_KNL, "unable to bind RT event socket"); + DBG1(DBG_KNL, "unable to bind RT event socket: %s (%d)", + strerror(errno), errno); destroy(this); return NULL; } diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c index f7ce992a3..7165b655b 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -309,7 +309,7 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in, while (!entry->complete) { if (this->parallel && - lib->watcher->get_state(lib->watcher) == WATCHER_RUNNING) + lib->watcher->get_state(lib->watcher) != WATCHER_STOPPED) { if (this->timeout) { 
@@ -594,13 +594,15 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names, } if (this->socket == -1) { - DBG1(DBG_KNL, "unable to create netlink socket"); + DBG1(DBG_KNL, "unable to create netlink socket: %s (%d)", + strerror(errno), errno); destroy(this); return NULL; } if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr))) { - DBG1(DBG_KNL, "unable to bind netlink socket"); + DBG1(DBG_KNL, "unable to bind netlink socket: %s (%d)", + strerror(errno), errno); destroy(this); return NULL; } diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in index f2876a272..8866f13d4 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/kernel_pfkey -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index d505f1c33..1b22ea549 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -141,17 +141,17 @@ #define SOL_UDP IPPROTO_UDP #endif -/** base priority for installed policies */ -#define PRIO_BASE 384 +/** Base priority for installed policies */ +#define PRIO_BASE 100000 #ifdef __APPLE__ /** from xnu/bsd/net/pfkeyv2.h */ #define SADB_X_EXT_NATT 0x002 struct sadb_sa_2 { struct sadb_sa sa; - u_int16_t sadb_sa_natt_port; - u_int16_t sadb_reserved0; - u_int32_t sadb_reserved1; + uint16_t sadb_sa_natt_port; + uint16_t sadb_reserved0; + uint32_t sadb_reserved1; }; #endif @@ -286,7 +286,7 @@ struct route_entry_t { chunk_t dst_net; /** destination net prefixlen */ - u_int8_t prefixlen; + uint8_t prefixlen; /** reference to exclude route, if any */ exclude_route_t *exclude; @@ -352,7 +352,7 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa) { return sa->src->ip_equals(sa->src, other_sa->src) && sa->dst->ip_equals(sa->dst, other_sa->dst) && - memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t)); + ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg); } /** 
@@ -400,14 +400,17 @@ static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this, } typedef struct policy_sa_t policy_sa_t; -typedef struct policy_sa_in_t policy_sa_in_t; +typedef struct policy_sa_out_t policy_sa_out_t; /** * Mapping between a policy and an IPsec SA. */ struct policy_sa_t { /** Priority assigned to the policy when installed with this SA */ - u_int32_t priority; + uint32_t priority; + + /** Base priority assigned to the policy when installed with this SA */ + uint32_t auto_priority; /** Type of the policy */ policy_type_t type; @@ -417,10 +420,10 @@ struct policy_sa_t { }; /** - * For input policies we also cache the traffic selectors in order to install + * For outbound policies we also cache the traffic selectors in order to install * the route. */ -struct policy_sa_in_t { +struct policy_sa_out_t { /** Generic interface */ policy_sa_t generic; @@ -440,14 +443,14 @@ static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this, { policy_sa_t *policy; - if (dir == POLICY_IN) + if (dir == POLICY_OUT) { - policy_sa_in_t *in; - INIT(in, + policy_sa_out_t *out; + INIT(out, .src_ts = src_ts->clone(src_ts), .dst_ts = dst_ts->clone(dst_ts), ); - policy = &in->generic; + policy = &out->generic; } else { @@ -464,11 +467,11 @@ static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this, static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir, private_kernel_pfkey_ipsec_t *this) { - if (*dir == POLICY_IN) + if (*dir == POLICY_OUT) { - policy_sa_in_t *in = (policy_sa_in_t*)policy; - in->src_ts->destroy(in->src_ts); - in->dst_ts->destroy(in->dst_ts); + policy_sa_out_t *out = (policy_sa_out_t*)policy; + out->src_ts->destroy(out->src_ts); + out->dst_ts->destroy(out->dst_ts); } ipsec_sa_destroy(this, policy->sa); free(policy); 
@@ -481,19 +484,19 @@ typedef struct policy_entry_t policy_entry_t; */ struct policy_entry_t { /** Index assigned by the kernel */ - u_int32_t index; + uint32_t index; /** Direction of this policy: in, out, forward */ - u_int8_t direction; + uint8_t direction; /** Parameters of installed policy */ struct { /** Subnet and port */ host_t *net; /** Subnet mask */ - u_int8_t mask; + uint8_t mask; /** Protocol */ - u_int8_t proto; + uint8_t proto; } src, dst; /** Associated route installed for this policy */ @@ -514,8 +517,8 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, INIT(policy, .direction = dir, ); - u_int16_t port; - u_int8_t proto; + uint16_t port; + uint8_t proto; src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask); dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask); 
@@ -583,40 +586,51 @@ static inline bool policy_entry_equals(policy_entry_t *current, * compare the given kernel index with that of a policy */ static inline bool policy_entry_match_byindex(policy_entry_t *current, - u_int32_t *index) + uint32_t *index) { return current->index == *index; } /** * Calculate the priority of a policy + * + * This is the same formula we use in the kernel-netlink interface, but some + * features are currently not or only partially supported by PF_KEY. + * + * bits 0-0: reserved for interface restriction (0..1) 1 bit + * bits 1-6: src + dst port mask bits (2 * 0..16) 6 bits + * bits 7-7: restriction to protocol (0..1) 1 bit + * bits 8-16: src + dst network mask bits (2 * 0..128) 9 bits + * 17 bits + * + * smallest value: 000000000 0 000000 0: 0, lowest priority = 100'000 + * largest value : 100000000 1 100000 0: 65'728, highst priority = 34'272 */ -static inline u_int32_t get_priority(policy_entry_t *policy, +static inline uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio) { - u_int32_t priority = PRIO_BASE; + uint32_t priority = PRIO_BASE; + switch (prio) { case POLICY_PRIORITY_FALLBACK: - priority <<= 1; + priority += PRIO_BASE; /* fall-through */ case POLICY_PRIORITY_ROUTED: - priority <<= 1; + priority += PRIO_BASE; /* fall-through */ case POLICY_PRIORITY_DEFAULT: - priority <<= 1; - /* fall-trough */ + priority += PRIO_BASE; + /* fall-through */ case POLICY_PRIORITY_PASS: break; } - /* calculate priority based on selector size, small size = high prio */ - priority -= policy->src.mask; - priority -= policy->dst.mask; - priority <<= 2; /* make some room for the two flags */ - priority += policy->src.net->get_port(policy->src.net) || - policy->dst.net->get_port(policy->dst.net) ? - 0 : 2; - priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1; + + /* calculate priority */ + priority -= (policy->src.mask + policy->dst.mask) * 256; + priority -= policy->src.proto != IPSEC_PROTO_ANY ? 
128 : 0; + priority -= policy->src.net->get_port(policy->src.net) ? 32 : 0; + priority -= policy->dst.net->get_port(policy->dst.net) ? 32 : 0; return priority; } @@ -697,7 +711,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, /** * convert a protocol identifier to the PF_KEY sa type */ -static u_int8_t proto2satype(u_int8_t proto) +static uint8_t proto2satype(uint8_t proto) { switch (proto) { @@ -715,7 +729,7 @@ static u_int8_t proto2satype(u_int8_t proto) /** * convert a PF_KEY sa type to a protocol identifier */ -static u_int8_t satype2proto(u_int8_t satype) +static uint8_t satype2proto(uint8_t satype) { switch (satype) { @@ -733,7 +747,7 @@ static u_int8_t satype2proto(u_int8_t satype) /** * convert the general ipsec mode to the one defined in ipsec.h */ -static u_int8_t mode2kernel(ipsec_mode_t mode) +static uint8_t mode2kernel(ipsec_mode_t mode) { switch (mode) { @@ -753,7 +767,7 @@ static u_int8_t mode2kernel(ipsec_mode_t mode) /** * convert the general policy direction to the one defined in ipsec.h */ -static u_int8_t dir2kernel(policy_dir_t dir) +static uint8_t dir2kernel(policy_dir_t dir) { switch (dir) { @@ -773,7 +787,7 @@ static u_int8_t dir2kernel(policy_dir_t dir) /** * convert the policy type to the one defined in ipsec.h */ -static inline u_int16_t type2kernel(policy_type_t type) +static inline uint16_t type2kernel(policy_type_t type) { switch (type) { @@ -791,7 +805,7 @@ static inline u_int16_t type2kernel(policy_type_t type) /** * convert the policy direction in ipsec.h to the general one. */ -static policy_dir_t kernel2dir(u_int8_t dir) +static policy_dir_t kernel2dir(uint8_t dir) { switch (dir) { @@ -898,7 +912,7 @@ static kernel_algorithm_t compression_algs[] = { static int lookup_algorithm(transform_type_t type, int ikev2) { kernel_algorithm_t *list; - u_int16_t alg = 0; + uint16_t alg = 0; switch (type) { 
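Review bot: The four priority classes stay disjoint only because PRIO_BASE (100'000) is larger than the biggest selector offset the formula can subtract (65'728 per the table in the comment: 256*256 + 128 + 32 + 32), and neither get_priority nor the constant states that invariant; suggest adding `/* PRIO_BASE must exceed the largest selector offset (65'728) so that the PASS/DEFAULT/ROUTED/FALLBACK classes never overlap */` above the switch. The comment's "highst priority = 34'272" should read "highest". The switch has no default case, so an unexpected policy_priority_t value silently ends up in the PASS class, which is the most permissive one; if that is acceptable, an explicit `default:` falling through to POLICY_PRIORITY_PASS with a comment would at least make it visible.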
@@ -929,7 +943,7 @@ static int lookup_algorithm(transform_type_t type, int ikev2) /** * Helper to set a port in a sockaddr_t, the port has to be in host order */ -static void set_port(sockaddr_t *addr, u_int16_t port) +static void set_port(sockaddr_t *addr, uint16_t port) { switch (addr->sa_family) { @@ -971,8 +985,8 @@ static size_t hostcpy(void *dest, host_t *host, bool include_port) /** * add a host to the given sadb_msg */ -static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type, - u_int8_t proto, u_int8_t prefixlen, bool include_port) +static void add_addr_ext(struct sadb_msg *msg, host_t *host, uint16_t type, + uint8_t proto, uint8_t prefixlen, bool include_port) { struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg); size_t len; @@ -988,7 +1002,7 @@ static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type, /** * adds an empty address extension to the given sadb_msg */ -static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) +static void add_anyaddr_ext(struct sadb_msg *msg, int family, uint8_t type) { socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6); @@ -1039,7 +1053,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address) { traffic_selector_t *ts; host_t *host; - u_int8_t proto; + uint8_t proto; proto = address->sadb_address_proto; proto = proto == IPSEC_PROTO_ANY ? 0 : proto; @@ -1240,7 +1254,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { pfkey_msg_t response; - u_int32_t index, reqid = 0; + uint32_t index, reqid = 0; traffic_selector_t *src_ts, *dst_ts; policy_entry_t *policy; policy_sa_t *sa; @@ -1292,8 +1306,8 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { pfkey_msg_t response; - u_int8_t protocol; - u_int32_t spi; + uint8_t protocol; + uint32_t spi; host_t *dst; bool hard; 
@@ -1330,7 +1344,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; traffic_selector_t *src_ts, *dst_ts; policy_dir_t dir; - u_int32_t reqid = 0; + uint32_t reqid = 0; host_t *local = NULL, *remote = NULL; DBG2(DBG_KNL, "received an SADB_X_MIGRATE"); @@ -1350,13 +1364,13 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, if (response.x_kmaddress) { sockaddr_t *local_addr, *remote_addr; - u_int32_t local_len; + uint32_t local_len; local_addr = (sockaddr_t*)&response.x_kmaddress[1]; local = host_create_from_sockaddr(local_addr); local_len = (local_addr->sa_family == AF_INET6)? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in); - remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len); + remote_addr = (sockaddr_t*)((uint8_t*)local_addr + local_len); remote = host_create_from_sockaddr(remote_addr); DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote); } @@ -1384,7 +1398,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { pfkey_msg_t response; - u_int32_t spi; + uint32_t spi; sockaddr_t *sa; host_t *dst, *new; @@ -1517,14 +1531,14 @@ static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd, */ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max, - u_int32_t *spi) + host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max, + uint32_t *spi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; struct sadb_spirange *range; pfkey_msg_t response; - u_int32_t received_spi = 0; + uint32_t received_spi = 0; size_t len; memset(&request, 0, sizeof(request)); 
@@ -1570,7 +1584,7 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) + uint8_t protocol, uint32_t *spi) { if (get_spi_internal(this, src, dst, protocol, 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) @@ -1585,9 +1599,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) + uint16_t *cpi) { - u_int32_t received_spi = 0; + uint32_t received_spi = 0; DBG2(DBG_KNL, "getting CPI"); @@ -1598,20 +1612,15 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, return FAILED; } - *cpi = htons((u_int16_t)ntohl(received_spi)); + *cpi = htons((uint16_t)ntohl(received_spi)); DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi)); return SUCCESS; } METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
@@ -1620,22 +1629,42 @@ METHOD(kernel_ipsec_t, add_sa, status_t, struct sadb_lifetime *lft; struct sadb_key *key; size_t len; + uint16_t ipcomp = data->ipcomp; + ipsec_mode_t mode = data->mode; /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 * we are in the recursive call below */ - if (ipcomp != IPCOMP_NONE && cpi != 0) + if (ipcomp != IPCOMP_NONE && data->cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, - tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, - chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound, - update, NULL, NULL); + kernel_ipsec_sa_id_t ipcomp_id = { + .src = id->src, + .dst = id->dst, + .spi = htonl(ntohs(data->cpi)), + .proto = IPPROTO_COMP, + .mark = id->mark, + }; + kernel_ipsec_add_sa_t ipcomp_sa = { + .reqid = data->reqid, + .mode = data->mode, + .src_ts = data->src_ts, + .dst_ts = data->dst_ts, + .lifetime = &lft, + .enc_alg = ENCR_UNDEFINED, + .int_alg = AUTH_UNDEFINED, + .tfc = data->tfc, + .ipcomp = data->ipcomp, + .initiator = data->initiator, + .inbound = data->inbound, + .update = data->update, + }; + add_sa(this, &ipcomp_id, &ipcomp_sa); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ mode = MODE_TRANSPORT; } - if (update) + if (data->update) { /* As we didn't know the reqid during SPI allocation, we used reqid * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we 
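Review bot: The status of the recursive `add_sa(this, &ipcomp_id, &ipcomp_sa);` call for the IPComp SA is discarded, so when that install fails the function carries on, installs the ESP SA in transport mode, and the caller never learns that the compression SA the policy presumably references is missing. Unless the best-effort behaviour is deliberate, propagate it: `if (add_sa(this, &ipcomp_id, &ipcomp_sa) != SUCCESS) { DBG1(DBG_KNL, "adding IPComp SA failed"); return FAILED; }`; if it is deliberate, a DBG1 line at minimum. The ipcomp_sa initializer now relies on replay_window, encap and esn being zero, which matches the old explicit `0, FALSE, FALSE, FALSE` arguments but deserves a short comment since those defaults are implicit. add_sa's body continues outside this hunk.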
@@ -1643,10 +1672,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * selector does not count for that, therefore we have to delete * that state before installing the new SA to avoid deleting the * the new state after installing it. */ - mark_t zeromark = {0, 0}; - - if (this->public.interface.del_sa(&this->public.interface, - src, dst, spi, protocol, 0, zeromark) != SUCCESS) + kernel_ipsec_sa_id_t del_id = { + .src = id->src, + .dst = id->dst, + .spi = id->spi, + .proto = id->proto, + }; + kernel_ipsec_del_sa_t del = { 0 }; + + if (this->public.interface.del_sa(&this->public.interface, &del_id, + &del) != SUCCESS) { DBG1(DBG_KNL, "deleting SPI allocation SA failed"); } @@ -1655,20 +1690,20 @@ METHOD(kernel_ipsec_t, add_sa, status_t, memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", - ntohl(spi), reqid); + ntohl(id->spi), data->reqid); msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_ADD; - msg->sadb_msg_satype = proto2satype(protocol); + msg->sadb_msg_satype = proto2satype(id->proto); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); #ifdef __APPLE__ - if (encap) + if (data->encap) { struct sadb_sa_2 *sa_2; sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); - sa_2->sadb_sa_natt_port = dst->get_port(dst); + sa_2->sadb_sa_natt_port = id->dst->get_port(id->dst); sa = &sa_2->sa; sa->sadb_sa_flags |= SADB_X_EXT_NATT; len = sizeof(struct sadb_sa_2); 
@@ -1681,22 +1716,29 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } sa->sadb_sa_exttype = SADB_EXT_SA; sa->sadb_sa_len = PFKEY_LEN(len); - sa->sadb_sa_spi = spi; - if (protocol == IPPROTO_COMP) + sa->sadb_sa_spi = id->spi; + if (id->proto == IPPROTO_COMP) { - sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp); + sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM, + ipcomp); } else { /* Linux interprets sadb_sa_replay as number of packets/bits in the - * replay window, whereas on BSD it's the size of the window in bytes */ + * replay window, whereas on BSD it's the size of the window in bytes. + * Only set for the inbound SA as it's not relevant for the outbound + * SA and might waste memory with large windows. */ + if (data->inbound) + { #ifdef __linux__ - sa->sadb_sa_replay = min(replay_window, 32); + sa->sadb_sa_replay = min(data->replay_window, 32); #else - sa->sadb_sa_replay = (replay_window + 7) / 8; + sa->sadb_sa_replay = (data->replay_window + 7) / 8; #endif - sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg); - sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg); + } + sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); + sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, + data->enc_alg); } PFKEY_EXT_ADD(msg, sa); 
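Review bot: The non-Linux branch stores `(data->replay_window + 7) / 8` into sadb_sa_replay without an upper bound; in RFC 2367's struct sadb_sa that field is a uint8_t (the struct isn't visible here, so confirm against the platform header), so a window above 2040 bits is silently truncated and exactly 2048 wraps to 0, which on BSD kernels typically means no replay window at all for that SA. The Linux branch already clamps with min(..., 32); the BSD branch should clamp as well, e.g. `sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);`, or log at DBG1 and return FAILED for windows that don't fit rather than installing a weaker SA than configured. The existing bits-versus-bytes comment could mention that 255-byte ceiling. add_sa starts and ends outside this hunk.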
@@ -1704,86 +1746,88 @@ METHOD(kernel_ipsec_t, add_sa, status_t, sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); sa2->sadb_x_sa2_mode = mode2kernel(mode); - sa2->sadb_x_sa2_reqid = reqid; + sa2->sadb_x_sa2_reqid = data->reqid; PFKEY_EXT_ADD(msg, sa2); - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); + add_addr_ext(msg, id->src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); + add_addr_ext(msg, id->dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_allocations = lifetime->packets.rekey; - lft->sadb_lifetime_bytes = lifetime->bytes.rekey; - lft->sadb_lifetime_addtime = lifetime->time.rekey; + lft->sadb_lifetime_allocations = data->lifetime->packets.rekey; + lft->sadb_lifetime_bytes = data->lifetime->bytes.rekey; + lft->sadb_lifetime_addtime = data->lifetime->time.rekey; lft->sadb_lifetime_usetime = 0; /* we only use addtime */ PFKEY_EXT_ADD(msg, lft); lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); - lft->sadb_lifetime_allocations = lifetime->packets.life; - lft->sadb_lifetime_bytes = lifetime->bytes.life; - lft->sadb_lifetime_addtime = lifetime->time.life; + lft->sadb_lifetime_allocations = data->lifetime->packets.life; + lft->sadb_lifetime_bytes = data->lifetime->bytes.life; + lft->sadb_lifetime_addtime = data->lifetime->time.life; lft->sadb_lifetime_usetime = 0; /* we only use addtime */ PFKEY_EXT_ADD(msg, lft); - if (enc_alg != ENCR_UNDEFINED) + if (data->enc_alg != ENCR_UNDEFINED) { if (!sa->sadb_sa_encrypt) { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg); + encryption_algorithm_names, 
data->enc_alg); return FAILED; } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg, enc_key.len * 8); + encryption_algorithm_names, data->enc_alg, data->enc_key.len * 8); key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; - key->sadb_key_bits = enc_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len); - memcpy(key + 1, enc_key.ptr, enc_key.len); + key->sadb_key_bits = data->enc_key.len * 8; + key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + data->enc_key.len); + memcpy(key + 1, data->enc_key.ptr, data->enc_key.len); PFKEY_EXT_ADD(msg, key); } - if (int_alg != AUTH_UNDEFINED) + if (data->int_alg != AUTH_UNDEFINED) { if (!sa->sadb_sa_auth) { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg); + integrity_algorithm_names, data->int_alg); return FAILED; } DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg, int_key.len * 8); + integrity_algorithm_names, data->int_alg, data->int_key.len * 8); key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg); key->sadb_key_exttype = SADB_EXT_KEY_AUTH; - key->sadb_key_bits = int_key.len * 8; - key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len); - memcpy(key + 1, int_key.ptr, int_key.len); + key->sadb_key_bits = data->int_key.len * 8; + key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + data->int_key.len); + memcpy(key + 1, data->int_key.ptr, data->int_key.len); PFKEY_EXT_ADD(msg, key); } #ifdef HAVE_NATT - if (encap) + if (data->encap) { - add_encap_ext(msg, src, dst); + add_encap_ext(msg, id->src, id->dst); } #endif /*HAVE_NATT*/ if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", + ntohl(id->spi)); return FAILED; } else if (out->sadb_msg_errno) { DBG1(DBG_KNL, "unable 
to add SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); + ntohl(id->spi), strerror(out->sadb_msg_errno), + out->sadb_msg_errno); free(out); return FAILED; } @@ -1793,9 +1837,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
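Review bot: The SA keys are copied into the stack buffer `request` (`memcpy(key + 1, data->enc_key.ptr, data->enc_key.len);` and the same for int_key) and nothing in this hunk clears that buffer afterwards: both `return FAILED;` paths after pfkey_send leave the key material on the stack, and the success return beyond the hunk presumably does the same. Consider `memwipe(request, sizeof(request));` before each return, or a single cleanup label that wipes and returns (libstrongswan's memwipe isn't visible here, so confirm it is in scope). The copies are also not bounded against the space remaining in request; key lengths are fixed by the negotiated algorithm so this is defensive, but a comment stating that assumption next to the memcpy would help the next reader. add_sa starts and ends outside this hunk.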
@@ -1806,72 +1849,84 @@ METHOD(kernel_ipsec_t, update_sa, status_t, /* we can't update the SA if any of the ip addresses have changed. * that's because we can't use SADB_UPDATE and by deleting and readding the * SA the sequence numbers would get lost */ - if (!src->ip_equals(src, new_src) || - !dst->ip_equals(dst, new_dst)) + if (!id->src->ip_equals(id->src, data->new_src) || + !id->dst->ip_equals(id->dst, data->new_dst)) { DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address " - "changes are not supported", ntohl(spi)); + "changes are not supported", ntohl(id->spi)); return NOT_SUPPORTED; } /* if IPComp is used, we first update the IPComp SA */ - if (cpi) - { - update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, - src, dst, new_src, new_dst, FALSE, FALSE, mark); + if (data->cpi) + { + kernel_ipsec_sa_id_t ipcomp_id = { + .src = id->src, + .dst = id->dst, + .spi = htonl(ntohs(data->cpi)), + .proto = IPPROTO_COMP, + .mark = id->mark, + }; + kernel_ipsec_update_sa_t ipcomp = { + .new_src = data->new_src, + .new_dst = data->new_dst, + }; + update_sa(this, &ipcomp_id, &ipcomp); } memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", + ntohl(id->spi)); msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto2satype(protocol); + msg->sadb_msg_satype = proto2satype(id->proto); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); sa->sadb_sa_exttype = SADB_EXT_SA; sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; + sa->sadb_sa_spi = id->spi; PFKEY_EXT_ADD(msg, sa); /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though * it is not used for anything. 
*/ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); + add_anyaddr_ext(msg, id->dst->get_family(id->dst), SADB_EXT_ADDRESS_SRC); + add_addr_ext(msg, id->dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", + ntohl(id->spi)); return FAILED; } else if (out->sadb_msg_errno) { DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); + ntohl(id->spi), strerror(out->sadb_msg_errno), + out->sadb_msg_errno); free(out); return FAILED; } else if (parse_pfkey_message(out, &response) != SUCCESS) { DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing " - "response from kernel failed", ntohl(spi)); + "response from kernel failed", ntohl(id->spi)); free(out); return FAILED; } DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", - ntohl(spi), src, dst, new_src, new_dst); + ntohl(id->spi), id->src, id->dst, data->new_src, data->new_dst); memset(&request, 0, sizeof(request)); msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_UPDATE; - msg->sadb_msg_satype = proto2satype(protocol); + msg->sadb_msg_satype = proto2satype(id->proto); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); #ifdef __APPLE__ @@ -1880,9 +1935,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t, sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2)); memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa)); - if (encap) + if (data->encap) { - sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst); + sa_2->sadb_sa_natt_port = data->new_dst->get_port(data->new_dst); sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT; } } 
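Review bot: The recursive `update_sa(this, &ipcomp_id, &ipcomp);` for the IPComp SA ignores its status, so a failure there is neither logged nor propagated while the ESP SA is still updated; at least `if (update_sa(this, &ipcomp_id, &ipcomp) != SUCCESS) { DBG1(DBG_KNL, "updating IPComp SA failed"); }`. The ipcomp initializer relies on cpi, encap and new_encap being zero, which matches the old explicit `0, ..., FALSE, FALSE` arguments but is now implicit and worth a one-line comment. update_sa starts and ends outside this hunk.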
@@ -1908,9 +1963,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t, } #ifdef HAVE_NATT - if (new_encap) + if (data->new_encap) { - add_encap_ext(msg, new_src, new_dst); + add_encap_ext(msg, data->new_src, data->new_dst); } #endif /*HAVE_NATT*/ @@ -1918,14 +1973,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", + ntohl(id->spi)); return FAILED; } else if (out->sadb_msg_errno) { DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); + ntohl(id->spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); free(out); return FAILED; } @@ -1935,9 +1990,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t, } METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes, u_int64_t *packets, time_t *time) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, + time_t *time) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
@@ -1947,42 +2002,44 @@ METHOD(kernel_ipsec_t, query_sa, status_t, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(id->spi)); msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_GET; - msg->sadb_msg_satype = proto2satype(protocol); + msg->sadb_msg_satype = proto2satype(id->proto); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); sa->sadb_sa_exttype = SADB_EXT_SA; sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; + sa->sadb_sa_spi = id->spi; PFKEY_EXT_ADD(msg, sa); /* the Linux Kernel doesn't care for the src address, but other systems do * (e.g. FreeBSD) */ - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); + add_addr_ext(msg, id->src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); + add_addr_ext(msg, id->dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", + ntohl(id->spi)); return FAILED; } else if (out->sadb_msg_errno) { DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); + ntohl(id->spi), strerror(out->sadb_msg_errno), + out->sadb_msg_errno); free(out); return FAILED; } else if (parse_pfkey_message(out, &response) != SUCCESS) { - DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", + ntohl(id->spi)); free(out); return FAILED; } 
@@ -2013,8 +2070,8 @@ METHOD(kernel_ipsec_t, query_sa, status_t, } METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
@@ -2022,48 +2079,57 @@ METHOD(kernel_ipsec_t, del_sa, status_t, size_t len; /* if IPComp was used, we first delete the additional IPComp SA */ - if (cpi) + if (data->cpi) { - del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark); + kernel_ipsec_sa_id_t ipcomp_id = { + .src = id->src, + .dst = id->dst, + .spi = htonl(ntohs(data->cpi)), + .proto = IPPROTO_COMP, + .mark = id->mark, + }; + kernel_ipsec_del_sa_t ipcomp = { 0 }; + del_sa(this, &ipcomp_id, &ipcomp); } memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(id->spi)); msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_DELETE; - msg->sadb_msg_satype = proto2satype(protocol); + msg->sadb_msg_satype = proto2satype(id->proto); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); sa->sadb_sa_exttype = SADB_EXT_SA; sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); - sa->sadb_sa_spi = spi; + sa->sadb_sa_spi = id->spi; PFKEY_EXT_ADD(msg, sa); /* the Linux Kernel doesn't care for the src address, but other systems do * (e.g. 
FreeBSD) */ - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); - add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); + add_addr_ext(msg, id->src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); + add_addr_ext(msg, id->dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", + ntohl(id->spi)); return FAILED; } else if (out->sadb_msg_errno) { DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)", - ntohl(spi), strerror(out->sadb_msg_errno), - out->sadb_msg_errno); + ntohl(id->spi), strerror(out->sadb_msg_errno), + out->sadb_msg_errno); free(out); return FAILED; } - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); + DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(id->spi)); free(out); return SUCCESS; } @@ -2074,7 +2140,7 @@ METHOD(kernel_ipsec_t, flush_sas, status_t, unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; struct { - u_int8_t proto; + uint8_t proto; char *name; } protos[] = { { SADB_SATYPE_AH, "AH" }, @@ -2138,7 +2204,7 @@ static void add_exclude_route(private_kernel_pfkey_ipsec_t *this, if (!route->exclude) { DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src); - gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL); + gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL, NULL); if (gtw) { char *if_name = NULL; 
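Review bot: The recursive `del_sa(this, &ipcomp_id, &ipcomp);` for the IPComp SA discards its status, so an IPComp SA left behind by a failed SADB_DELETE is never reported; suggest `if (del_sa(this, &ipcomp_id, &ipcomp) != SUCCESS) { DBG1(DBG_KNL, "deleting IPComp SA failed"); }` so the leftover kernel state at least shows up in the log. The ordering also deserves a comment: the IPComp SA is removed first, so a failing delete of the ESP/AH SA below leaves that SA without its companion, and the caller only sees FAILED for the second. del_sa's signature and local declarations are in the preceding hunk.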
@@ -2226,56 +2292,58 @@ static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this, } /** - * Try to install a route to the given inbound policy + * Try to install a route to the given outbound policy */ static bool install_route(private_kernel_pfkey_ipsec_t *this, - policy_entry_t *policy, policy_sa_in_t *in) + policy_entry_t *policy, policy_sa_out_t *out) { route_entry_t *route, *old; host_t *host, *src, *dst; bool is_virtual; - if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts, &host, + if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts, &host, &is_virtual) != SUCCESS) { return FALSE; } - /* switch src/dst, as we handle an IN policy */ - src = in->generic.sa->dst; - dst = in->generic.sa->src; - INIT(route, - .prefixlen = policy->src.mask, + .prefixlen = policy->dst.mask, .src_ip = host, - .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)), + .dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)), ); + src = out->generic.sa->src; + dst = out->generic.sa->dst; + if (!dst->is_anyaddr(dst)) { route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, - src); + src, &route->if_name); /* if the IP is virtual, we install the route over the interface it has * been installed on. Otherwise we use the interface we use for IKE, as * this is required for example on Linux. 
*/ if (is_virtual) { + free(route->if_name); + route->if_name = NULL; src = route->src_ip; } } else { /* for shunt policies */ route->gateway = charon->kernel->get_nexthop(charon->kernel, - policy->src.net, policy->src.mask, - route->src_ip); + policy->dst.net, policy->dst.mask, + route->src_ip, &route->if_name); /* we don't have a source address, use the address we found */ src = route->src_ip; } /* get interface for route, using source address */ - if (!charon->kernel->get_interface(charon->kernel, src, &route->if_name)) + if (!route->if_name && + !charon->kernel->get_interface(charon->kernel, src, &route->if_name)) { route_entry_destroy(route); return FALSE; @@ -2296,7 +2364,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, old->src_ip, old->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with policy " - "%R === %R %N", in->src_ts, in->dst_ts, + "%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names, policy->direction); } route_entry_destroy(old); 
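Review bot: In the virtual-IP branch the interface name that get_nexthop just wrote to `route->if_name` is freed and reset to NULL without saying why, and the reader has to connect that with the `!route->if_name && !charon->kernel->get_interface(...)` lookup further down; suggest a comment on the free: `/* drop the interface get_nexthop chose; the virtual IP's interface is looked up via get_interface() below */`. It is also worth stating in the function comment that route->if_name may be filled by either get_nexthop or get_interface, since route_entry_destroy is then expected to free it in both cases (its body isn't visible here, so confirm). install_route starts before this hunk and continues after it.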
@@ -2306,22 +2374,22 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, /* if remote traffic selector covers the IKE peer, add an exclude route */ if (charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_EXCLUDE_ROUTE) { - if (in->src_ts->is_host(in->src_ts, dst)) + if (out->dst_ts->is_host(out->dst_ts, dst)) { DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts " - "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names, + "with IKE traffic", out->src_ts, out->dst_ts, policy_dir_names, policy->direction); route_entry_destroy(route); return FALSE; } - if (in->src_ts->includes(in->src_ts, dst)) + if (out->dst_ts->includes(out->dst_ts, dst)) { - add_exclude_route(this, route, in->generic.sa->dst, dst); + add_exclude_route(this, route, out->generic.sa->src, dst); } } DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", - in->src_ts, route->gateway, route->src_ip, route->if_name); + out->dst_ts, route->gateway, route->src_ip, route->if_name); switch (charon->kernel->add_route(charon->kernel, route->dst_net, route->prefixlen, route->gateway, @@ -2338,7 +2406,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, return TRUE; default: DBG1(DBG_KNL, "installing route failed: %R via %H src %H dev %s", - in->src_ts, route->gateway, route->src_ip, route->if_name); + out->dst_ts, route->gateway, route->src_ip, route->if_name); remove_exclude_route(this, route); route_entry_destroy(route); return FALSE; 
@@ -2381,53 +2449,56 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this, pol->sadb_x_policy_priority = mapping->priority; #endif - /* one or more sadb_x_ipsecrequest extensions are added to the - * sadb_x_policy extension */ - proto_mode = ipsec->cfg.mode; + if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid) + { + /* one or more sadb_x_ipsecrequest extensions are added to the + * sadb_x_policy extension */ + proto_mode = ipsec->cfg.mode; + + req = (struct sadb_x_ipsecrequest*)(pol + 1); - req = (struct sadb_x_ipsecrequest*)(pol + 1); + if (ipsec->cfg.ipcomp.transform != IPCOMP_NONE) + { + req->sadb_x_ipsecrequest_proto = IPPROTO_COMP; + + /* !!! the length here MUST be in octets instead of 64 bit words */ + req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); + req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode); + req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid; + req->sadb_x_ipsecrequest_level = (policy->direction == POLICY_OUT) ? + IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_USE; + if (ipsec->cfg.mode == MODE_TUNNEL) + { + len = hostcpy(req + 1, ipsec->src, FALSE); + req->sadb_x_ipsecrequest_len += len; + len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE); + req->sadb_x_ipsecrequest_len += len; + /* use transport mode for other SAs */ + proto_mode = MODE_TRANSPORT; + } - if (ipsec->cfg.ipcomp.transform != IPCOMP_NONE) - { - req->sadb_x_ipsecrequest_proto = IPPROTO_COMP; + pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); + req = (struct sadb_x_ipsecrequest*)((char*)(req) + + req->sadb_x_ipsecrequest_len); + } + req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP + : IPPROTO_AH; /* !!! 
the length here MUST be in octets instead of 64 bit words */ req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); - req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode); + req->sadb_x_ipsecrequest_mode = mode2kernel(proto_mode); req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid; - req->sadb_x_ipsecrequest_level = (policy->direction == POLICY_OUT) ? - IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_USE; - if (ipsec->cfg.mode == MODE_TUNNEL) + req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; + if (proto_mode == MODE_TUNNEL) { len = hostcpy(req + 1, ipsec->src, FALSE); req->sadb_x_ipsecrequest_len += len; len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE); req->sadb_x_ipsecrequest_len += len; - /* use transport mode for other SAs */ - proto_mode = MODE_TRANSPORT; } pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); - req = (struct sadb_x_ipsecrequest*)((char*)(req) + - req->sadb_x_ipsecrequest_len); - } - - req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP - : IPPROTO_AH; - /* !!! the length here MUST be in octets instead of 64 bit words */ - req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); - req->sadb_x_ipsecrequest_mode = mode2kernel(proto_mode); - req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid; - req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE; - if (proto_mode == MODE_TUNNEL) - { - len = hostcpy(req + 1, ipsec->src, FALSE); - req->sadb_x_ipsecrequest_len += len; - len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE); - req->sadb_x_ipsecrequest_len += len; } - - pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len); PFKEY_EXT_ADD(msg, pol); add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto, 
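Review bot: With the new `mapping->type == POLICY_IPSEC && ipsec->cfg.reqid` guard, an IPsec mapping whose cfg.reqid is 0 now yields an sadb_x_policy extension that carries no sadb_x_ipsecrequest at all, and nothing in the hunk records what the PF_KEY kernel does with such a template-less IPsec policy. Whether matching traffic is then dropped or forwarded unprotected is the security-relevant property of this branch, so the guard deserves a comment, e.g. `/* without a reqid no SA template is added; the kernel's handling of an IPsec policy with no ipsecrequest must be the intended one - verify per platform */`. The hostcpy() writes into `req + 1` remain unbounded against the request buffer, as they were before the change. add_policy_internal begins and ends outside this hunk.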
@@ -2492,37 +2563,42 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this, free(out); /* install a route, if: - * - this is an inbound policy (to just get one for each child) - * - we are in tunnel mode or install a bypass policy + * - this is an outbound policy (to just get one for each child) * - routing is not disabled via strongswan.conf + * - the selector is not for a specific protocol/port + * - we are in tunnel mode or install a bypass policy */ - if (policy->direction == POLICY_IN && this->install_routes && - (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT)) + if (policy->direction == POLICY_OUT && this->install_routes && + policy->src.proto == IPSEC_PROTO_ANY && + !policy->src.net->get_port(policy->src.net) && + !policy->dst.net->get_port(policy->dst.net)) { - install_route(this, policy, (policy_sa_in_t*)mapping); + if (mapping->type == POLICY_PASS || + (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT)) + { + install_route(this, policy, (policy_sa_out_t*)mapping); + } } this->mutex->unlock(this->mutex); return SUCCESS; } METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { policy_entry_t *policy, *found = NULL; policy_sa_t *assigned_sa, *current_sa; enumerator_t *enumerator; bool update = TRUE; - if (dir2kernel(direction) == IPSEC_DIR_INVALID) + if (dir2kernel(id->dir) == IPSEC_DIR_INVALID) { /* FWD policies are not supported on all platforms */ return SUCCESS; } /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); + policy = create_policy_entry(id->src_ts, id->dst_ts, id->dir); /* find a matching policy */ this->mutex->lock(this->mutex); 
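Review bot: The new routing guard tests `policy->src.proto == IPSEC_PROTO_ANY` but, on the destination side, only the port of `policy->dst.net`, while the rewritten comment promises that "the selector is not for a specific protocol/port"; if policy_entry_t carries a protocol on the dst side as it does on src (create_policy_entry is outside the hunk), the condition should read `policy->src.proto == IPSEC_PROTO_ANY && policy->dst.proto == IPSEC_PROTO_ANY &&`, otherwise the comment should say the protocol is taken from the source selector only. The bool returned by the new `install_route(this, policy, (policy_sa_out_t*)mapping);` call is still discarded; install_route logs its own failures, so a `(void)` cast would at least make that intent explicit. add_policy_internal starts outside this hunk.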
@@ -2531,7 +2607,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, (void**)&found, policy) == SUCCESS) { /* use existing policy */ DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing " - "refcount", src_ts, dst_ts, policy_dir_names, direction); + "refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir); policy_entry_destroy(policy, this); policy = found; } @@ -2542,18 +2618,35 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } /* cache the assigned IPsec SA */ - assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts, - dst_ts, sa); - assigned_sa->priority = get_priority(policy, priority); + assigned_sa = policy_sa_create(this, id->dir, data->type, data->src, + data->dst, id->src_ts, id->dst_ts, data->sa); + assigned_sa->auto_priority = get_priority(policy, data->prio); + assigned_sa->priority = data->manual_prio ? data->manual_prio : + assigned_sa->auto_priority; + /* insert the SA according to its priority */ enumerator = policy->used_by->create_enumerator(policy->used_by); while (enumerator->enumerate(enumerator, (void**)¤t_sa)) { - if (current_sa->priority >= assigned_sa->priority) + if (current_sa->priority > assigned_sa->priority) { break; } + if (current_sa->priority == assigned_sa->priority) + { + /* in case of equal manual prios order SAs by automatic priority */ + if (current_sa->auto_priority > assigned_sa->auto_priority) + { + break; + } + /* prefer SAs with a reqid over those without */ + if (current_sa->auto_priority == assigned_sa->auto_priority && + (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)) + { + break; + } + } update = FALSE; } policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa); 
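Review bot: The new insertion loop in add_policy spreads the ordering rule over three nested comparisons and two `break`s, which makes it hard to see at a glance that SAs are ordered by priority, then automatic priority, then reqid presence. A small comparator returning whether `current_sa` sorts after `assigned_sa` keeps the same behaviour and reduces the loop body to `if (policy_sa_sorts_after(current_sa, assigned_sa)) { break; } update = FALSE;`. The helper is sketched below; the remainder of add_policy lies outside this hunk.
```c
/**
 * Check if 'current' has to be placed after 'assigned' in a policy's used_by
 * list: ordered by priority, then automatic priority, then SAs with a reqid
 * before those without.
 */
static bool policy_sa_sorts_after(policy_sa_t *current, policy_sa_t *assigned)
{
	if (current->priority != assigned->priority)
	{
		return current->priority > assigned->priority;
	}
	if (current->auto_priority != assigned->auto_priority)
	{
		return current->auto_priority > assigned->auto_priority;
	}
	/* prefer SAs with a reqid over those without */
	return !current->sa->cfg.reqid || assigned->sa->cfg.reqid;
}

/* … unchanged: add_policy up to the used_by enumerator … */
	while (enumerator->enumerate(enumerator, (void**)&current_sa))
	{
		if (policy_sa_sorts_after(current_sa, assigned_sa))
		{
			break;
		}
		update = FALSE;
	}
```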
@@ -2567,23 +2660,22 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } DBG2(DBG_KNL, "%s policy %R === %R %N", - found ? "updating" : "adding", src_ts, dst_ts, - policy_dir_names, direction); + found ? "updating" : "adding", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS) { DBG1(DBG_KNL, "unable to %s policy %R === %R %N", - found ? "update" : "add", src_ts, dst_ts, - policy_dir_names, direction); + found ? "update" : "add", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); return FAILED; } return SUCCESS; } METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - time_t *use_time) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_query_policy_t *data, time_t *use_time) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -2592,16 +2684,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t, pfkey_msg_t response; size_t len; - if (dir2kernel(direction) == IPSEC_DIR_INVALID) + if (dir2kernel(id->dir) == IPSEC_DIR_INVALID) { /* FWD policies are not supported on all platforms */ return NOT_FOUND; } - DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG2(DBG_KNL, "querying policy %R === %R %N", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); + policy = create_policy_entry(id->src_ts, id->dst_ts, id->dir); /* find a matching policy */ this->mutex->lock(this->mutex); 
@@ -2609,8 +2701,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 (linked_list_match_t)policy_entry_equals,
 (void**)&found, policy) != SUCCESS)
 {
- DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
- dst_ts, policy_dir_names, direction);
+ DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found",
+ id->src_ts, id->dst_ts, policy_dir_names, id->dir);
 policy_entry_destroy(policy, this);
 this->mutex->unlock(this->mutex);
 return NOT_FOUND;
@@ -2630,7 +2722,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 pol->sadb_x_policy_id = policy->index;
 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
- pol->sadb_x_policy_dir = dir2kernel(direction);
+ pol->sadb_x_policy_dir = dir2kernel(id->dir);
 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 PFKEY_EXT_ADD(msg, pol);
 
@@ -2643,30 +2735,31 @@ METHOD(kernel_ipsec_t, query_policy, status_t, if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG1(DBG_KNL, "unable to query policy %R === %R %N", id->src_ts, + id->dst_ts, policy_dir_names, id->dir); return FAILED; } else if (out->sadb_msg_errno) { - DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); + DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", + id->src_ts, id->dst_ts, policy_dir_names, id->dir, + strerror(out->sadb_msg_errno), out->sadb_msg_errno); free(out); return FAILED; } else if (parse_pfkey_message(out, &response) != SUCCESS) { DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response " - "from kernel failed", src_ts, dst_ts, policy_dir_names, - direction); + "from kernel failed", id->src_ts, id->dst_ts, policy_dir_names, + id->dir); free(out); return FAILED; } else if (response.lft_current == NULL) { DBG2(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no " - "use time", src_ts, dst_ts, policy_dir_names, direction); + "use time", id->src_ts, id->dst_ts, policy_dir_names, + id->dir); free(out); return FAILED; } @@ -2686,10 +2779,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t prio) + private_kernel_pfkey_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
@@ -2698,24 +2789,24 @@ METHOD(kernel_ipsec_t, del_policy, status_t, policy_sa_t *mapping, *to_remove = NULL; enumerator_t *enumerator; bool first = TRUE, is_installed = TRUE; - u_int32_t priority; + uint32_t priority, auto_priority; size_t len; ipsec_sa_t assigned_sa = { - .src = src, - .dst = dst, - .cfg = *sa, + .src = data->src, + .dst = data->dst, + .cfg = *data->sa, }; - if (dir2kernel(direction) == IPSEC_DIR_INVALID) + if (dir2kernel(id->dir) == IPSEC_DIR_INVALID) { /* FWD policies are not supported on all platforms */ return SUCCESS; } - DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG2(DBG_KNL, "deleting policy %R === %R %N", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); /* create a policy */ - policy = create_policy_entry(src_ts, dst_ts, direction); + policy = create_policy_entry(id->src_ts, id->dst_ts, id->dir); /* find a matching policy */ this->mutex->lock(this->mutex); @@ -2723,8 +2814,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t, (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS) { - DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts, - dst_ts, policy_dir_names, direction); + DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", + id->src_ts, id->dst_ts, policy_dir_names, id->dir); policy_entry_destroy(policy, this); this->mutex->unlock(this->mutex); return NOT_FOUND; 
@@ -2734,11 +2825,14 @@ METHOD(kernel_ipsec_t, del_policy, status_t, /* remove mapping to SA by reqid and priority, if multiple match, which * could happen when rekeying due to an address change, remove the oldest */ - priority = get_priority(policy, prio); + auto_priority = get_priority(policy, data->prio); + priority = data->manual_prio ? data->manual_prio : auto_priority; enumerator = policy->used_by->create_enumerator(policy->used_by); while (enumerator->enumerate(enumerator, (void**)&mapping)) { if (priority == mapping->priority && + auto_priority == mapping->auto_priority && + data->type == mapping->type && ipsec_sa_equals(mapping->sa, &assigned_sa)) { to_remove = mapping; @@ -2762,7 +2856,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, if (policy->used_by->get_count(policy->used_by) > 0) { /* policy is used by more SAs, keep in kernel */ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - policy_sa_destroy(mapping, &direction, this); + policy_sa_destroy(mapping, &id->dir, this); if (!is_installed) { /* no need to update as the policy was not installed for this SA */ @@ -2770,13 +2864,13 @@ METHOD(kernel_ipsec_t, del_policy, status_t, return SUCCESS; } - DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG2(DBG_KNL, "updating policy %R === %R %N", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); policy->used_by->get_first(policy->used_by, (void**)&mapping); if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS) { DBG1(DBG_KNL, "unable to update policy %R === %R %N", - src_ts, dst_ts, policy_dir_names, direction); + id->src_ts, id->dst_ts, policy_dir_names, id->dir); return FAILED; } return SUCCESS; 
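Review bot: The context comment above the loop, "remove mapping to SA by reqid and priority", no longer describes the match, which now additionally requires an equal `auto_priority` and an equal `type`; a mapping that differs only in one of those is deliberately kept, and the comment should say so, e.g. `/* remove mapping to SA by type, priority, automatic priority and reqid; if multiple match, which could happen when rekeying due to an address change, remove the oldest */`. del_policy's body continues outside this hunk.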
@@ -2793,7 +2887,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg); pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY; pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); - pol->sadb_x_policy_dir = dir2kernel(direction); + pol->sadb_x_policy_dir = dir2kernel(id->dir); pol->sadb_x_policy_type = type2kernel(mapping->type); PFKEY_EXT_ADD(msg, pol); @@ -2810,28 +2904,28 @@ METHOD(kernel_ipsec_t, del_policy, status_t, route->src_ip, route->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + "policy %R === %R %N", id->src_ts, id->dst_ts, + policy_dir_names, id->dir); } remove_exclude_route(this, route); } this->policies->remove(this->policies, found, NULL); - policy_sa_destroy(mapping, &direction, this); + policy_sa_destroy(mapping, &id->dir, this); policy_entry_destroy(policy, this); this->mutex->unlock(this->mutex); if (pfkey_send(this, msg, &out, &len) != SUCCESS) { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts, - policy_dir_names, direction); + DBG1(DBG_KNL, "unable to delete policy %R === %R %N", id->src_ts, + id->dst_ts, policy_dir_names, id->dir); return FAILED; } else if (out->sadb_msg_errno) { - DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts, - dst_ts, policy_dir_names, direction, - strerror(out->sadb_msg_errno), out->sadb_msg_errno); + DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", + id->src_ts, id->dst_ts, policy_dir_names, id->dir, + strerror(out->sadb_msg_errno), out->sadb_msg_errno); free(out); return FAILED; } @@ -2876,7 +2970,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t, * Register a socket for ACQUIRE/EXPIRE messages */ static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, - u_int8_t satype) + uint8_t satype) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
@@ -2931,7 +3025,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } memset(&policy, 0, sizeof(policy)); - policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); + policy.sadb_x_policy_len = sizeof(policy) / sizeof(uint64_t); policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; @@ -2953,7 +3047,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } METHOD(kernel_ipsec_t, enable_udp_decap, bool, - private_kernel_pfkey_ipsec_t *this, int fd, int family, u_int16_t port) + private_kernel_pfkey_ipsec_t *this, int fd, int family, uint16_t port) { #ifndef __APPLE__ int type = UDP_ENCAP_ESPINUDP; diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in index 77d83cbca..1c3f49120 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/kernel_pfroute -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ 
@@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c index 4eebdfdad..236e3417f 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2013 Tobias Brunner + * Copyright (C) 2009-2016 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -209,7 +209,7 @@ struct route_entry_t { chunk_t dst_net; /** Destination net prefixlen */ - u_int8_t prefixlen; + uint8_t prefixlen; }; /** @@ -420,7 +420,7 @@ struct private_kernel_pfroute_net_t * Forward declaration */ static status_t manage_route(private_kernel_pfroute_net_t *this, int op, - chunk_t dst_net, u_int8_t prefixlen, + chunk_t dst_net, uint8_t prefixlen, host_t *gateway, char *if_name); /** @@ -1381,7 +1381,7 @@ static void add_rt_ifname(struct rt_msghdr *hdr, int type, char *name) * Add or remove a route */ static status_t manage_route(private_kernel_pfroute_net_t *this, int op, - chunk_t dst_net, u_int8_t prefixlen, + chunk_t dst_net, uint8_t prefixlen, host_t *gateway, char *if_name) { struct { 
@@ -1473,7 +1473,7 @@ static status_t manage_route(private_kernel_pfroute_net_t *this, int op, } METHOD(kernel_net_t, add_route, status_t, - private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + private_kernel_pfroute_net_t *this, chunk_t dst_net, uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { status_t status; @@ -1502,7 +1502,7 @@ METHOD(kernel_net_t, add_route, status_t, } METHOD(kernel_net_t, del_route, status_t, - private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + private_kernel_pfroute_net_t *this, chunk_t dst_net, uint8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { status_t status; @@ -1533,7 +1533,7 @@ METHOD(kernel_net_t, del_route, status_t, * address. */ static host_t *get_route(private_kernel_pfroute_net_t *this, bool nexthop, - host_t *dest, host_t *src) + host_t *dest, host_t *src, char **iface) { struct { struct rt_msghdr hdr; @@ -1612,6 +1612,15 @@ retry: host = gtw; } } + if (type == RTAX_IFP && addr->sa_family == AF_LINK) + { + struct sockaddr_dl *sdl = (struct sockaddr_dl*)addr; + if (iface) + { + free(*iface); + *iface = strndup(sdl->sdl_data, sdl->sdl_nlen); + } + } } else { @@ -1680,13 +1689,18 @@ retry: METHOD(kernel_net_t, get_source_addr, host_t*, private_kernel_pfroute_net_t *this, host_t *dest, host_t *src) { - return get_route(this, FALSE, dest, src); + return get_route(this, FALSE, dest, src, NULL); } METHOD(kernel_net_t, get_nexthop, host_t*, - private_kernel_pfroute_net_t *this, host_t *dest, int prefix, host_t *src) + private_kernel_pfroute_net_t *this, host_t *dest, int prefix, host_t *src, + char **iface) { - return get_route(this, TRUE, dest, src); + if (iface) + { + *iface = NULL; + } + return get_route(this, TRUE, dest, src, iface); } /** diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in index cfe643f26..e002b4f0d 100644 --- a/src/libcharon/plugins/kernel_wfp/Makefile.in 
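Review bot: The new RTAX_IFP branch in get_route() calls `free(*iface)` before assigning, so every caller passing a non-NULL `iface` must hand in a pointer to NULL or to a heap-allocated string; get_nexthop() honours this with `*iface = NULL`, but get_route()'s header comment (outside the hunk) does not state the contract and should gain `@param iface if not NULL, receives the malloc'd name of the outgoing interface; *iface must be NULL or heap-allocated on entry, caller frees`. The `strndup()` result is not checked; on allocation failure `*iface` stays NULL, which the pfkey caller appears to treat as "interface unknown", and a one-line comment would make that fallback intentional rather than accidental. `sdl->sdl_nlen` is taken from the kernel's reply as-is; if the parser is meant to be robust against a truncated message, clamp it against `sdl->sdl_len` before the copy.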
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ noinst_PROGRAMS = ipsecdump$(EXEEXT) subdir = src/libcharon/plugins/kernel_wfp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -211,12 +220,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -266,6 +277,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -300,6 +312,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -411,6 +424,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -479,7 +493,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_wfp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_wfp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -809,6 +822,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES tags tags-am uninstall uninstall-am \ uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index e1c429885..6ad26b72f 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -45,7 +45,7 @@ struct private_kernel_wfp_ipsec_t { /** * Mix value to distribute SPI allocation randomly */ - u_int32_t mixspi; + uint32_t mixspi; /** * IKE bypass filters, as UINT64 filter LUID @@ -103,16 +103,16 @@ struct private_kernel_wfp_ipsec_t { */ typedef struct { /** SPI for this SA */ - u_int32_t spi; + uint32_t spi; /** protocol, IPPROTO_ESP/IPPROTO_AH */ - u_int8_t protocol; + uint8_t protocol; /** hard lifetime of SA */ - u_int32_t lifetime; + uint32_t lifetime; /** destination host address for this SPI */ host_t *dst; struct { /** algorithm */ - u_int16_t alg; + uint16_t alg; /** key */ chunk_t key; } integ, encr; @@ -144,13 +144,13 @@ typedef struct { /** policy destinaiton addresses */ traffic_selector_t *dst; /** WFP allocated LUID for inbound filter ID */ - u_int64_t policy_in; + uint64_t policy_in; /** WFP allocated LUID for outbound filter ID */ - u_int64_t policy_out; + uint64_t policy_out; /** WFP allocated LUID for forward inbound filter ID, tunnel mode only */ - u_int64_t policy_fwd_in; + uint64_t policy_fwd_in; /** WFP allocated LUID for forward outbound filter ID, tunnel mode only */ - u_int64_t policy_fwd_out; + uint64_t policy_fwd_out; /** have installed a route for it? */ bool route; } sp_entry_t; @@ -170,7 +170,7 @@ static void sp_entry_destroy(sp_entry_t *sp) */ typedef struct { /** reqid of entry */ - u_int32_t reqid; + uint32_t reqid; /** outer address on local host */ host_t *local; /** outer address on remote host */ 
@@ -186,17 +186,17 @@ typedef struct { /** UDP encapsulation */ bool encap; /** provider context, for tunnel mode only */ - u_int64_t provider; + uint64_t provider; /** WFP allocated LUID for SA context */ - u_int64_t sa_id; + uint64_t sa_id; /** WFP allocated LUID for tunnel mode IP-IPv4 inbound filter */ - u_int64_t ip_ipv4_in; + uint64_t ip_ipv4_in; /** WFP allocated LUID for tunnel mode IP-IPv4 outbound filter */ - u_int64_t ip_ipv4_out; + uint64_t ip_ipv4_out; /** WFP allocated LUID for tunnel mode IP-IPv6 inbound filter */ - u_int64_t ip_ipv6_in; + uint64_t ip_ipv6_in; /** WFP allocated LUID for tunnel mode IP-IPv6 outbound filter */ - u_int64_t ip_ipv6_out; + uint64_t ip_ipv6_out; } entry_t; /** @@ -206,7 +206,7 @@ typedef struct { /** destination net of route */ host_t *dst; /** prefix length of dst */ - u_int8_t mask; + uint8_t mask; /** source address for route */ host_t *src; /** gateway of route, NULL if directly attached */ @@ -348,9 +348,9 @@ static FWPM_FILTER_CONDITION0 *append_condition(FWPM_FILTER_CONDITION0 *conds[], /** * Convert an IPv4 prefix to a host order subnet mask */ -static u_int32_t prefix2mask(u_int8_t prefix) +static uint32_t prefix2mask(uint8_t prefix) { - u_int8_t netmask[4] = {}; + uint8_t netmask[4] = {}; int i; for (i = 0; i < sizeof(netmask); i++) @@ -370,7 +370,7 @@ static u_int32_t prefix2mask(u_int8_t prefix) * Convert a 16-bit range to a WFP condition */ static void range2cond(FWPM_FILTER_CONDITION0 *cond, - u_int16_t from, u_int16_t to) + uint16_t from, uint16_t to) { if (from == to) { @@ -399,11 +399,11 @@ static bool ts2condition(traffic_selector_t *ts, const GUID *target, FWPM_FILTER_CONDITION0 *cond; FWP_BYTE_ARRAY16 *addr; FWP_RANGE0 *range; - u_int16_t from_port, to_port; + uint16_t from_port, to_port; void *from, *to; - u_int8_t proto; + uint8_t proto; host_t *net; - u_int8_t prefix; + uint8_t prefix; from = ts->get_from_address(ts).ptr; to = ts->get_to_address(ts).ptr; 
@@ -496,7 +496,7 @@ static bool ts2condition(traffic_selector_t *ts, const GUID *target, { if (target == &FWPM_CONDITION_IP_LOCAL_ADDRESS) { - u_int8_t from_type, to_type, from_code, to_code; + uint8_t from_type, to_type, from_code, to_code; from_type = traffic_selector_icmp_type(from_port); to_type = traffic_selector_icmp_type(to_port); @@ -736,7 +736,7 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp, */ static bool install_ipip_ale(private_kernel_wfp_ipsec_t *this, host_t *local, host_t *remote, GUID *context, - bool inbound, int proto, u_int64_t *filter_id) + bool inbound, int proto, uint64_t *filter_id) { traffic_selector_t *lts, *rts; FWPM_FILTER_CONDITION0 *conds = NULL; @@ -1013,7 +1013,7 @@ static bool install_sa(private_kernel_wfp_ipsec_t *this, entry_t *entry, .ipVersion = version, }; struct { - u_int16_t alg; + uint16_t alg; chunk_t key; } integ = {}, encr = {}; DWORD res; @@ -1099,9 +1099,9 @@ static bool install_sa(private_kernel_wfp_ipsec_t *this, entry_t *entry, */ static void host2address6(host_t *host, void *out) { - u_int32_t *src, *dst = out; + uint32_t *src, *dst = out; - src = (u_int32_t*)host->get_address(host).ptr; + src = (uint32_t*)host->get_address(host).ptr; dst[0] = untoh32(&src[3]); dst[1] = untoh32(&src[2]); @@ -1273,7 +1273,7 @@ static bool generate_guid(private_kernel_wfp_ipsec_t *this, GUID *guid) { return FALSE; } - ok = rng->get_bytes(rng, sizeof(GUID), (u_int8_t*)guid); + ok = rng->get_bytes(rng, sizeof(GUID), (uint8_t*)guid); rng->destroy(rng); return ok; } @@ -1379,7 +1379,7 @@ static bool install_tunnel_sps(private_kernel_wfp_ipsec_t *this, entry_t *entry) * Reduce refcount, or uninstall a route if all refs gone */ static bool uninstall_route(private_kernel_wfp_ipsec_t *this, - host_t *dst, u_int8_t mask, host_t *src, host_t *gtw) + host_t *dst, uint8_t mask, host_t *src, host_t *gtw) { route_t *route, key = { .dst = dst, 
@@ -1421,7 +1421,7 @@ static bool uninstall_route(private_kernel_wfp_ipsec_t *this, * Install a single route, or refcount if exists */ static bool install_route(private_kernel_wfp_ipsec_t *this, - host_t *dst, u_int8_t mask, host_t *src, host_t *gtw) + host_t *dst, uint8_t mask, host_t *src, host_t *gtw) { route_t *route, key = { .dst = dst, @@ -1476,7 +1476,7 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this, bool add) { host_t *src, *dst, *gtw; - u_int8_t mask; + uint8_t mask; bool done; if (!dst_ts->to_subnet(dst_ts, &dst, &mask)) @@ -1489,7 +1489,7 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this, dst->destroy(dst); return FALSE; } - gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local); + gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local, NULL); if (add) { done = install_route(this, dst, mask, src, gtw); @@ -1578,7 +1578,7 @@ static bool install(private_kernel_wfp_ipsec_t *this, entry_t *entry) */ typedef struct { /** reqid this trap is installed for */ - u_int32_t reqid; + uint32_t reqid; /** is this a forward policy trap for tunnel mode? */ bool fwd; /** do we have installed a route for this trap policy? */ @@ -1629,7 +1629,7 @@ static u_int hash_trap(trap_t *trap) static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id, traffic_selector_t *src, traffic_selector_t *dst) { - u_int32_t reqid = 0; + uint32_t reqid = 0; trap_t *trap, key = { .filter_id = filter_id, }; @@ -1654,7 +1654,7 @@ static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id, * Create a single host traffic selector from an FWP address definition */ static traffic_selector_t *addr2ts(FWP_IP_VERSION version, void *data, - u_int8_t protocol, u_int16_t from_port, u_int16_t to_port) + uint8_t protocol, uint16_t from_port, uint16_t to_port) { ts_type_t type; UINT32 ints[4]; 
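Review bot: The new trailing `NULL` passed to `get_nexthop()` in manage_route is unexplained at the call site; presumably it is the interface-name output parameter added to the kernel_net_t interface, which this backend has no use for, but a reader has to open kernel_net.h to learn that. A short comment on the argument, `gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local, NULL); /* iface not needed */`, would document the intent. The route_t comment in this file's first hunk says `gtw` may be NULL for directly attached routes, which install_route/uninstall_route presumably handle; their bodies are outside the hunk, as are the start and end of manage_route.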
@@ -1689,9 +1689,9 @@ static void WINAPI event_callback(void *user, const FWPM_NET_EVENT1 *event) { private_kernel_wfp_ipsec_t *this = user; traffic_selector_t *local = NULL, *remote = NULL; - u_int8_t protocol = 0; - u_int16_t from_local = 0, to_local = 65535; - u_int16_t from_remote = 0, to_remote = 65535; + uint8_t protocol = 0; + uint16_t from_local = 0, to_local = 65535; + uint16_t from_remote = 0, to_remote = 65535; if ((event->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET) && (event->header.flags & FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET)) @@ -1861,7 +1861,7 @@ static bool uninstall_trap(private_kernel_wfp_ipsec_t *this, trap_t *trap) * Create and install a new trap entry */ static bool add_trap(private_kernel_wfp_ipsec_t *this, - u_int32_t reqid, bool fwd, host_t *local, host_t *remote, + uint32_t reqid, bool fwd, host_t *local, host_t *remote, traffic_selector_t *src, traffic_selector_t *dst) { trap_t *trap; @@ -1893,7 +1893,7 @@ static bool add_trap(private_kernel_wfp_ipsec_t *this, * Uninstall and remove a new trap entry */ static bool remove_trap(private_kernel_wfp_ipsec_t *this, - u_int32_t reqid, bool fwd, + uint32_t reqid, bool fwd, traffic_selector_t *src, traffic_selector_t *dst) { enumerator_t *enumerator; @@ -1949,10 +1949,10 @@ static bool init_spi(private_kernel_wfp_ipsec_t *this) { return FALSE; } - ok = rng->get_bytes(rng, sizeof(this->nextspi), (u_int8_t*)&this->nextspi); + ok = rng->get_bytes(rng, sizeof(this->nextspi), (uint8_t*)&this->nextspi); if (ok) { - ok = rng->get_bytes(rng, sizeof(this->mixspi), (u_int8_t*)&this->mixspi); + ok = rng->get_bytes(rng, sizeof(this->mixspi), (uint8_t*)&this->mixspi); } rng->destroy(rng); return ok; @@ -1966,7 +1966,7 @@ static u_int permute(u_int x, u_int p) u_int qr; x = x % p; - qr = ((u_int64_t)x * x) % p; + qr = ((uint64_t)x * x) % p; if (x <= p / 2) { return qr; 
@@ -1976,7 +1976,7 @@ static u_int permute(u_int x, u_int p) METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) + uint8_t protocol, uint32_t *spi) { /* To avoid sequencial SPIs, we use a one-to-one permuation function on * an incrementing counter, that is a full period PRNG for the range we @@ -1993,7 +1993,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) + uint16_t *cpi) { return NOT_SUPPORTED; } @@ -2005,7 +2005,7 @@ typedef struct { /* backref to kernel backend */ private_kernel_wfp_ipsec_t *this; /* SPI of expiring SA */ - u_int32_t spi; + uint32_t spi; /* destination address of expiring SA */ host_t *dst; /* is this a hard expire, or a rekey request? */ @@ -2027,7 +2027,7 @@ static void expire_data_destroy(expire_data_t *data) static job_requeue_t expire_job(expire_data_t *data) { private_kernel_wfp_ipsec_t *this = data->this; - u_int8_t protocol; + uint8_t protocol; entry_t *entry = NULL; sa_entry_t key = { .spi = data->spi, @@ -2074,8 +2074,8 @@ static job_requeue_t expire_job(expire_data_t *data) /** * Schedule an expire event for an SA */ -static void schedule_expire(private_kernel_wfp_ipsec_t *this, u_int32_t spi, - host_t *dst, u_int32_t lifetime, bool hard) +static void schedule_expire(private_kernel_wfp_ipsec_t *this, uint32_t spi, + host_t *dst, uint32_t lifetime, bool hard) { expire_data_t *data; 
@@ -2093,57 +2093,55 @@ static void schedule_expire(private_kernel_wfp_ipsec_t *this, u_int32_t spi,
 }
 METHOD(kernel_ipsec_t, add_sa, status_t,
- private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
- u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
- u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
- u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound, bool update,
- linked_list_t *src_ts, linked_list_t *dst_ts)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_add_sa_t *data)
 {
 host_t *local, *remote;
 entry_t *entry;
- if (inbound)
+ if (data->inbound)
 {
 /* comes first, create new entry */
- local = dst->clone(dst);
- remote = src->clone(src);
+ local = id->dst->clone(id->dst);
+ remote = id->src->clone(id->src);
 INIT(entry,
- .reqid = reqid,
+ .reqid = data->reqid,
 .isa = {
- .spi = spi,
+ .spi = id->spi,
 .dst = local,
- .protocol = protocol,
- .lifetime = lifetime->time.life,
+ .protocol = id->proto,
+ .lifetime = data->lifetime->time.life,
 .encr = {
- .alg = enc_alg,
- .key = chunk_clone(enc_key),
+ .alg = data->enc_alg,
+ .key = chunk_clone(data->enc_key),
 },
 .integ = {
- .alg = int_alg,
- .key = chunk_clone(int_key),
+ .alg = data->int_alg,
+ .key = chunk_clone(data->int_key),
 },
 },
 .sps = array_create(0, 0),
 .local = local,
 .remote = remote,
- .mode = mode,
- .encap = encap,
+ .mode = data->mode,
+ .encap = data->encap,
 );
- if (lifetime->time.life)
+ if (data->lifetime->time.life)
 {
- schedule_expire(this, spi, local, lifetime->time.life, TRUE);
+ schedule_expire(this, id->spi, local,
+ data->lifetime->time.life, TRUE);
 }
- if (lifetime->time.rekey && lifetime->time.rekey != lifetime->time.life)
+ if (data->lifetime->time.rekey &&
+ data->lifetime->time.rekey != data->lifetime->time.life)
 {
- schedule_expire(this, spi, local, lifetime->time.rekey, FALSE);
+ 
schedule_expire(this, id->spi, local,
+ data->lifetime->time.rekey, FALSE);
 }
 this->mutex->lock(this->mutex);
- this->tsas->put(this->tsas, (void*)(uintptr_t)reqid, entry);
+ this->tsas->put(this->tsas, (void*)(uintptr_t)data->reqid, entry);
 this->isas->put(this->isas, &entry->isa, entry);
 this->mutex->unlock(this->mutex);
 }
@@ -2151,29 +2149,29 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 {
 /* comes after inbound, update entry */
 this->mutex->lock(this->mutex);
- entry = this->tsas->remove(this->tsas, (void*)(uintptr_t)reqid);
+ entry = this->tsas->remove(this->tsas, (void*)(uintptr_t)data->reqid);
 this->mutex->unlock(this->mutex);
 if (!entry)
 {
 DBG1(DBG_KNL, "adding outbound SA failed, no inbound SA found "
- "for reqid %u ", reqid);
+ "for reqid %u ", data->reqid);
 return NOT_FOUND;
 }
 /* TODO: should we check for local/remote, mode etc.? */
 entry->osa = (sa_entry_t){
- .spi = spi,
+ .spi = id->spi,
 .dst = entry->remote,
- .protocol = protocol,
- .lifetime = lifetime->time.life,
+ .protocol = id->proto,
+ .lifetime = data->lifetime->time.life,
 .encr = {
- .alg = enc_alg,
- .key = chunk_clone(enc_key),
+ .alg = data->enc_alg,
+ .key = chunk_clone(data->enc_key),
 },
 .integ = {
- .alg = int_alg,
- .key = chunk_clone(int_key),
+ .alg = data->int_alg,
+ .key = chunk_clone(data->int_key),
 },
 };
@@ -2186,14 +2184,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 METHOD(kernel_ipsec_t, update_sa, status_t,
- private_kernel_wfp_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
- u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
- bool encap, bool new_encap, mark_t mark)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_update_sa_t *data)
 {
 entry_t *entry;
 sa_entry_t key = {
- .dst = dst,
- .spi = spi,
+ .dst = id->dst,
+ .spi = id->spi,
 };
 UINT64 sa_id = 0;
 IPSEC_SA_CONTEXT1 *ctx;
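Review bot: In the inbound branch, `this->tsas->put(this->tsas, (void*)(uintptr_t)data->reqid, entry);` still discards the value it displaces; if a pending inbound entry for the same reqid is already in the table (its outbound add_sa never arrived), that entry, its cloned hosts and its `chunk_clone()`d `enc_key`/`int_key` are replaced and leaked, assuming `put()` returns the previous value as the hashtable_t interface does. Capture the return and, when it is non-NULL, either log it with DBG1 or destroy it, wiping the key chunks with `chunk_clear()` rather than `chunk_free()` so the stale keys do not linger on the heap. The new `kernel_ipsec_add_sa_t` also carries `update`, `esn`, `replay_window` and `tfc`, none of which this function reads; a comment at the top such as `/* update, esn, replay_window and tfc are not supported by the WFP backend */` would make that explicit instead of silently ignored. add_sa starts in the previous hunk and its outbound branch continues in the next one.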
@@ -2233,16 +2230,16 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 DBG1(DBG_KNL, "getting WFP SA context for updated failed: 0x%08x", res);
 return FAILED;
 }
- if (!hosts2traffic(this, new_dst, new_src, &ctx->inboundSa->traffic) ||
- !hosts2traffic(this, new_dst, new_src, &ctx->outboundSa->traffic))
+ if (!hosts2traffic(this, data->new_dst, data->new_src, &ctx->inboundSa->traffic) ||
+ !hosts2traffic(this, data->new_dst, data->new_src, &ctx->outboundSa->traffic))
 {
 FwpmFreeMemory0((void**)&ctx);
 return FAILED;
 }
- if (new_encap != encap)
+ if (data->new_encap != data->encap)
 {
- if (new_encap)
+ if (data->new_encap)
 {
 ctx->inboundSa->udpEncapsulation = &ports;
 ctx->outboundSa->udpEncapsulation = &ports;
@@ -2273,8 +2270,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 entry->local->destroy(entry->local);
 entry->remote->destroy(entry->remote);
- entry->local = new_dst->clone(new_dst);
- entry->remote = new_src->clone(new_src);
+ entry->local = data->new_dst->clone(data->new_dst);
+ entry->remote = data->new_src->clone(data->new_src);
 entry->isa.dst = entry->local;
 entry->osa.dst = entry->remote;
@@ -2290,9 +2287,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 }
 METHOD(kernel_ipsec_t, query_sa, status_t,
- private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
- u_int64_t *packets, time_t *time)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
+ time_t *time)
 {
 /* It does not seem that WFP provides any means of getting per-SA traffic
 * statistics. IPsecGetStatistics0/1() provides global stats, and 
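Review bot: The two rewritten `hosts2traffic()` conditions in update_sa now run well past 80 columns (`if (!hosts2traffic(this, data->new_dst, data->new_src, &ctx->inboundSa->traffic) ||`), whereas the rest of this commit wraps the longer calls it rewrites (schedule_expire, add_trap, remove_trap); wrapping the argument lists the same way, with `&ctx->inboundSa->traffic) ||` on a continuation line, would keep the file consistent. update_sa starts and ends outside this hunk.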
@@ -2302,13 +2299,13 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 }
 METHOD(kernel_ipsec_t, del_sa, status_t,
- private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_del_sa_t *data)
 {
 entry_t *entry;
 sa_entry_t key = {
- .dst = dst,
- .spi = spi,
+ .dst = id->dst,
+ .spi = id->spi,
 };
 this->mutex->lock(this->mutex);
@@ -2341,25 +2338,23 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
 }
 METHOD(kernel_ipsec_t, add_policy, status_t,
- private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
- policy_priority_t priority)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data)
 {
 status_t status = SUCCESS;
 entry_t *entry;
 sp_entry_t *sp;
 sa_entry_t key = {
- .spi = sa->esp.use ? sa->esp.spi : sa->ah.spi,
- .dst = dst,
+ .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
+ .dst = data->dst,
 };
- if (sa->esp.use && sa->ah.use)
+ if (data->sa->esp.use && data->sa->ah.use)
 {
 return NOT_SUPPORTED;
 }
- switch (type)
+ switch (data->type)
 {
 case POLICY_IPSEC:
 break;
@@ -2368,7 +2363,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 return NOT_SUPPORTED;
 }
- switch (direction)
+ switch (id->dir)
 {
 case POLICY_OUT:
 break;
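Review bot: The `key` initializer in add_policy dereferences `data->sa` (`.spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi`) before the `switch (data->type)` that rejects everything except POLICY_IPSEC, so a pass or drop policy handed in with `sa == NULL` would fault instead of returning NOT_SUPPORTED; whether the kernel_ipsec_manage_policy_t contract guarantees a non-NULL `sa` is not visible in the hunk. If it does not, run the type switch and the esp/ah check first and build `key` afterwards, or guard the initializer with `data->sa ? ... : 0`. The same dereference pattern continues in the following hunks (`data->sa->reqid`, `data->sa->mode`, `data->sa->policy_count`); add_policy runs past this hunk.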
@@ -2380,18 +2375,20 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 return NOT_SUPPORTED;
 }
- switch (priority)
+ switch (data->prio)
 {
 case POLICY_PRIORITY_DEFAULT:
 break;
 case POLICY_PRIORITY_ROUTED:
- if (!add_trap(this, sa->reqid, FALSE, src, dst, src_ts, dst_ts))
+ if (!add_trap(this, data->sa->reqid, FALSE, data->src, data->dst,
+ id->src_ts, id->dst_ts))
 {
 return FAILED;
 }
- if (sa->mode == MODE_TUNNEL)
+ if (data->sa->mode == MODE_TUNNEL)
 {
- if (!add_trap(this, sa->reqid, TRUE, src, dst, src_ts, dst_ts))
+ if (!add_trap(this, data->sa->reqid, TRUE, data->src, data->dst,
+ id->src_ts, id->dst_ts))
 {
 return FAILED;
 }
@@ -2406,14 +2403,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 entry = this->osas->get(this->osas, &key);
 if (entry)
 {
- if (sa->mode == MODE_TUNNEL || array_count(entry->sps) == 0)
+ if (data->sa->mode == MODE_TUNNEL || array_count(entry->sps) == 0)
 {
 INIT(sp,
- .src = src_ts->clone(src_ts),
- .dst = dst_ts->clone(dst_ts),
+ .src = id->src_ts->clone(id->src_ts),
+ .dst = id->dst_ts->clone(id->dst_ts),
 );
 array_insert(entry->sps, -1, sp);
- if (array_count(entry->sps) == sa->policy_count)
+ if (array_count(entry->sps) == data->sa->policy_count)
 {
 if (!install(this, entry))
 {
@@ -2442,25 +2439,24 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 }
 METHOD(kernel_ipsec_t, query_policy, status_t,
- private_kernel_wfp_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
- time_t *use_time)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_query_policy_t *data, time_t *use_time)
 {
 /* see query_sa() for some notes */
 return NOT_SUPPORTED;
 }
 METHOD(kernel_ipsec_t, del_policy, status_t,
- private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
- mark_t mark, policy_priority_t priority)
+ private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data)
 {
- if (direction == POLICY_OUT && priority == POLICY_PRIORITY_ROUTED)
+ if (id->dir == POLICY_OUT && data->prio == POLICY_PRIORITY_ROUTED)
 {
- if (remove_trap(this, sa->reqid, FALSE, src_ts, dst_ts))
+ if (remove_trap(this, data->sa->reqid, FALSE, id->src_ts,
+ id->dst_ts))
 {
- remove_trap(this, sa->reqid, TRUE, src_ts, dst_ts);
+ remove_trap(this, data->sa->reqid, TRUE, id->src_ts,
+ id->dst_ts);
 return SUCCESS;
 }
 return NOT_FOUND;
@@ -2479,7 +2475,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 * Add a bypass policy for a specific UDP port
 */
 static bool add_bypass(private_kernel_wfp_ipsec_t *this,
- int family, u_int16_t port, bool inbound, UINT64 *luid)
+ int family, uint16_t port, bool inbound, UINT64 *luid)
 {
 FWPM_FILTER_CONDITION0 *cond, *conds = NULL;
 int count = 0;
@@ -2547,7 +2543,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
 } saddr;
 int addrlen = sizeof(saddr);
 UINT64 filter_out, filter_in = 0;
- u_int16_t port;
+ uint16_t port;
 if (getsockname(fd, &saddr.sa, &addrlen) == SOCKET_ERROR)
 {
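Review bot: In del_policy the second call, `remove_trap(this, data->sa->reqid, TRUE, id->src_ts, id->dst_ts);`, still discards its result, so a forward trap that fails to uninstall is reported as SUCCESS and its WFP filter stays behind. Because add_policy installs the forward trap only for MODE_TUNNEL, a missing forward trap is expected for transport-mode policies, and remove_trap returns a bool that cannot tell "not found" from "uninstall failed"; if that distinction matters, remove_trap needs to report it, otherwise at least `DBG1(DBG_KNL, "removing forward trap policy failed");` on a FALSE result would leave a trace. del_policy continues past the hunk.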
@@ -2584,7 +2580,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } METHOD(kernel_ipsec_t, enable_udp_decap, bool, - private_kernel_wfp_ipsec_t *this, int fd, int family, u_int16_t port) + private_kernel_wfp_ipsec_t *this, int fd, int family, uint16_t port) { return FALSE; } diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index 63bbf1975..e0c2cba50 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/led -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -200,12 +209,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -255,6 +266,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -289,6 +301,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -400,6 +413,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -457,7 +471,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -771,6 +784,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 14fcd6f4c..856bdd8aa 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = load-tester$(EXEEXT) subdir = src/libcharon/plugins/load_tester -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -213,12 +222,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -268,6 +279,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -302,6 +314,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -413,6 +426,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -478,7 +492,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/load_tester/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/load_tester/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -852,6 +865,8 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/load_tester/load_tester.c b/src/libcharon/plugins/load_tester/load_tester.c
index f5a998ecc..94b934d09 100644
--- a/src/libcharon/plugins/load_tester/load_tester.c
+++ b/src/libcharon/plugins/load_tester/load_tester.c
@@ -65,7 +65,7 @@ static FILE* make_connection()
 static int initiate(unsigned int count, unsigned int delay)
 {
 FILE *stream;
- char c;
+ int c;
 stream = make_connection();
 if (!stream)
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 8f6abde0c..28421c212 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -124,7 +124,7 @@ struct private_load_tester_config_t {
 /**
 * Current port for unique initiator ports
 */
- u_int16_t unique_port;
+ uint16_t unique_port;
 /**
 * IKE_SA rekeying delay
@@ -154,7 +154,7 @@ struct private_load_tester_config_t {
 /**
 * Dynamic source port, if used
 */
- u_int16_t port;
+ uint16_t port;
 /**
 * IKE version to use for load testing
@@ -454,8 +454,8 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 /**
 * Parse a protoport specifier
 */
-static bool parse_protoport(char *token, u_int16_t *from_port,
- u_int16_t *to_port, u_int8_t *protocol)
+static bool parse_protoport(char *token, uint16_t *from_port,
+ uint16_t *to_port, uint8_t *protocol)
 {
 char *sep, *port = "", *endptr;
 struct protoent *proto;
@@ -494,7 +494,7 @@ static bool parse_protoport(char *token, u_int16_t *from_port,
 {
 return FALSE;
 }
- *protocol = (u_int8_t)p;
+ *protocol = (uint8_t)p;
 }
 }
 if (streq(port, "%any"))
@@ -557,8 +557,8 @@ static void add_ts(private_load_tester_config_t *this,
 {
 enumerator_t *enumerator;
 char *subnet, *pos;
- u_int16_t from_port, to_port;
- u_int8_t proto;
+ uint16_t from_port, to_port;
+ uint8_t proto;
 enumerator = enumerator_create_token(string, ",", " ");
 while (enumerator->enumerate(enumerator, &subnet))
@@ -688,13 +688,25 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 peer_cfg_t *peer_cfg;
 char local[32], *remote;
 host_t *addr;
- ipsec_mode_t mode = MODE_TUNNEL;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = this->child_rekey * 2,
- .rekey = this->child_rekey,
- .jitter = 0
- }
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_NO,
+ .keyingtries = 1,
+ .rekey_time = this->ike_rekey,
+ .over_time = this->ike_rekey,
+ .no_mobike = TRUE,
+ .dpd = this->dpd_delay,
+ .dpd_timeout = this->dpd_timeout,
+ };
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = this->child_rekey * 2,
+ .rekey = this->child_rekey,
+ .jitter = 0
+ },
+ },
+ .mode = MODE_TUNNEL,
 };
 if (num)
@@ -737,14 +749,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 FRAGMENTATION_NO, 0);
 }
 ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
- peer_cfg = peer_cfg_create("load-test", ike_cfg,
- CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
- this->ike_rekey, 0, /* rekey, reauth */
- 0, this->ike_rekey, /* jitter, overtime */
- FALSE, FALSE, TRUE, /* mobike, aggressive, pull */
- this->dpd_delay, /* dpd_delay */
- this->dpd_timeout, /* dpd_timeout */
- FALSE, NULL, NULL);
+ peer_cfg = peer_cfg_create("load-test", ike_cfg, &peer);
+
 if (this->vip)
 {
 peer_cfg->add_virtual_ip(peer_cfg, this->vip->clone(this->vip));
@@ -768,17 +774,15 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 {
 if (streq(this->mode, "transport"))
 {
- mode = MODE_TRANSPORT;
+ child.mode = MODE_TRANSPORT;
 }
 else if (streq(this->mode, "beet"))
 {
- mode = MODE_BEET;
+ child.mode = MODE_BEET;
 }
 }
- child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, mode,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create("load-test", &child);
 child_cfg->add_proposal(child_cfg, this->esp->clone(this->esp));
 if (num)
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
index d62c7295d..2f482962a 100644
--- a/src/libcharon/plugins/load_tester/load_tester_creds.c
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -57,7 +57,7 @@ struct private_load_tester_creds_t {
 /**
 * serial number to issue certificates
 */
- u_int32_t serial;
+ uint32_t serial;
 /**
 * Preshared key for IKE
@@ -307,7 +307,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 identification_t *dn = NULL;
 linked_list_t *sans;
 char buf[128];
- u_int32_t serial;
+ uint32_t serial;
 time_t now;
 if (this->ca == NULL)
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 6a86bb899..4e20c8f3a 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
 METHOD(kernel_ipsec_t, get_spi, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t *spi)
+ uint8_t protocol, uint32_t *spi)
 {
 *spi = (uint32_t)ref_get(&this->spi);
 return SUCCESS;
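Review bot: The removed `child_cfg_create("load-test", &lifetime, NULL, TRUE, mode, ...)` call passed TRUE as its fourth argument, which in the old positional prototype was presumably the hostaccess flag, while the new `child_cfg_create_t child` initializer in the preceding hunk sets only `.lifetime` and `.mode`, so that flag now takes the zero default. If the new struct has a `hostaccess` member, the behaviour-preserving change is to add `.hostaccess = TRUE,` to that initializer; if the flag was dropped on purpose, a sentence in the commit description would save the next reader the archaeology. The `peer_cfg_create_t peer` initializer in the same earlier hunk appears to carry over each value of the old positional peer_cfg_create call (`.no_mobike = TRUE` for the old mobike FALSE, the rekey/over times, dpd settings), so only the child side looks affected. generate_config starts before this hunk.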
@@ -44,69 +44,58 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int16_t *cpi)
+ uint16_t *cpi)
 {
 return FAILED;
 }
 METHOD(kernel_ipsec_t, add_sa, status_t,
- private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
- u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
- u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
- u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound, bool update,
- linked_list_t *src_ts, linked_list_t *dst_ts)
+ private_load_tester_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_add_sa_t *data)
 {
 return SUCCESS;
 }
 METHOD(kernel_ipsec_t, update_sa, status_t,
- private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
- u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src,
- host_t *new_dst, bool encap, bool new_encap, mark_t mark)
+ private_load_tester_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_update_sa_t *data)
 {
 return SUCCESS;
 }
 METHOD(kernel_ipsec_t, query_sa, status_t,
- private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets, time_t *time)
+ private_load_tester_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
+ time_t *time)
 {
 return NOT_SUPPORTED;
 }
 METHOD(kernel_ipsec_t, del_sa, status_t,
- private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+ private_load_tester_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_del_sa_t *data)
 {
 return SUCCESS;
 }
 METHOD(kernel_ipsec_t, add_policy, status_t,
- private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- 
policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
- mark_t mark, policy_priority_t priority)
+ private_load_tester_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data)
 {
 return SUCCESS;
 }
 METHOD(kernel_ipsec_t, query_policy, status_t,
- private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
- time_t *use_time)
+ private_load_tester_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_query_policy_t *data, time_t *use_time)
 {
 *use_time = 1;
 return SUCCESS;
 }
 METHOD(kernel_ipsec_t, del_policy, status_t,
- private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
- mark_t mark, policy_priority_t priority)
+ private_load_tester_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data)
 {
 return SUCCESS;
 }
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 9b56d94fe..69aa3792c 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = lookip$(EXEEXT) subdir = src/libcharon/plugins/lookip -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -209,12 +218,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -264,6 +275,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -298,6 +310,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -409,6 +422,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -469,7 +483,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -839,6 +852,8 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in index 5cc654967..78525bf6c 100644 --- a/src/libcharon/plugins/maemo/Makefile.in +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -80,8 +90,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/maemo -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -95,6 +103,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -468,7 +482,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -805,6 +818,8 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in $(AM_V_GEN) \ diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c index 2e96f8fb4..3e5861b87 100644 --- a/src/libcharon/plugins/maemo/maemo_service.c +++ b/src/libcharon/plugins/maemo/maemo_service.c 
@@ -236,12 +236,23 @@ static gboolean initiate_connection(private_maemo_service_t *this, traffic_selector_t *ts; auth_cfg_t *auth; certificate_t *cert; - lifetime_cfg_t lifetime = { - .time = { - .life = 10800, /* 3h */ - .rekey = 10200, /* 2h50min */ - .jitter = 300 /* 5min */ - } + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = 36000, /* 10h */ + .jitter_time = 600, /* 10min */ + .over_time = 600, /* 10min */ + }; + child_cfg_create_t child = { + .lifetime = { + .time = { + .life = 10800, /* 3h */ + .rekey = 10200, /* 2h50min */ + .jitter = 300 /* 5min */ + }, + }, + .mode = MODE_TUNNEL, }; if (this->status == VPN_STATUS_CONNECTED || @@ -329,14 +340,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - peer_cfg = peer_cfg_create(this->current, ike_cfg, - CERT_SEND_IF_ASKED, - UNIQUE_REPLACE, 1, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 0, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ + peer_cfg = peer_cfg_create(this->current, ike_cfg, &peer); peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0)); auth = auth_cfg_create(); 
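Review bot: The designated initializer for `peer` and `child` silently drops settings the old calls passed explicitly — `TRUE, FALSE, TRUE` for mobike, aggressive and pull mode and the `0, 0` DPD delay/timeout on the peer config, and the unlabeled `TRUE` after the updown argument on the child config — so those now take whatever the zero value of the corresponding `peer_cfg_create_t` / `child_cfg_create_t` field means. If those fields are spelled as negatives (a "no mobike" or "push mode" style flag) zero preserves the old behavior, but the struct definitions are not in this diff, so that should be confirmed rather than assumed. A short comment next to the initializer would make the reliance explicit, e.g. `/* fields not listed take the struct's zero value; confirm that matches the previous mobike/pull/no-DPD settings */`. initiate_connection continues outside the hunk, and the `peer_cfg_create` call that consumes this struct is in the following hunk.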
@@ -348,9 +352,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, auth->add(auth, AUTH_RULE_IDENTITY, gateway); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */, - TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, - ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0); + child_cfg = child_cfg_create(this->current, &child); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 32c428487..fe301a7d9 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/medcli -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -463,7 +477,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/medcli/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/medcli/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -779,6 +792,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 25b138387..4452739c1 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -82,12 +82,25 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, child_cfg_t *child_cfg; chunk_t me, other; char *address, *local_net, *remote_net; - lifetime_cfg_t lifetime = { - .time = { - .life = this->rekey * 60 + this->rekey, - .rekey = this->rekey, - .jitter = this->rekey - } + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = this->rekey * 60, + .jitter_time = this->rekey * 5, + .over_time = this->rekey * 3, + .dpd = this->dpd, + .mediation = TRUE, + }; + child_cfg_create_t child = { + .lifetime = { + .time = { + .life = this->rekey * 60 + this->rekey, + .rekey = this->rekey, + .jitter = this->rekey + }, + }, + .mode = MODE_TUNNEL, }; /* query mediation server config: 
@@ -107,14 +120,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, address, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); - med_cfg = peer_cfg_create( - "mediation", ike_cfg, - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - TRUE, NULL, NULL); /* mediation, med by, peer id */ + med_cfg = peer_cfg_create("mediation", ike_cfg, &peer); e->destroy(e); auth = auth_cfg_create(); @@ -144,15 +150,10 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, DESTROY_IF(e); return NULL; } - peer_cfg = peer_cfg_create( - name, this->ike->get_ref(this->ike), - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - FALSE, med_cfg, /* mediation, med by */ - identification_create_from_encoding(ID_KEY_ID, other)); + peer.mediation = FALSE; + peer.mediated_by = med_cfg; + peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other); + peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 
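Review bot: Reusing `peer` after it has already been handed to `peer_cfg_create` for `med_cfg` is only safe if the constructor copies the fields out of the struct rather than keeping the pointer; that is plausible for a stack variable, but a one-line comment before `peer.mediation = FALSE;` would state the intent and the assumption, e.g. `/* same timing/DPD settings as the mediation connection, but this one is mediated by it */`. The `identification_t` created for `peer.peer_id` is now passed inside the struct instead of as an argument; if `peer_cfg_create` does not adopt it, or can fail before doing so, it leaks — worth checking against the constructor, which is outside this diff. get_peer_cfg_by_name continues outside the hunk.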
@@ -165,9 +166,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, identification_create_from_encoding(ID_KEY_ID, other)); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, - 0, 0, NULL, NULL, 0); + child_cfg = child_cfg_create(name, &child); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); @@ -205,12 +204,24 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, chunk_t me, other; child_cfg_t *child_cfg; auth_cfg_t *auth; - lifetime_cfg_t lifetime = { - .time = { - .life = this->rekey * 60 + this->rekey, - .rekey = this->rekey, - .jitter = this->rekey - } + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = this->rekey * 60, + .jitter_time = this->rekey * 5, + .over_time = this->rekey * 3, + .dpd = this->dpd, + }; + child_cfg_create_t child = { + .lifetime = { + .time = { + .life = this->rekey * 60 + this->rekey, + .rekey = this->rekey, + .jitter = this->rekey + }, + }, + .mode = MODE_TUNNEL, }; DESTROY_IF(this->current); @@ -220,14 +231,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, this->current = NULL; return FALSE; } - this->current = peer_cfg_create( - name, this->ike->get_ref(this->ike), - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation, med by, peer id */ + this->current = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); 
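Review bot: The `peer` and `child` initializers in peer_enumerator_enumerate duplicate the ones in get_peer_cfg_by_name (same `this->rekey` arithmetic, same `.dpd`, same `MODE_TUNNEL`), differing only in the mediation fields, so a small static helper that fills both structs from `this` would keep the two sites from drifting when a timing value is tuned. The `this->rekey * 60 + this->rekey` lifetime and `this->rekey * 5` jitter are carried over unchanged, but now that they appear in two designated initializers a comment on the unit of `rekey` (seconds, presumably) would help readers, e.g. `/* rekey is in seconds: IKE rekeys every rekey*60, CHILD_SA every rekey */`. peer_enumerator_enumerate continues past the end of the hunk.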
@@ -240,9 +244,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, identification_create_from_encoding(ID_KEY_ID, other)); this->current->add_auth_cfg(this->current, auth, FALSE); - child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, - 0, 0, NULL, NULL, 0); + child_cfg = child_cfg_create(name, &child); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index de0217a80..d4154fea4 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/medsrv -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/medsrv/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/medsrv/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c index 02d805e06..be7f481b6 100644 --- a/src/libcharon/plugins/medsrv/medsrv_config.c +++ b/src/libcharon/plugins/medsrv/medsrv_config.c @@ -87,14 +87,18 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, if (e->enumerate(e, &name)) { - peer_cfg = peer_cfg_create( - name, this->ike->get_ref(this->ike), - CERT_NEVER_SEND, UNIQUE_REPLACE, - 1, this->rekey*60, 0, /* keytries, rekey, reauth */ - this->rekey*5, this->rekey*3, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - this->dpd, 0, /* DPD delay, timeout */ - TRUE, NULL, NULL); /* mediation, med by, peer id */ + peer_cfg_create_t peer = { + .cert_policy = CERT_NEVER_SEND, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + .rekey_time = this->rekey * 60, + .jitter_time = this->rekey * 5, + .over_time = this->rekey * 3, + .dpd = this->dpd, + .mediation = TRUE, + }; + peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), + &peer); e->destroy(e); auth = auth_cfg_create(); diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in index 6a1a81f08..ec488defe 100644 --- a/src/libcharon/plugins/osx_attr/Makefile.in +++ b/src/libcharon/plugins/osx_attr/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/osx_attr -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -463,7 +477,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/osx_attr/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/osx_attr/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/p_cscf/Makefile.am b/src/libcharon/plugins/p_cscf/Makefile.am index 1e00a56a8..f37f3f514 100644 --- a/src/libcharon/plugins/p_cscf/Makefile.am +++ b/src/libcharon/plugins/p_cscf/Makefile.am @@ -1,6 +1,5 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon AM_CFLAGS = \ diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in index 7f78db85a..67ab4bfe3 100644 
--- a/src/libcharon/plugins/p_cscf/Makefile.in +++ b/src/libcharon/plugins/p_cscf/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/p_cscf -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -433,7 +447,6 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon AM_CFLAGS = \ @@ -462,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/p_cscf/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/p_cscf/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -776,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index 3f39ba237..9b7ab4c53 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/radattr -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -204,12 +213,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -259,6 +270,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -293,6 +305,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -404,6 +417,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -463,7 +477,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/radattr/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/radattr/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in index 70d97cc32..38b709ef0 100644 --- a/src/libcharon/plugins/resolve/Makefile.in +++ b/src/libcharon/plugins/resolve/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/resolve -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c index ec3decc4d..9077b51d4 100644 --- a/src/libcharon/plugins/resolve/resolve_handler.c +++ b/src/libcharon/plugins/resolve/resolve_handler.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2016 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -21,6 +21,8 @@ #include <unistd.h> #include <utils/debug.h> +#include <utils/process.h> +#include <collections/array.h> #include <threading/mutex.h> /* path to resolvconf executable */ @@ -47,12 +49,12 @@ struct private_resolve_handler_t { char *file; /** - * use resolvconf instead of writing directly to resolv.conf + * Use resolvconf instead of writing directly to resolv.conf */ bool use_resolvconf; /** - * prefix to be used for interface names sent to resolvconf + * Prefix to be used for interface names sent to resolvconf */ char *iface_prefix; 
@@ -60,13 +62,55 @@ struct private_resolve_handler_t {
 * Mutex to access file exclusively
 */
 mutex_t *mutex;
+
+ /**
+ * Reference counting for DNS servers dns_server_t
+ */
+ array_t *servers;
 };
 
 /**
+ * Reference counting for DNS servers
+ */
+typedef struct {
+
+ /**
+ * DNS server address
+ */
+ host_t *server;
+
+ /**
+ * Reference count
+ */
+ u_int refcount;
+
+} dns_server_t;
+
+/**
+ * Compare a server and a stored reference
+ */
+static int dns_server_find(const void *a, const void *b)
+{
+ host_t *server = (host_t*)a;
+ dns_server_t *item = (dns_server_t*)b;
+ return chunk_compare(server->get_address(server),
+ item->server->get_address(item->server));
+}
+
+/**
+ * Sort references by DNS server
+ */
+static int dns_server_sort(const void *a, const void *b, void *user)
+{
+ const dns_server_t *da = a, *db = b;
+ return chunk_compare(da->server->get_address(da->server),
+ db->server->get_address(db->server));
+}
+
+/**
 * Writes the given nameserver to resolv.conf
 */
-static bool write_nameserver(private_resolve_handler_t *this,
- identification_t *server, host_t *addr)
+static bool write_nameserver(private_resolve_handler_t *this, host_t *addr)
 {
 FILE *in, *out;
 char buf[1024];
@@ -79,8 +123,7 @@ static bool write_nameserver(private_resolve_handler_t *this,
 out = fopen(this->file, "w");
 if (out)
 {
- fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr,
- server);
+ fprintf(out, "nameserver %H # by strongSwan\n", addr);
 DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
 handled = TRUE;
 
@@ -104,8 +147,7 @@ static bool write_nameserver(private_resolve_handler_t *this,
 /**
 * Removes the given nameserver from resolv.conf
 */
-static void remove_nameserver(private_resolve_handler_t *this,
- identification_t *server, host_t *addr)
+static void remove_nameserver(private_resolve_handler_t *this, host_t *addr)
 {
 FILE *in, *out;
 char line[1024], matcher[512];
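Review bot: The comment on the new `servers` field, `Reference counting for DNS servers dns_server_t`, reads as a fragment and says neither what the array holds nor how it is guarded; in the visible handle/release code every access sits between `this->mutex->lock` and `unlock`, and the array is re-sorted with `dns_server_sort` after each insert so that `array_bsearch` works. Suggest `/** Installed DNS servers with their reference counts (dns_server_t), kept sorted by address; protected by mutex */`. `dns_server_find` would also benefit from a one-line remark that it is the `array_bsearch` callback, receiving the lookup key as a `host_t*` and the stored element as a `dns_server_t*`, since the sibling `dns_server_sort` compares two elements and a reader may otherwise assume the two callbacks take the same argument types. The `private_resolve_handler_t` definition begins outside the hunk.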
@@ -119,8 +161,7 @@ static void remove_nameserver(private_resolve_handler_t *this,
 if (out)
 {
 snprintf(matcher, sizeof(matcher),
- "nameserver %H # by strongSwan, from %Y\n",
- addr, server);
+ "nameserver %H # by strongSwan\n", addr);
 
 /* copy all, but matching line */
 while (fgets(line, sizeof(line), in))
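Review bot: Switching the matcher to `"nameserver %H # by strongSwan\n"` means lines written in the previous format (`... # by strongSwan, from <id>`) that are still present in resolv.conf after an upgrade or an unclean shutdown no longer match, so they are carried over untouched on every release, assuming the loop below compares whole lines. Matching on the prefix instead covers both formats: build the matcher without the trailing newline, `"nameserver %H # by strongSwan"`, and compare with `strncmp(line, matcher, strlen(matcher)) == 0`. The comparison loop and the rest of remove_nameserver lie outside the hunk.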
@@ -144,50 +185,91 @@ static void remove_nameserver(private_resolve_handler_t *this,
 /**
 * Add or remove the given nameserver by invoking resolvconf.
 */
-static bool invoke_resolvconf(private_resolve_handler_t *this,
- identification_t *server, host_t *addr,
+static bool invoke_resolvconf(private_resolve_handler_t *this, host_t *addr,
 bool install)
 {
- char cmd[128];
- bool success = TRUE;
+ process_t *process;
+ FILE *shell;
+ int in, out, retval;
 
 /* we use the nameserver's IP address as part of the interface name to
 * make them unique */
- if (snprintf(cmd, sizeof(cmd), "%s %s %s%H", RESOLVCONF_EXEC,
- install ? "-a" : "-d", this->iface_prefix, addr) >= sizeof(cmd))
+ process = process_start_shell(NULL, install ? &in : NULL, &out, NULL,
+ "2>&1 %s %s %s%H", RESOLVCONF_EXEC,
+ install ? "-a" : "-d", this->iface_prefix, addr);
+
+ if (!process)
 {
 return FALSE;
 }
-
 if (install)
 {
- FILE *out;
-
- out = popen(cmd, "w");
- if (!out)
+ shell = fdopen(in, "w");
+ if (shell)
 {
- return FALSE;
+ DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr);
+ fprintf(shell, "nameserver %H\n", addr);
+ fclose(shell);
 }
- DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr);
- fprintf(out, "nameserver %H\n", addr);
- success = !ferror(out);
- if (pclose(out))
+ else
 {
+ close(in);
+ close(out);
+ process->wait(process, NULL);
 return FALSE;
 }
 }
 else
 {
- ignore_result(system(cmd));
+ DBG1(DBG_IKE, "removing DNS server %H via resolvconf", addr);
+ }
+ shell = fdopen(out, "r");
+ if (shell)
+ {
+ while (TRUE)
+ {
+ char resp[128], *e;
+
+ if (fgets(resp, sizeof(resp), shell) == NULL)
+ {
+ if (ferror(shell))
+ {
+ DBG1(DBG_IKE, "error reading from resolvconf");
+ }
+ break;
+ }
+ else
+ {
+ e = resp + strlen(resp);
+ if (e > resp && e[-1] == '\n')
+ {
+ e[-1] = '\0';
+ }
+ DBG1(DBG_IKE, "resolvconf: %s", resp);
+ }
+ }
+ fclose(shell);
+ }
+ else
+ {
+ close(out);
+ }
+ if (!process->wait(process, &retval) || retval != EXIT_SUCCESS)
+ {
+ if (install)
+ { /* revert changes when installing fails */
+ invoke_resolvconf(this, addr, FALSE);
+ return FALSE;
+ }
 }
- return success;
+ return TRUE;
 }
 
 METHOD(attribute_handler_t, handle, bool,
 private_resolve_handler_t *this, ike_sa_t *ike_sa,
 configuration_attribute_type_t type, chunk_t data)
 {
- identification_t *server;
+ dns_server_t *found = NULL;
 host_t *addr;
 bool handled;
 
@@ -208,16 +290,34 @@ METHOD(attribute_handler_t, handle, bool,
 DESTROY_IF(addr);
 return FALSE;
 }
- server = ike_sa->get_other_id(ike_sa);
 
 this->mutex->lock(this->mutex);
- if (this->use_resolvconf)
+ if (array_bsearch(this->servers, addr, dns_server_find, &found) == -1)
 {
- handled = invoke_resolvconf(this, server, addr, TRUE);
+ if (this->use_resolvconf)
+ {
+ handled = invoke_resolvconf(this, addr, TRUE);
+ }
+ else
+ {
+ handled = write_nameserver(this, addr);
+ }
+ if (handled)
+ {
+ INIT(found,
+ .server = addr->clone(addr),
+ .refcount = 1,
+ );
+ array_insert_create(&this->servers, ARRAY_TAIL, found);
+ array_sort(this->servers, dns_server_sort, NULL);
+ }
 }
 else
 {
- handled = write_nameserver(this, server, addr);
+ DBG1(DBG_IKE, "DNS server %H already installed, increasing refcount",
+ addr);
+ found->refcount++;
+ handled = TRUE;
 }
 this->mutex->unlock(this->mutex);
 addr->destroy(addr);
@@ -233,9 +333,9 @@ METHOD(attribute_handler_t, release, void,
 private_resolve_handler_t *this, ike_sa_t *ike_sa,
 configuration_attribute_type_t type, chunk_t data)
 {
- identification_t *server;
+ dns_server_t *found = NULL;
 host_t *addr;
- int family;
+ int family, idx;
 
 switch (type)
 {
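Review bot: The install branch of invoke_resolvconf drops the write-status check the old code had (`success = !ferror(out)` plus the `pclose` result): `fprintf(shell, "nameserver %H\n", addr)` and `fclose(shell)` are now unchecked, so if the `nameserver` line never reached resolvconf's stdin (pipe closed early, failed flush) the function still returns TRUE whenever the child exits with status 0, and the caller in `handle` then records the address as installed with refcount 1. Record `ferror(shell)` and the `fclose` result in a flag and fold it into the final condition so the existing revert path runs; keep `process->wait` first in that condition so a failed write never skips reaping the child. The fence shows only the changed lines.
```c
	int in, out, retval;
	bool failed = FALSE;
	/* … unchanged: process_start_shell(), !process check, if (install) / fdopen(in, "w") … */
			fprintf(shell, "nameserver %H\n", addr);
			/* a short write or failed flush means resolvconf never saw the entry;
			 * treated like a non-zero exit status below so the install is reverted */
			failed = ferror(shell) != 0;
			if (fclose(shell) != 0)
			{
				failed = TRUE;
			}
	/* … unchanged: fdopen failure branch, removal branch, reading resolvconf output … */
	if (!process->wait(process, &retval) || retval != EXIT_SUCCESS || failed)
```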
@@ -249,16 +349,30 @@ METHOD(attribute_handler_t, release, void, return; } addr = host_create_from_chunk(family, data, 0); - server = ike_sa->get_other_id(ike_sa); this->mutex->lock(this->mutex); - if (this->use_resolvconf) - { - invoke_resolvconf(this, server, addr, FALSE); - } - else + idx = array_bsearch(this->servers, addr, dns_server_find, &found); + if (idx != -1) { - remove_nameserver(this, server, addr); + if (--found->refcount > 0) + { + DBG1(DBG_IKE, "DNS server %H still used, decreasing refcount", + addr); + } + else + { + if (this->use_resolvconf) + { + invoke_resolvconf(this, addr, FALSE); + } + else + { + remove_nameserver(this, addr); + } + array_remove(this->servers, idx, NULL); + found->server->destroy(found->server); + free(found); + } } this->mutex->unlock(this->mutex); @@ -341,6 +455,7 @@ METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, METHOD(resolve_handler_t, destroy, void, private_resolve_handler_t *this) { + array_destroy(this->servers); this->mutex->destroy(this->mutex); free(this); } diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 221cda71a..72a168cb5 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
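Review bot: In release, `addr` from `host_create_from_chunk(family, data, 0)` is passed straight to `array_bsearch`, whose callback `dns_server_find` calls `server->get_address(server)` on it; `handle` guards the same construction with `DESTROY_IF(addr); return FALSE;`, but release has no equivalent, so a NULL result (if host_create_from_chunk can return one for a malformed address length) would now be dereferenced while holding the mutex. Suggest `if (!addr) { return; }` right after the creation, mirroring handle. The not-found case (`idx == -1`) is also silent; an else branch with `DBG1(DBG_IKE, "DNS server %H not installed, ignoring release", addr);` would make a handle/release mismatch visible in the log. The remainder of release lies outside the hunk.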
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/smp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -201,12 +210,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -256,6 +267,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -290,6 +302,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -401,6 +414,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/smp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/smp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -774,6 +787,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c index 56b19c792..56891b263 100644 --- a/src/libcharon/plugins/smp/smp.c +++ b/src/libcharon/plugins/smp/smp.c @@ -374,7 +374,7 @@ static void request_control_terminate(xmlTextReaderPtr reader, xmlTextReaderNodeType(reader) == XML_READER_TYPE_TEXT) { const char *str; - u_int32_t id; + uint32_t id; status_t status; str = xmlTextReaderConstValue(reader); diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 3dcfaf4a6..112d8d218 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/socket_default -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_default/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/socket_default/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index 6e432d9cf..ba22b0c2b 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c 
@@ -84,12 +84,12 @@ struct private_socket_default_socket_t { /** * Configured port (or random, if initially 0) */ - u_int16_t port; + uint16_t port; /** * Configured port for NAT-T (or random, if initially 0) */ - u_int16_t natt; + uint16_t natt; /** * IPv4 socket (500 or port) @@ -114,22 +114,22 @@ struct private_socket_default_socket_t { /** * DSCP value set on IPv4 socket */ - u_int8_t dscp4; + uint8_t dscp4; /** * DSCP value set on IPv4 socket for NAT-T (4500 or natt) */ - u_int8_t dscp4_natt; + uint8_t dscp4_natt; /** * DSCP value set on IPv6 socket (500 or port) */ - u_int8_t dscp6; + uint8_t dscp6; /** * DSCP value set on IPv6 socket for NAT-T (4500 or natt) */ - u_int8_t dscp6_natt; + uint8_t dscp6_natt; /** * Maximum packet size to receive @@ -153,7 +153,7 @@ struct private_socket_default_socket_t { */ #ifdef IP_PKTINFO -static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, uint16_t port) { struct sockaddr_in dst = { .sin_family = AF_INET, @@ -174,7 +174,7 @@ static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) #elif defined(IP_RECVDSTADDR) -static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, uint16_t port) { struct sockaddr_in dst = { .sin_family = AF_INET, @@ -193,7 +193,7 @@ static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) #else /* IP_PKTINFO || IP_RECVDSTADDR */ -static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, uint16_t port) { return NULL; } @@ -206,7 +206,7 @@ static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) */ #ifdef HAVE_IN6_PKTINFO -static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) +static host_t *get_dst_v6(struct cmsghdr *cmsgptr, uint16_t port) { struct in6_pktinfo *pktinfo; struct sockaddr_in6 dst = { 
@@ -225,7 +225,7 @@ static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) #else /* HAVE_IN6_PKTINFO */ -static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) +static host_t *get_dst_v6(struct cmsghdr *cmsgptr, uint16_t port) { return NULL; } @@ -241,7 +241,7 @@ METHOD(socket_t, receiver, status_t, host_t *source = NULL, *dest = NULL; int i, rr, index, bytes_read = 0, selected = -1; bool oldstate; - u_int16_t port = 0; + uint16_t port = 0; struct pollfd pfd[] = { { .fd = this->ipv4, .events = POLLIN }, { .fd = this->ipv4_natt, .events = POLLIN }, @@ -464,7 +464,7 @@ METHOD(socket_t, sender, status_t, host_t *src, *dst; struct msghdr msg; struct iovec iov; - u_int8_t *dscp; + uint8_t *dscp; src = packet->get_source(packet); dst = packet->get_destination(packet); @@ -521,7 +521,7 @@ METHOD(socket_t, sender, status_t, { if (family == AF_INET) { - u_int8_t ds4; + uint8_t ds4; ds4 = packet->get_dscp(packet) << 2; if (setsockopt(skt, SOL_IP, IP_TOS, &ds4, sizeof(ds4)) == 0) @@ -584,7 +584,7 @@ METHOD(socket_t, sender, status_t, return SUCCESS; } -METHOD(socket_t, get_port, u_int16_t, +METHOD(socket_t, get_port, uint16_t, private_socket_default_socket_t *this, bool nat_t) { return nat_t ? this->natt : this->port; @@ -610,7 +610,7 @@ METHOD(socket_t, supported_families, socket_family_t, * open a socket to send and receive packets */ static int open_socket(private_socket_default_socket_t *this, - int family, u_int16_t *port) + int family, uint16_t *port) { int on = TRUE; union { diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 88bc22f5e..9f5f4a2e9 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/socket_dynamic -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_dynamic/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/socket_dynamic/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -776,6 +789,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c index b89cae47b..ba92e10f2 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c @@ -107,7 +107,7 @@ struct dynsock_t { /** * Bound source port */ - u_int16_t port; + uint16_t port; }; /** 
@@ -324,7 +324,7 @@ METHOD(socket_t, receiver, status_t, /** * Get the port allocated dynamically using bind() */ -static bool get_dynamic_port(int fd, int family, u_int16_t *port) +static bool get_dynamic_port(int fd, int family, uint16_t *port) { union { struct sockaddr_storage ss; @@ -367,7 +367,7 @@ static bool get_dynamic_port(int fd, int family, u_int16_t *port) * open a socket to send and receive packets */ static int open_socket(private_socket_dynamic_socket_t *this, - int family, u_int16_t *port) + int family, uint16_t *port) { union { struct sockaddr_storage ss; @@ -481,7 +481,7 @@ static dynsock_t *get_any_socket(private_socket_dynamic_socket_t *this, * Find/Create a socket to send from host */ static dynsock_t *find_socket(private_socket_dynamic_socket_t *this, - int family, u_int16_t port) + int family, uint16_t port) { dynsock_t *skt, lookup = { .family = family, @@ -636,7 +636,7 @@ METHOD(socket_t, sender, status_t, return SUCCESS; } -METHOD(socket_t, get_port, u_int16_t, +METHOD(socket_t, get_port, uint16_t, private_socket_dynamic_socket_t *this, bool nat_t) { /* we return 0 here for users that have no explicit port configured, the diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in index 683011062..1b6b9f64a 100644 --- a/src/libcharon/plugins/socket_win/Makefile.in +++ b/src/libcharon/plugins/socket_win/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/socket_win -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -463,7 +477,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_win/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/socket_win/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/socket_win/socket_win_socket.c b/src/libcharon/plugins/socket_win/socket_win_socket.c index 94af08e80..c42783c77 100644 --- a/src/libcharon/plugins/socket_win/socket_win_socket.c +++ b/src/libcharon/plugins/socket_win/socket_win_socket.c @@ -51,7 +51,7 @@ struct private_socket_win_socket_t { /** * Port for each socket */ - u_int16_t ports[SOCKET_COUNT]; + uint16_t ports[SOCKET_COUNT]; /** * IPv4/IPv6 dual-use sockets @@ -205,7 +205,7 @@ METHOD(socket_t, receiver, status_t, METHOD(socket_t, sender, status_t, private_socket_win_socket_t *this, packet_t *packet) { - u_int16_t port; + uint16_t port; int i = -1, j; host_t *src, *dst; WSAMSG msg; 
@@ -316,7 +316,7 @@ METHOD(socket_t, sender, status_t, return SUCCESS; } -METHOD(socket_t, get_port, u_int16_t, +METHOD(socket_t, get_port, uint16_t, private_socket_win_socket_t *this, bool nat) { return this->ports[nat != 0]; diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index b09379b02..b9cae90ec 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/sql -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -201,12 +210,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -256,6 +267,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -290,6 +302,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -401,6 +414,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -459,7 +473,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/sql/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/sql/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index ce24d180a..bbc20dca7 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -170,12 +170,22 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown, &hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid)) { - lifetime_cfg_t lft = { - .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter } + child_cfg_create_t child = { + .mode = mode, + .reqid = reqid, + .ipcomp = ipcomp, + .lifetime = { + .time = { + .life = lifetime, .rekey = rekeytime, .jitter = jitter + }, + }, + .start_action = start, + .dpd_action = dpd, + .close_action = close, + .updown = updown, + .hostaccess = hostaccess, }; - child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode, - start, dpd, close, ipcomp, 0, reqid, - NULL, NULL, 0); + child_cfg = child_cfg_create(name, &child); add_esp_proposals(this, child_cfg, id); add_traffic_selectors(this, child_cfg, id); return child_cfg; @@ -290,6 +300,7 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) return ike_cfg; } +#ifdef ME /** * Query a peer config by its id */ @@ -322,6 +333,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id) } return peer_cfg; } +#endif /* ME */ /** * Check if the two IDs match (the first one is optional) @@ -353,7 +365,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, &mediation, &mediated_by, &p_type, &p_data)) { identification_t *local_id, *remote_id, *peer_id = NULL; - peer_cfg_t *peer_cfg, *mediated_cfg; + peer_cfg_t *peer_cfg, *mediated_cfg = NULL; ike_cfg_t *ike; host_t *vip = NULL; auth_cfg_t *auth; 
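Review bot: The `child` initializer in build_child_cfg leaves `inactivity`, `tfc` and both marks unset and relies on designated-initializer zeroing to reproduce the `0, reqid, NULL, NULL, 0` tail of the removed child_cfg_create() call; that is correct but invisible to a reader, so I would add `/* inactivity, tfc and marks stay at their zero defaults, as in the old call */` above `child_cfg = child_cfg_create(name, &child);`. The enumerate() condition at the top of the hunk is context, and build_child_cfg continues outside the hunk.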
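Review bot: With the `#ifdef ME` guards added in the following hunk, `mediated_cfg` (now initialised to NULL here) and `peer_id` are only assigned and read inside ME-only code, so a build without ME may get unused-variable warnings for both unless they are referenced further down outside the hunk. If they are not, moving the two declarations under `#ifdef ME` as well, or at least adding `/* mediated_cfg and peer_id are only used when ME is enabled */`, keeps the non-ME build warning-free. The declaration block belongs to build_peer_cfg, whose body continues outside this hunk.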
@@ -367,22 +379,38 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, continue; } ike = get_ike_cfg_by_id(this, ike_cfg); + +#ifdef ME mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL; if (p_type) { peer_id = identification_create_from_encoding(p_type, p_data); } +#endif if (virtual) { vip = host_create_from_string(virtual, 0); } if (ike) { - peer_cfg = peer_cfg_create( - name, ike, cert_policy, uniqueid, - keyingtries, rekeytime, reauthtime, jitter, overtime, - mobike, FALSE, TRUE, dpd_delay, 0, - mediation, mediated_cfg, peer_id); + peer_cfg_create_t peer = { + .cert_policy = cert_policy, + .unique = uniqueid, + .keyingtries = keyingtries, + .rekey_time = rekeytime, + .reauth_time = reauthtime, + .jitter_time = jitter, + .over_time = overtime, + .no_mobike = !mobike, + .dpd = dpd_delay, +#ifdef ME + .mediation = mediation, + .mediated_by = mediated_cfg, + .peer_id = peer_id, +#endif /* ME */ + }; + + peer_cfg = peer_cfg_create(name, ike, &peer); if (vip) { peer_cfg->add_virtual_ip(peer_cfg, vip); diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c index 0fa06eac5..46a894028 100644 --- a/src/libcharon/plugins/sql/sql_logger.c +++ b/src/libcharon/plugins/sql/sql_logger.c @@ -63,7 +63,7 @@ METHOD(logger_t, log_, void, chunk_t local_spi, remote_spi; host_t *local_host, *remote_host; identification_t *local_id, *remote_id; - u_int64_t ispi, rspi; + uint64_t ispi, rspi; ike_sa_id_t *id; id = ike_sa->get_id(ike_sa); diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 2b22b333a..9f63cb0b5 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in 
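Review bot: `.no_mobike = !mobike` inverts the value enumerated from the database, and `.aggressive` and `.push_mode` are now left at zero where the removed call passed `FALSE, TRUE` for aggressive and pull mode, so the mapping is no longer self-evident from the call site. I would comment the initializer, e.g. `/* DB stores 'mobike enabled'; peer_cfg_create_t takes the inverse */` above `.no_mobike = !mobike,`, and confirm that a zero `.push_mode` is pull mode, as the old `TRUE` argument implied. build_peer_cfg's body continues beyond the hunk on both sides.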
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/stroke -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -474,7 +488,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/stroke/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/stroke/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -796,6 +809,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index d0eb2aac3..f2d110434 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -252,7 +252,7 @@ static void swap_ends(stroke_msg_t *msg) static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) { ike_cfg_t *ike_cfg; - u_int16_t ikeport; + uint16_t ikeport; char me[256], other[256]; swap_ends(msg); 
@@ -616,12 +616,17 @@ static mem_pool_t *create_pool_range(char *str) static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, stroke_msg_t *msg, ike_cfg_t *ike_cfg) { - identification_t *peer_id = NULL; - peer_cfg_t *mediated_by = NULL; - unique_policy_t unique; - u_int32_t rekey = 0, reauth = 0, over, jitter; peer_cfg_t *peer_cfg; auth_cfg_t *auth_cfg; + peer_cfg_create_t peer = { + .cert_policy = msg->add_conn.me.sendcert, + .keyingtries = msg->add_conn.rekey.tries, + .no_mobike = !msg->add_conn.mobike, + .aggressive = msg->add_conn.aggressive, + .push_mode = msg->add_conn.pushmode, + .dpd = msg->add_conn.dpd.delay, + .dpd_timeout = msg->add_conn.dpd.timeout, + }; #ifdef ME if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by) @@ -633,14 +638,17 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, if (msg->add_conn.ikeme.mediation) { + peer.mediation = TRUE; /* force unique connections for mediation connections */ msg->add_conn.unique = 1; } if (msg->add_conn.ikeme.mediated_by) { - mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->add_conn.ikeme.mediated_by); + peer_cfg_t *mediated_by; + + mediated_by = charon->backends->get_peer_cfg_by_name( + charon->backends, msg->add_conn.ikeme.mediated_by); if (!mediated_by) { DBG1(DBG_CFG, "mediation connection '%s' not found, aborting", 
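Review bot: The `peer` initializer at the top of build_peer_cfg mixes members that are final (`cert_policy`, `keyingtries`, `no_mobike`, `aggressive`, `push_mode`, `dpd_timeout`) with `.dpd`, which a later hunk in this file overrides with `peer.dpd = 0` when `dpd.action == 0`, and it leaves `unique`, `rekey_time`, `reauth_time`, `jitter_time` and `over_time` to be filled in below. A reader should not have to scan the whole function to learn that, so I would add `/* unique, rekey/reauth, jitter and dpd are finalised further down */` right after the closing `};`. The ME block that follows and the rest of the function are outside this hunk.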
@@ -655,58 +663,55 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, mediated_by->destroy(mediated_by); return NULL; } + peer.mediated_by = mediated_by; if (msg->add_conn.ikeme.peerid) { - peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid); + peer.peer_id = identification_create_from_string( + msg->add_conn.ikeme.peerid); } else if (msg->add_conn.other.id) { - peer_id = identification_create_from_string(msg->add_conn.other.id); + peer.peer_id = identification_create_from_string( + msg->add_conn.other.id); } } #endif /* ME */ - jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; - over = msg->add_conn.rekey.margin; + peer.jitter_time = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; + peer.over_time = msg->add_conn.rekey.margin; if (msg->add_conn.rekey.reauth) { - reauth = msg->add_conn.rekey.ike_lifetime - over; + peer.reauth_time = msg->add_conn.rekey.ike_lifetime - peer.over_time; } else { - rekey = msg->add_conn.rekey.ike_lifetime - over; + peer.rekey_time = msg->add_conn.rekey.ike_lifetime - peer.over_time; } switch (msg->add_conn.unique) { case 1: /* yes */ case 2: /* replace */ - unique = UNIQUE_REPLACE; + peer.unique = UNIQUE_REPLACE; break; case 3: /* keep */ - unique = UNIQUE_KEEP; + peer.unique = UNIQUE_KEEP; break; case 4: /* never */ - unique = UNIQUE_NEVER; + peer.unique = UNIQUE_NEVER; break; default: /* no */ - unique = UNIQUE_NO; + peer.unique = UNIQUE_NO; break; } if (msg->add_conn.dpd.action == 0) { /* dpdaction=none disables DPD */ - msg->add_conn.dpd.delay = 0; + peer.dpd = 0; } /* other.sourceip is managed in stroke_attributes. If it is set, we define * the pool name as the connection name, which the attribute provider * uses to serve pool addresses. 
*/ - peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, - msg->add_conn.me.sendcert, unique, - msg->add_conn.rekey.tries, rekey, reauth, jitter, over, - msg->add_conn.mobike, msg->add_conn.aggressive, - msg->add_conn.pushmode == 0, - msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout, - msg->add_conn.ikeme.mediation, mediated_by, peer_id); + peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, &peer); if (msg->add_conn.other.sourceip) { @@ -883,8 +888,8 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, /** * Parse a protoport specifier */ -static bool parse_protoport(char *token, u_int16_t *from_port, - u_int16_t *to_port, u_int8_t *protocol) +static bool parse_protoport(char *token, uint16_t *from_port, + uint16_t *to_port, uint8_t *protocol) { char *sep, *port = "", *endptr; struct protoent *proto; @@ -923,7 +928,7 @@ static bool parse_protoport(char *token, u_int16_t *from_port, { return FALSE; } - *protocol = (u_int8_t)p; + *protocol = (uint8_t)p; } } if (streq(port, "%any")) @@ -1002,8 +1007,8 @@ static void add_ts(private_stroke_config_t *this, { enumerator_t *enumerator; char *subnet, *pos; - u_int16_t from_port, to_port; - u_int8_t proto; + uint16_t from_port, to_port; + uint8_t proto; enumerator = enumerator_create_token(end->subnets, ",", " "); while (enumerator->enumerate(enumerator, &subnet)) 
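Review bot: `peer.dpd = 0` replaces the old `msg->add_conn.dpd.delay = 0`, so the message itself is no longer zeroed when dpdaction=none; that is only equivalent if nothing after this point reads `msg->add_conn.dpd.delay` (the build_child_cfg hunk further down consumes `dpd.action` only, but other consumers of the message are outside this diff), so it is worth confirming. Separately, `peer.reauth_time`/`peer.rekey_time = msg->add_conn.rekey.ike_lifetime - peer.over_time` still wraps if the rekey margin exceeds the IKE lifetime, assuming those fields are unsigned; that is carried over from the removed lines rather than introduced here, but a clamp or a `/* margin is expected to be <= ike_lifetime */` comment would close the question. The hunk begins on the preceding line of this page and build_peer_cfg continues after the sourceip branch.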
@@ -1070,45 +1075,50 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, stroke_msg_t *msg) { child_cfg_t *child_cfg; - lifetime_cfg_t lifetime = { - .time = { - .life = msg->add_conn.rekey.ipsec_lifetime, - .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, - .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 + child_cfg_create_t child = { + .lifetime = { + .time = { + .life = msg->add_conn.rekey.ipsec_lifetime, + .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, + .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 + }, + .bytes = { + .life = msg->add_conn.rekey.life_bytes, + .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, + .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 + }, + .packets = { + .life = msg->add_conn.rekey.life_packets, + .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, + .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 + }, }, - .bytes = { - .life = msg->add_conn.rekey.life_bytes, - .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, - .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 + .mark_in = { + .value = msg->add_conn.mark_in.value, + .mask = msg->add_conn.mark_in.mask }, - .packets = { - .life = msg->add_conn.rekey.life_packets, - .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, - .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 - } - }; - mark_t mark_in = { - .value = msg->add_conn.mark_in.value, - .mask = msg->add_conn.mark_in.mask - }; - mark_t mark_out = { - .value = msg->add_conn.mark_out.value, - .mask = msg->add_conn.mark_out.mask + .mark_out = { + .value = msg->add_conn.mark_out.value, + .mask = msg->add_conn.mark_out.mask + }, + .reqid = msg->add_conn.reqid, + .mode = msg->add_conn.mode, + .proxy_mode = 
msg->add_conn.proxy_mode, + .ipcomp = msg->add_conn.ipcomp, + .tfc = msg->add_conn.tfc, + .inactivity = msg->add_conn.inactivity, + .dpd_action = map_action(msg->add_conn.dpd.action), + .close_action = map_action(msg->add_conn.close_action), + .updown = msg->add_conn.me.updown, + .hostaccess = msg->add_conn.me.hostaccess, + .suppress_policies = !msg->add_conn.install_policy, }; - child_cfg = child_cfg_create( - msg->add_conn.name, &lifetime, msg->add_conn.me.updown, - msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE, - map_action(msg->add_conn.dpd.action), - map_action(msg->add_conn.close_action), msg->add_conn.ipcomp, - msg->add_conn.inactivity, msg->add_conn.reqid, - &mark_in, &mark_out, msg->add_conn.tfc); + child_cfg = child_cfg_create(msg->add_conn.name, &child); if (msg->add_conn.replay_window != -1) { child_cfg->set_replay_window(child_cfg, msg->add_conn.replay_window); } - child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, - msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); add_ts(this, &msg->add_conn.other, child_cfg, FALSE); diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 36da5ff21..fb60d3973 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -198,7 +198,7 @@ METHOD(stroke_control_t, initiate, void, /** * Parse a terminate/rekey specifier */ -static bool parse_specifier(char *string, u_int32_t *id, +static bool parse_specifier(char *string, uint32_t *id, char **name, bool *child, bool *all) { int len; @@ -266,7 +266,7 @@ static bool parse_specifier(char *string, u_int32_t *id, * Report the result of a terminate() call to console */ static void report_terminate_status(private_stroke_control_t *this, - status_t status, FILE *out, u_int32_t id, bool child) + status_t status, FILE *out, uint32_t id, bool child) { char *prefix, *postfix; 
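Review bot: `.start_action` is not set anywhere in the `child` initializer, whereas the removed child_cfg_create() call passed `ACTION_NONE` explicitly; that is only equivalent if `ACTION_NONE` is the zero enumerator, and spelling it out, `.start_action = ACTION_NONE,` next to `.dpd_action = map_action(msg->add_conn.dpd.action),`, removes the dependency on enum ordering and documents that no start action is configured on this path. The `.proxy_mode` and `.suppress_policies = !msg->add_conn.install_policy` members replace the dropped set_mipv6_options() call, which deserves a one-line comment since the inversion of install_policy is easy to misread. build_child_cfg starts at the top of the hunk and continues after the add_ts() calls.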
@@ -300,7 +300,7 @@ static void report_terminate_status(private_stroke_control_t *this, /** * Call the charon controller to terminate a CHILD_SA */ -static void charon_terminate(private_stroke_control_t *this, u_int32_t id, +static void charon_terminate(private_stroke_control_t *this, uint32_t id, stroke_msg_t *msg, FILE *out, bool child) { if (msg->output_verbosity >= 0) @@ -336,7 +336,7 @@ METHOD(stroke_control_t, terminate, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { char *name; - u_int32_t id; + uint32_t id; bool child, all; ike_sa_t *ike_sa; enumerator_t *enumerator; @@ -424,7 +424,7 @@ METHOD(stroke_control_t, rekey, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { char *name; - u_int32_t id; + uint32_t id; bool child, all, finished = FALSE; ike_sa_t *ike_sa; enumerator_t *enumerator; @@ -591,13 +591,13 @@ METHOD(stroke_control_t, purge_ike, void, /** * Find an existing CHILD_SA/reqid */ -static u_int32_t find_reqid(child_cfg_t *child_cfg) +static uint32_t find_reqid(child_cfg_t *child_cfg) { enumerator_t *enumerator, *children; child_sa_t *child_sa; ike_sa_t *ike_sa; char *name; - u_int32_t reqid; + uint32_t reqid; reqid = charon->traps->find_reqid(charon->traps, child_cfg); if (reqid) @@ -636,7 +636,7 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, char *name, FILE *out) { ipsec_mode_t mode; - u_int32_t reqid; + uint32_t reqid; mode = child_cfg->get_mode(child_cfg); if (mode == MODE_PASS || mode == MODE_DROP) @@ -731,7 +731,7 @@ METHOD(stroke_control_t, unroute, void, { child_sa_t *child_sa; enumerator_t *enumerator; - u_int32_t id = 0; + uint32_t id = 0; if (charon->shunts->uninstall(charon->shunts, msg->unroute.name)) { diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c index 5fa1fb165..e93fd4ef2 100644 --- a/src/libcharon/plugins/stroke/stroke_counter.c +++ b/src/libcharon/plugins/stroke/stroke_counter.c 
@@ -58,7 +58,7 @@ struct private_stroke_counter_t { /** * Global counter values */ - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; /** * Counters for specific connection names, char* => entry_t @@ -78,7 +78,7 @@ typedef struct { /** connection name */ char *name; /** counter values for connection */ - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; } entry_t; /** @@ -290,7 +290,7 @@ METHOD(listener_t, message_hook, bool, * Print a single counter value to out */ static void print_counter(FILE *out, stroke_counter_type_t type, - u_int64_t counter) + uint64_t counter) { fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, type, counter); } @@ -300,7 +300,7 @@ static void print_counter(FILE *out, stroke_counter_type_t type, */ static void print_one(private_stroke_counter_t *this, FILE *out, char *name) { - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; entry_t *entry; int i; @@ -365,7 +365,7 @@ static void print_all(private_stroke_counter_t *this, FILE *out) */ static void print_global(private_stroke_counter_t *this, FILE *out) { - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; int i; this->lock->lock(this->lock); diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 42928882a..929e6fc84 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -754,6 +754,8 @@ typedef struct { chunk_t keyid; /** number of tries */ int try; + /** provided PIN */ + shared_key_t *shared; } pin_cb_data_t; /** @@ -798,7 +800,9 @@ static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type, { *match_other = ID_MATCH_NONE; } - return shared_key_create(SHARED_PIN, chunk_clone(secret)); + DESTROY_IF(data->shared); + data->shared = shared_key_create(SHARED_PIN, chunk_clone(secret)); + return data->shared->get_ref(data->shared); } } return NULL; 
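Review bot: print_counter() now receives a `uint64_t` but still formats it with `%12llu`; on LP64 targets `uint64_t` is `unsigned long`, so the conversion specifier no longer matches the argument type (undefined behaviour per the C standard and a -Wformat warning), whereas the stroke_list.c hunks in this same diff use `PRIu64` for the same type. With `<inttypes.h>` available the call should read `fprintf(out, "%-18N %12" PRIu64 "\n", stroke_counter_type_names, type, counter);`. The same `%llu` mismatch may exist wherever print_one() and print_global() format `counter[i]`, but those bodies are outside the visible hunks.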
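Review bot: pin_cb() now caches the key it creates in `data->shared` and hands callers a reference, which makes `pin_cb_data_t` the owner of the last PIN entered; the new `/** provided PIN */` member comment does not say that, so I would make it `/** last PIN entered, owned by this struct; load_pin() adopts or destroys it */` and put `/* drop the previous attempt's PIN before caching the new one */` above `DESTROY_IF(data->shared);`. Whether a retry reaches this path with a stale `data->shared` depends on how `try` is driven above the hunk, which is not visible here.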
@@ -815,7 +819,7 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, private_key_t *key = NULL; u_int slot; chunk_t chunk; - shared_key_t *shared; + shared_key_t *shared = NULL; identification_t *id; mem_cred_t *mem = NULL; callback_cred_t *cb = NULL; @@ -867,10 +871,11 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, return TRUE; } /* use callback credential set to prompt for the pin */ - pin_data.prompt = prompt; - pin_data.card = smartcard; - pin_data.keyid = chunk; - pin_data.try = 0; + pin_data = (pin_cb_data_t){ + .prompt = prompt, + .card = smartcard, + .keyid = chunk, + }; cb = callback_cred_create_shared((void*)pin_cb, &pin_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE); } 
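Review bot: Replacing the four field assignments with the compound literal `pin_data = (pin_cb_data_t){ ... }` is what guarantees the new `.shared` member (and `.try`) start at NULL/0 before `&pin_data` is handed to callback_cred_create_shared(); a later reader could "simplify" this back to per-field assignments and silently leave `.shared` uninitialised, so a comment such as `/* compound literal: also zeroes .try and .shared, which load_pin relies on */` would protect the invariant. load_pin()'s body continues outside the hunk.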
@@ -880,30 +885,48 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, shared = shared_key_create(SHARED_PIN, secret); id = identification_create_from_encoding(ID_KEY_ID, chunk); mem = mem_cred_create(); - mem->add_shared(mem, shared, id, NULL); + mem->add_shared(mem, shared->get_ref(shared), id, NULL); lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE); } /* unlock: smartcard needs the pin and potentially calls public set */ key = (private_key_t*)load_from_smartcard(format, slot, module, keyid, CRED_PRIVATE_KEY, KEY_ANY); + + if (key) + { + DBG1(DBG_CFG, " loaded private key from %.*s", (int)sc.len, sc.ptr); + secrets->add_key(secrets, key); + } if (mem) { + if (!key) + { + shared->destroy(shared); + shared = NULL; + } lib->credmgr->remove_local_set(lib->credmgr, &mem->set); mem->destroy(mem); } if (cb) { + if (key) + { + shared = pin_data.shared; + } + else + { + DESTROY_IF(pin_data.shared); + } lib->credmgr->remove_local_set(lib->credmgr, &cb->set); cb->destroy(cb); } - chunk_clear(&chunk); - - if (key) + if (shared) { - DBG1(DBG_CFG, " loaded private key from %.*s", (int)sc.len, sc.ptr); - secrets->add_key(secrets, key); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + secrets->add_shared(secrets, shared, id, NULL); } + chunk_clear(&chunk); return TRUE; } diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 0371c7032..6c5703a16 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -206,7 +206,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { time_t use_in, use_out, rekey, now; - u_int64_t bytes_in, bytes_out, packets_in, packets_out; + uint64_t bytes_in, bytes_out, packets_in, packets_out; proposal_t *proposal; linked_list_t *my_ts, *other_ts; child_cfg_t *config; 
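Review bot: The reworked tail of load_pin() creates a second `id` for `secrets->add_shared()` because the first one appears to be consumed by `mem->add_shared()` and released with `mem->destroy()`, and `chunk_clear(&chunk)` had to move below that call since `chunk` is still needed; neither reason is stated, so I would add `/* the earlier id was consumed by mem->add_shared; chunk is still needed here, so it is cleared last */` above `if (shared)`. The ownership hand-offs themselves look consistent: the `mem` path destroys the local reference only when no key was loaded, the callback path adopts `pin_data.shared` or destroys it, and the surviving reference is passed to `secrets`. The PIN therefore now outlives load_pin() inside `secrets`, presumably so the smartcard can be unlocked again later; a sentence to that effect in the function's header comment (outside the hunk) would make the retention deliberate rather than incidental.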
@@ -244,7 +244,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) proposal = child_sa->get_proposal(child_sa); if (proposal) { - u_int16_t alg, ks; + uint16_t alg, ks; bool first = TRUE; if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, @@ -286,7 +286,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)", packets_in, (packets_in == 1) ? "": "s", - (u_int64_t)(now - use_in)); + (uint64_t)(now - use_in)); } child_sa->get_usestats(child_sa, FALSE, @@ -296,7 +296,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)", packets_out, (packets_out == 1) ? "": "s", - (u_int64_t)(now - use_out)); + (uint64_t)(now - use_out)); } fprintf(out, ", rekeying "); @@ -474,7 +474,7 @@ METHOD(stroke_list_t, status, void, ike_version_t ike_version; char *pool; host_t *host; - u_int32_t dpd; + uint32_t dpd; time_t since, now; u_int size, online, offline, i; struct utsname utsname; diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index ee32dbca2..4f7483666 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -613,7 +613,7 @@ static void stroke_config(private_stroke_socket_t *this, static bool on_accept(private_stroke_socket_t *this, stream_t *stream) { stroke_msg_t *msg; - u_int16_t len; + uint16_t len; FILE *out; /* read length */ diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 0daff4434..125e3c176 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/systime_fix -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -458,7 +472,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/systime_fix/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/systime_fix/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -772,6 +785,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index f124a1b38..0ea265e10 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/tnc_ifmap -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -206,12 +215,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -261,6 +272,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -295,6 +307,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -406,6 +419,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -473,7 +487,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_ifmap/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_ifmap/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -791,6 +804,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c index 2bad4fab0..ad4f2f8c2 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c @@ -145,7 +145,7 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload) { private_tnc_ifmap_listener_t *this; job_t *job; - u_int32_t reschedule; + uint32_t reschedule; INIT(this, .public = { 
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c index f2c00a528..ea48338cd 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c @@ -40,7 +40,7 @@ struct private_tnc_ifmap_renew_session_job_t { /** * Reschedule time interval in seconds */ - u_int32_t reschedule; + uint32_t reschedule; }; METHOD(job_t, destroy, void, @@ -83,7 +83,7 @@ METHOD(job_t, get_priority, job_priority_t, * Described in header */ tnc_ifmap_renew_session_job_t *tnc_ifmap_renew_session_job_create( - tnc_ifmap_soap_t *ifmap, u_int32_t reschedule) + tnc_ifmap_soap_t *ifmap, uint32_t reschedule) { private_tnc_ifmap_renew_session_job_t *this; diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h index f1587a1f6..18a3d5734 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h @@ -46,6 +46,6 @@ struct tnc_ifmap_renew_session_job_t { * @param reschedule reschedule time in seconds */ tnc_ifmap_renew_session_job_t *tnc_ifmap_renew_session_job_create( - tnc_ifmap_soap_t *ifmap, u_int32_t reschedule); + tnc_ifmap_soap_t *ifmap, uint32_t reschedule); #endif /** TNC_IFMAP_RENEW_SESSION_JOB_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c index a652e7067..8e69de095 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c @@ -186,7 +186,7 @@ METHOD(tnc_ifmap_soap_t, purgePublisher, bool, * Create an access-request based on device_name and ike_sa_id */ static xmlNodePtr create_access_request(private_tnc_ifmap_soap_t *this, - u_int32_t id) + uint32_t id) { xmlNodePtr node; char buf[BUF_LEN]; 
@@ -415,7 +415,7 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool, identification_t *id, *eap_id, *group; host_t *host; auth_cfg_t *auth; - u_int32_t ike_sa_id; + uint32_t ike_sa_id; bool is_user = FALSE, first = TRUE, success; /* extract relevant data from IKE_SA*/ @@ -584,7 +584,7 @@ METHOD(tnc_ifmap_soap_t, publish_virtual_ips, bool, { tnc_ifmap_soap_msg_t *soap_msg; xmlNodePtr request, node; - u_int32_t ike_sa_id; + uint32_t ike_sa_id; enumerator_t *enumerator; host_t *vip; bool success; diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index bfd8cf820..f2398c3f4 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/tnc_pdp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -207,12 +216,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -262,6 +273,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -296,6 +308,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -407,6 +420,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -476,7 +490,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_pdp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_pdp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -791,6 +804,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 91456f8da..17f0cd464 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -74,7 +74,7 @@ struct private_tnc_pdp_t { /** * PT-TLS port of the server */ - u_int16_t pt_tls_port; + uint16_t pt_tls_port; /** * PT-TLS IPv4 socket @@ -158,7 +158,7 @@ static void free_client_entry(client_entry_t *this) /** * Open IPv4 or IPv6 UDP socket */ -static int open_udp_socket(int family, u_int16_t port) +static int open_udp_socket(int family, uint16_t port) { int on = TRUE; struct sockaddr_storage addr; @@ -233,7 +233,7 @@ static int open_udp_socket(int family, u_int16_t port) /** * Open IPv4 or IPv6 TCP socket */ -static int open_tcp_socket(int family, u_int16_t port) +static int open_tcp_socket(int family, uint16_t port) { int on = TRUE; struct sockaddr_storage addr; @@ -339,8 +339,8 @@ static void send_message(private_tnc_pdp_t *this, radius_message_t *message, /** * Encrypt a MS-MPPE-Send/Recv-Key */ -static chunk_t encrypt_mppe_key(private_tnc_pdp_t *this, u_int8_t type, - chunk_t key, u_int16_t *salt, +static chunk_t encrypt_mppe_key(private_tnc_pdp_t *this, uint8_t type, + chunk_t key, uint16_t *salt, radius_message_t *request) { chunk_t a, r, seed, data; @@ -420,8 +420,8 @@ static void send_response(private_tnc_pdp_t *this, radius_message_t *request, { radius_message_t *response; chunk_t data, recv, send; - u_int32_t tunnel_type; - u_int16_t salt = 0; + uint32_t tunnel_type; + uint16_t salt = 0; response = radius_message_create(code); data = eap->get_data(eap); 
@@ -477,7 +477,7 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request, eap_payload_t *in, *out = NULL; eap_method_t *method; eap_type_t eap_type; - u_int32_t eap_vendor; + uint32_t eap_vendor; chunk_t data, message = chunk_empty, msk = chunk_empty; chunk_t user_name = chunk_empty, nas_id = chunk_empty; identification_t *group = NULL; diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index a1c64ca1b..84eed9a45 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/uci -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -201,12 +210,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -256,6 +267,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -290,6 +302,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -401,6 +414,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/uci/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/uci/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -778,6 +791,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index 2a8e40380..e0578fe9b 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -126,12 +126,23 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, child_cfg_t *child_cfg; ike_cfg_t *ike_cfg; auth_cfg_t *auth; - lifetime_cfg_t lifetime = { - .time = { - .life = create_rekey(esp_rekey) + 300, - .rekey = create_rekey(esp_rekey), - .jitter = 300 - } + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_NO, + .keyingtries = 1, + .jitter_time = 1800, + .over_time = 900, + .dpd = 60, + }; + child_cfg_create_t child = { + .lifetime = { + .time = { + .life = create_rekey(esp_rekey) + 300, + .rekey = create_rekey(esp_rekey), + .jitter = 300 + }, + }, + .mode = MODE_TUNNEL, }; /* defaults */ @@ -157,13 +168,8 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, remote_addr, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE)); - this->peer_cfg = peer_cfg_create( - name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO, - 1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */ - 1800, 900, /* jitter, overtime */ - TRUE, FALSE, TRUE, /* mobike, aggressive, pull */ - 60, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation, med by, peer id */ + peer.rekey_time = create_rekey(ike_rekey); + this->peer_cfg = peer_cfg_create(name, ike_cfg, &peer); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); auth->add(auth, AUTH_RULE_IDENTITY, 
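Review bot: In the `@@ -157` hunk of uci_config.c, `this->peer_cfg = peer_cfg_create(name, ike_cfg, &peer);` drops the explicit `TRUE, FALSE, TRUE` (mobike, aggressive, pull) and the reauth and DPD-timeout arguments of the removed call, and relies on the zero-initialised members of `peer` for them. That only preserves behaviour if the zero value of peer_cfg_create_t means MOBIKE enabled, pull mode and no reauth; the struct definition is not in this diff, so please confirm and set those members explicitly if the struct exposes them. A comment on the initializer in the `@@ -126` hunk would also help the next reader, e.g. `/* members left at zero keep the former defaults: reauth off, no DPD timeout, MOBIKE on, pull mode */`. The enclosing peer_enumerator_enumerate body starts before and continues after these hunks.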
@@ -179,9 +185,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, } this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, ACTION_NONE, - FALSE, 0, 0, NULL, NULL, 0); + child_cfg = child_cfg_create(name, &child); child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net)); diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index 00bb1498c..cfc1c5f4c 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/unity -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
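Review bot: `child_cfg = child_cfg_create(name, &child);` replaces a call whose fourth argument was `TRUE` (host access), while the `child` initializer in the `@@ -126` hunk sets only `.lifetime` and `.mode`, so every other member of child_cfg_create_t is zero. If zero does not correspond to the old host-access setting, the policies installed for these connections silently change; the same applies to add_exclude_async in unity_handler.c (its `@@ -216` hunk further down), which also dropped a `TRUE` in that position. Please check the struct and set the member explicitly, or document the intent on the initializer with `/* remaining members stay zero: no updown script, default actions, no marks, no reqid, no TFC */`. The enclosing METHOD body starts before this hunk and continues after it.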
@@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -202,12 +211,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -257,6 +268,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -291,6 +303,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -402,6 +415,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/unity/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/unity/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -778,6 +791,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c index 9fc9be61a..570727823 100644 --- a/src/libcharon/plugins/unity/unity_handler.c +++ b/src/libcharon/plugins/unity/unity_handler.c @@ -206,7 +206,9 @@ static job_requeue_t add_exclude_async(entry_t *entry) { enumerator_t *enumerator; child_cfg_t *child_cfg; - lifetime_cfg_t lft = { .time = { .life = 0 } }; + child_cfg_create_t child = { + .mode = MODE_PASS, + }; ike_sa_t *ike_sa; char name[128]; host_t *host; @@ -216,9 +218,7 @@ static job_requeue_t add_exclude_async(entry_t *entry) { create_shunt_name(ike_sa, entry->ts, name, sizeof(name)); - child_cfg = child_cfg_create(name, &lft, NULL, TRUE, MODE_PASS, - ACTION_NONE, ACTION_NONE, ACTION_NONE, - FALSE, 0, 0, NULL, NULL, FALSE); + child_cfg = child_cfg_create(name, &child); child_cfg->add_traffic_selector(child_cfg, FALSE, entry->ts->clone(entry->ts)); host = ike_sa->get_my_host(ike_sa); diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c index 1e297a39e..07f5f9b61 100644 --- a/src/libcharon/plugins/unity/unity_provider.c +++ b/src/libcharon/plugins/unity/unity_provider.c @@ -53,7 +53,7 @@ static void append_ts(bio_writer_t *writer, traffic_selector_t *ts) { host_t *net, *mask; chunk_t padding; - u_int8_t bits; + uint8_t bits; if (!ts->to_subnet(ts, &net, &bits)) { @@ -115,7 +115,7 @@ METHOD(enumerator_t, attribute_destroy, void, */ static bool use_ts(traffic_selector_t *ts) { - u_int8_t mask; + uint8_t mask; host_t *net; if (ts->get_type(ts) != TS_IPV4_ADDR_RANGE) 
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 863e14430..612535d85 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/updown -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/updown/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/updown/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index e51caab10..6a1581c85 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -55,7 +55,7 @@ typedef struct cache_entry_t cache_entry_t; */ struct cache_entry_t { /** requid of the CHILD_SA */ - u_int32_t reqid; + uint32_t reqid; /** cached interface name */ char *iface; }; @@ -63,7 +63,7 @@ struct cache_entry_t { /** * Insert an interface name to the cache */ -static void cache_iface(private_updown_listener_t *this, u_int32_t reqid, +static void cache_iface(private_updown_listener_t *this, uint32_t reqid, char *iface) { cache_entry_t *entry = malloc_thing(cache_entry_t); @@ -77,7 +77,7 @@ static void cache_iface(private_updown_listener_t *this, u_int32_t reqid, /** * Remove a cached interface name and return it. */ -static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid) +static char* uncache_iface(private_updown_listener_t *this, uint32_t reqid) { enumerator_t *enumerator; cache_entry_t *entry; @@ -257,7 +257,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, { host_t *me, *other, *host; char *iface; - u_int8_t mask; + uint8_t mask; mark_t mark; bool is_host, is_ipv6; int out; @@ -344,13 +344,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, } push_vip_env(this, ike_sa, envp, countof(envp), TRUE); push_vip_env(this, ike_sa, envp, countof(envp), FALSE); - mark = config->get_mark(config, TRUE); + mark = child_sa->get_mark(child_sa, TRUE); if (mark.value) { push_env(envp, countof(envp), "PLUTO_MARK_IN=%u/0x%08x", mark.value, mark.mask); } - mark = config->get_mark(config, FALSE); + mark = child_sa->get_mark(child_sa, FALSE); if (mark.value) { push_env(envp, countof(envp), "PLUTO_MARK_OUT=%u/0x%08x", 
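Review bot: The switch from `config->get_mark(config, ...)` to `child_sa->get_mark(child_sa, ...)` in the `@@ -344` hunk carries no comment saying why the CHILD_SA rather than its config is now the source of the PLUTO_MARK_IN/OUT values, which invites a later "simplification" back to the config. A one-line note above the first call would settle it, e.g. `/* read marks from the CHILD_SA, not the config: the SA may carry per-SA values */` (hedged; get_mark is not visible here). If `config` has no remaining use in invoke_once after this change the local should be removed, but that cannot be decided from the hunk. invoke_once starts and ends outside the hunk.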
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in index 86ed00792..b943c09ce 100644 --- a/src/libcharon/plugins/vici/Makefile.in +++ b/src/libcharon/plugins/vici/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,8 +94,6 @@ check_PROGRAMS = $(am__EXEEXT_1) @USE_PYTHON_EGGS_TRUE@am__append_2 = python @USE_PERL_CPAN_TRUE@am__append_3 = perl subdir = src/libcharon/plugins/vici -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -99,6 +107,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -274,6 +283,7 @@ am__tty_colors = { \ fi; \ } DIST_SUBDIRS = ruby python perl +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -305,6 +315,7 @@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -354,6 +365,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -388,6 +400,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -499,6 +512,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -602,7 +616,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/vici/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1319,6 +1332,8 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES \ tags tags-am uninstall uninstall-am \ uninstall-ipseclibLTLIBRARIES uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index 52929bd74..cf5a85a8d 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -277,8 +277,8 @@ Terminates an SA while streaming _control-log_ events. { child = <terminate a CHILD_SA by configuration name> ike = <terminate an IKE_SA by configuration name> - child_id = <terminate a CHILD_SA by its reqid> - ike_id = <terminate an IKE_SA by its unique id> + child-id = <terminate a CHILD_SA by its reqid> + ike-id = <terminate an IKE_SA by its unique id> timeout = <timeout in ms before returning> loglevel = <loglevel to issue "control-log" events for> } => { @@ -337,7 +337,7 @@ events. { noblock = <use non-blocking mode if key is set> ike = <filter listed IKE_SAs by its name> - ike_id = <filter listed IKE_SA by its unique id> + ike-id = <filter listed IKE_SA by its unique id> } => { # completes after streaming list-sa events } @@ -734,6 +734,8 @@ _list-conns_ command. <list of valid remote IKE endpoint addresses> ] version = <IKE version as string, IKEv1|IKEv2 or 0 for any> + reauth_time = <IKE_SA reauthentication interval in seconds> + rekey_time = <IKE_SA rekeying interval in seconds> local*, remote* = { # multiple local and remote auth sections class = <authentication type> @@ -758,6 +760,9 @@ _list-conns_ command. children = { <CHILD_SA config name>* = { mode = <IPsec mode> + rekey_time = <CHILD_SA rekeying interval in seconds> + rekey_bytes = <CHILD_SA rekeying interval in bytes> + rekey_packets = <CHILD_SA rekeying interval in packets> local-ts = [ <list of local traffic selectors> ] diff --git a/src/libcharon/plugins/vici/libvici.c b/src/libcharon/plugins/vici/libvici.c index 7c98c8b69..0b549a511 100644 --- a/src/libcharon/plugins/vici/libvici.c +++ b/src/libcharon/plugins/vici/libvici.c 
@@ -123,7 +123,7 @@ static bool read_error(vici_conn_t *conn, int err) /** * Handle a command response message */ -static bool handle_response(vici_conn_t *conn, u_int32_t len) +static bool handle_response(vici_conn_t *conn, uint32_t len) { chunk_t buf; @@ -140,11 +140,11 @@ static bool handle_response(vici_conn_t *conn, u_int32_t len) /** * Dispatch received event message */ -static bool handle_event(vici_conn_t *conn, u_int32_t len) +static bool handle_event(vici_conn_t *conn, uint32_t len) { vici_message_t *message; event_t *event; - u_int8_t namelen; + uint8_t namelen; char name[257], *buf; if (len < sizeof(namelen)) @@ -198,8 +198,8 @@ static bool handle_event(vici_conn_t *conn, u_int32_t len) CALLBACK(on_read, bool, vici_conn_t *conn, stream_t *stream) { - u_int32_t len; - u_int8_t op; + uint32_t len; + uint8_t op; ssize_t hlen; hlen = stream->read(stream, &len, sizeof(len), FALSE); @@ -358,8 +358,8 @@ vici_res_t* vici_submit(vici_req_t *req, vici_conn_t *conn) vici_message_t *message; vici_res_t *res; chunk_t data; - u_int32_t len; - u_int8_t namelen, op; + uint32_t len; + uint8_t namelen, op; message = req->b->finalize(req->b); if (!message) @@ -678,8 +678,8 @@ void vici_free_res(vici_res_t *res) int vici_register(vici_conn_t *conn, char *name, vici_event_cb_t cb, void *user) { event_t *event; - u_int32_t len; - u_int8_t namelen, op; + uint32_t len; + uint8_t namelen, op; int ret = 1; op = cb ? VICI_EVENT_REGISTER : VICI_EVENT_UNREGISTER; diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in index 550d3e980..e32e9668c 100644 --- a/src/libcharon/plugins/vici/perl/Makefile.in +++ b/src/libcharon/plugins/vici/perl/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,7 +88,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/vici/perl -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -92,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -116,12 +126,14 @@ am__can_run_installinfo = \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -171,6 +183,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -205,6 +218,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -316,6 +330,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -370,7 +385,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/perl/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/vici/perl/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -547,6 +561,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + all-local: Vici-Session/pm_to_blib diff --git a/src/libcharon/plugins/vici/python/MANIFEST.in b/src/libcharon/plugins/vici/python/MANIFEST.in index 1aba38f67..9d5d250d0 100644 --- a/src/libcharon/plugins/vici/python/MANIFEST.in +++ b/src/libcharon/plugins/vici/python/MANIFEST.in @@ -1 +1,2 @@ include LICENSE +include README.rst diff --git a/src/libcharon/plugins/vici/python/Makefile.am b/src/libcharon/plugins/vici/python/Makefile.am index 5936f2a5e..20a6f436d 100644 --- a/src/libcharon/plugins/vici/python/Makefile.am +++ b/src/libcharon/plugins/vici/python/Makefile.am 
@@ -1,4 +1,4 @@ -EXTRA_DIST = LICENSE MANIFEST.in \ +EXTRA_DIST = LICENSE README.rst MANIFEST.in \ setup.py.in \ vici/test/__init__.py \ vici/test/test_protocol.py \ @@ -10,26 +10,34 @@ EXTRA_DIST = LICENSE MANIFEST.in \ $(srcdir)/setup.py: $(srcdir)/setup.py.in $(AM_V_GEN) sed \ - -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \ + -e "s:@EGG_VERSION@:$(PYTHON_PACKAGE_VERSION):" \ $(srcdir)/setup.py.in > $@ -all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +all-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg -dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) $(srcdir)/setup.py +dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) $(srcdir)/setup.py (cd $(srcdir); $(PYTHON) setup.py bdist_egg \ -b $(shell readlink -f $(builddir))/build \ -d $(shell readlink -f $(builddir))/dist) +package: $(EXTRA_DIST) $(srcdir)/setup.py + (cd $(srcdir); $(PYTHON) setup.py sdist \ + -d $(shell readlink -f $(builddir))/dist \ + bdist_wheel --universal \ + -d $(shell readlink -f $(builddir))/dist) + clean-local: (cd $(srcdir); [ ! -f setup.py ] || $(PYTHON) setup.py clean -a) rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist if PYTHON_EGGS_INSTALL -install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +install-exec-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ - dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg endif if USE_PY_TEST TESTS = $(PY_TEST) endif + +.PHONY: package diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in index 894a7e275..7d1c64267 100644 --- a/src/libcharon/plugins/vici/python/Makefile.in +++ b/src/libcharon/plugins/vici/python/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,7 +88,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/vici/python -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -92,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -138,12 +148,14 @@ am__tty_colors = { \ std='[m'; \ fi; \ } +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ 
@@ -193,6 +205,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -227,6 +240,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -338,6 +352,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -366,7 +381,7 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -EXTRA_DIST = LICENSE MANIFEST.in \ +EXTRA_DIST = LICENSE README.rst MANIFEST.in \ setup.py.in \ vici/test/__init__.py \ vici/test/test_protocol.py \ @@ -392,7 +407,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -663,26 +677,36 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + $(srcdir)/setup.py: $(srcdir)/setup.py.in $(AM_V_GEN) sed \ - -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \ + -e "s:@EGG_VERSION@:$(PYTHON_PACKAGE_VERSION):" \ $(srcdir)/setup.py.in > $@ -all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +all-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg -dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) $(srcdir)/setup.py +dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) $(srcdir)/setup.py (cd $(srcdir); $(PYTHON) setup.py bdist_egg \ -b $(shell readlink -f $(builddir))/build \ -d $(shell readlink -f $(builddir))/dist) +package: $(EXTRA_DIST) $(srcdir)/setup.py + (cd $(srcdir); $(PYTHON) setup.py sdist \ + -d $(shell readlink -f $(builddir))/dist \ + bdist_wheel --universal \ + -d $(shell readlink -f $(builddir))/dist) + clean-local: (cd $(srcdir); [ ! -f setup.py ] || $(PYTHON) setup.py clean -a) rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist -@PYTHON_EGGS_INSTALL_TRUE@install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +@PYTHON_EGGS_INSTALL_TRUE@install-exec-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg @PYTHON_EGGS_INSTALL_TRUE@ $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ -@PYTHON_EGGS_INSTALL_TRUE@ dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +@PYTHON_EGGS_INSTALL_TRUE@ dist/vici-$(PYTHON_PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + +.PHONY: package # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/vici/python/README.rst b/src/libcharon/plugins/vici/python/README.rst new file mode 100644 index 000000000..3990f6300 --- /dev/null +++ b/src/libcharon/plugins/vici/python/README.rst 
@@ -0,0 +1,24 @@ +About +----- + +The strongSwan VICI protocol allows external applications to monitor, configure +and control the IKE daemon charon. This Python package provides a native client +side implementation of the VICI protocol, well suited to script automated tasks +in a reliable way. + + +Example Usage +------------- + +.. code-block:: python + + >>> import vici + >>> s = vici.Session() + >>> s.version() + OrderedDict([('daemon', b'charon'), ('version', b'5.4.0'), + ('sysname', b'Linux'), ('release', b'3.13.0-27-generic'), ('machine', b'x86_64')]) + >>> s.load_pool({"p1": {"addrs": "10.0.0.0/24"}}) + OrderedDict([('success', b'yes')]) + >>> s.get_pools() + OrderedDict([('p1', OrderedDict([('base', b'10.0.0.0'), ('size', b'254'), + ('online', b'0'), ('offline', b'0')]))]) diff --git a/src/libcharon/plugins/vici/python/setup.py.in b/src/libcharon/plugins/vici/python/setup.py.in index 0e4ad8236..62b0c5899 100644 --- a/src/libcharon/plugins/vici/python/setup.py.in +++ b/src/libcharon/plugins/vici/python/setup.py.in 
@@ -1,25 +1,21 @@ from setuptools import setup - -long_description = ( - "The strongSwan VICI protocol allows external application to monitor, " - "configure and control the IKE daemon charon. This python package provides " - "a native client side implementation of the VICI protocol, well suited to " - "script automated tasks in a reliable way." -) +with open('README.rst') as file: + long_description = file.read() setup( name="vici", version="@EGG_VERSION@", - description="Native python interface for strongSwan VICI", - author="Bjorn Schuberg", + description="Native Python interface for strongSwan's VICI protocol", + long_description=long_description, + author="strongSwan Project", + author_email="info@strongswan.org", url="https://wiki.strongswan.org/projects/strongswan/wiki/Vici", license="MIT", packages=["vici"], - long_description=long_description, include_package_data=True, classifiers=( - "Development Status :: 3 - Alpha", + "Development Status :: 5 - Production/Stable", "Intended Audience :: Developers", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py index 855a7b2e2..4951817eb 100644 --- a/src/libcharon/plugins/vici/python/vici/protocol.py +++ b/src/libcharon/plugins/vici/python/vici/protocol.py 
@@ -20,15 +20,22 @@ class Transport(object): self.socket.sendall(struct.pack("!I", len(packet)) + packet) def receive(self): - raw_length = self.socket.recv(self.HEADER_LENGTH) + raw_length = self._recvall(self.HEADER_LENGTH) length, = struct.unpack("!I", raw_length) - payload = self.socket.recv(length) + payload = self._recvall(length) return payload def close(self): self.socket.shutdown(socket.SHUT_RDWR) self.socket.close() + def _recvall(self, count): + """Ensure to read count bytes from the socket""" + data = b"" + while len(data) < count: + data += self.socket.recv(count - len(data)) + return data + class Packet(object): CMD_REQUEST = 0 # Named request message diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index b87d83de4..aceb28adc 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
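Review bot: `_recvall` spins forever if the daemon closes the socket mid-message, because `socket.recv` returns `b""` at EOF and `while len(data) < count` then never advances; the short-read bug is traded for a hang. Test the chunk before appending, e.g. `chunk = self.socket.recv(count - len(data))`, `if not chunk: raise socket.error("connection closed while reading %d bytes" % count)`, `data += chunk`, so callers get an exception they can handle. Separately, `length` in `receive` is a 32-bit value taken from the peer and handed straight to `_recvall(length)`, so a corrupt or hostile header can make the client buffer up to 4 GiB; if the vici socket is not fully trusted, a sanity bound on `length` before the second `_recvall` is cheap.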
@@ -78,7 +88,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/vici/ruby -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -92,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -116,12 +126,14 @@ am__can_run_installinfo = \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -171,6 +183,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -205,6 +218,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -316,6 +330,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ 
@@ -360,7 +375,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/ruby/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/vici/ruby/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -455,8 +469,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@RUBY_GEMS_INSTALL_FALSE@uninstall-local: @RUBY_GEMS_INSTALL_FALSE@install-data-local: +@RUBY_GEMS_INSTALL_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am @@ -538,6 +552,8 @@ uninstall-am: uninstall-local mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ uninstall-am uninstall-local +.PRECIOUS: Makefile + vici.gemspec: $(srcdir)/vici.gemspec.in $(AM_V_GEN) sed \ diff --git a/src/libcharon/plugins/vici/suites/test_socket.c b/src/libcharon/plugins/vici/suites/test_socket.c index 8d545c6c1..d0c0fa76f 100644 --- a/src/libcharon/plugins/vici/suites/test_socket.c +++ b/src/libcharon/plugins/vici/suites/test_socket.c @@ -32,7 +32,7 @@ static void echo_inbound(void *user, u_int id, chunk_t buf) ck_assert_int_eq(data->id, id); /* count number of bytes, including the header */ - data->bytes += buf.len + sizeof(u_int32_t); + data->bytes += buf.len + sizeof(uint32_t); /* echo back data chunk */ data->s->send(data->s, id, chunk_clone(buf)); } @@ -81,7 +81,7 @@ START_TEST(test_echo) 0x00,0x00,0x00,0x0A, 0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x02A, ); char buf[m.len]; - u_int32_t len; + uint32_t len; lib->processor->set_threads(lib->processor, 4); diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c index 9064d3d8c..e0d9b4ae8 100644 --- a/src/libcharon/plugins/vici/vici_attribute.c 
+++ b/src/libcharon/plugins/vici/vici_attribute.c @@ -233,7 +233,7 @@ static bool have_vips_from_pool(mem_pool_t *pool, linked_list_t *vips) enumerator_t *enumerator; host_t *host; chunk_t start, end, current; - u_int32_t size; + uint32_t size; bool found = FALSE; host = pool->get_base(pool); @@ -477,10 +477,10 @@ CALLBACK(pool_li, bool, { if (host->get_family(host) == AF_INET) { /* IPv4 attributes contain a subnet mask */ - u_int32_t netmask = 0; + uint32_t netmask = 0; if (mask) - { /* shifting u_int32_t by 32 or more is undefined */ + { /* shifting uint32_t by 32 or more is undefined */ mask = 32 - mask; netmask = htonl((0xFFFFFFFF >> mask) << mask); } diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 6ebbedc47..d919e1d94 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -57,22 +57,32 @@ /** * Magic value for an undefined lifetime */ -#define LFT_UNDEFINED (~(u_int64_t)0) +#define LFT_UNDEFINED (~(uint64_t)0) /** * Default IKE rekey time */ -#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60) +#define LFT_DEFAULT_IKE_REKEY_TIME (4 * 60 * 60) /** * Default CHILD rekey time */ -#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60) +#define LFT_DEFAULT_CHILD_REKEY_TIME (1 * 60 * 60) + +/** + * Default CHILD rekey bytes + */ +#define LFT_DEFAULT_CHILD_REKEY_BYTES 0 + +/** + * Default CHILD rekey packets + */ +#define LFT_DEFAULT_CHILD_REKEY_PACKETS 0 /** * Undefined replay window */ -#define REPLAY_UNDEFINED (~(u_int32_t)0) +#define REPLAY_UNDEFINED (~(uint32_t)0) typedef struct private_vici_config_t private_vici_config_t; @@ -242,7 +252,7 @@ typedef struct { typedef struct { request_data_t *request; auth_cfg_t *cfg; - u_int32_t round; + uint32_t round; } auth_data_t; /** 
@@ -259,20 +269,20 @@ static void free_auth_data(auth_data_t *data) */ typedef struct { request_data_t *request; - u_int32_t version; + uint32_t version; bool aggressive; bool encap; bool mobike; bool send_certreq; bool pull; cert_policy_t send_cert; - u_int64_t dpd_delay; - u_int64_t dpd_timeout; + uint64_t dpd_delay; + uint64_t dpd_timeout; fragmentation_t fragmentation; unique_policy_t unique; - u_int32_t keyingtries; - u_int32_t local_port; - u_int32_t remote_port; + uint32_t keyingtries; + uint32_t local_port; + uint32_t remote_port; char *local_addrs; char *remote_addrs; linked_list_t *local; @@ -281,10 +291,10 @@ typedef struct { linked_list_t *children; linked_list_t *vips; char *pools; - u_int64_t reauth_time; - u_int64_t rekey_time; - u_int64_t over_time; - u_int64_t rand_time; + uint64_t reauth_time; + uint64_t rekey_time; + uint64_t over_time; + uint64_t rand_time; } peer_data_t; /** @@ -422,24 +432,12 @@ static void free_peer_data(peer_data_t *data) */ typedef struct { request_data_t *request; - lifetime_cfg_t lft; - char* updown; - bool hostaccess; - bool ipcomp; - bool policies; - ipsec_mode_t mode; - u_int32_t replay_window; - action_t dpd_action; - action_t start_action; - action_t close_action; - u_int32_t reqid; - u_int32_t tfc; - mark_t mark_in; - mark_t mark_out; - u_int64_t inactivity; linked_list_t *proposals; linked_list_t *local_ts; linked_list_t *remote_ts; + uint32_t replay_window; + bool policies; + child_cfg_create_t cfg; } child_data_t; /** 
@@ -447,35 +445,39 @@ typedef struct { */ static void log_child_data(child_data_t *data, char *name) { + child_cfg_create_t *cfg = &data->cfg; + DBG2(DBG_CFG, " child %s:", name); - DBG2(DBG_CFG, " rekey_time = %llu", data->lft.time.rekey); - DBG2(DBG_CFG, " life_time = %llu", data->lft.time.life); - DBG2(DBG_CFG, " rand_time = %llu", data->lft.time.jitter); - DBG2(DBG_CFG, " rekey_bytes = %llu", data->lft.bytes.rekey); - DBG2(DBG_CFG, " life_bytes = %llu", data->lft.bytes.life); - DBG2(DBG_CFG, " rand_bytes = %llu", data->lft.bytes.jitter); - DBG2(DBG_CFG, " rekey_packets = %llu", data->lft.packets.rekey); - DBG2(DBG_CFG, " life_packets = %llu", data->lft.packets.life); - DBG2(DBG_CFG, " rand_packets = %llu", data->lft.packets.jitter); - DBG2(DBG_CFG, " updown = %s", data->updown); - DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess); - DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp); - DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode); + DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey); + DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life); + DBG2(DBG_CFG, " rand_time = %llu", cfg->lifetime.time.jitter); + DBG2(DBG_CFG, " rekey_bytes = %llu", cfg->lifetime.bytes.rekey); + DBG2(DBG_CFG, " life_bytes = %llu", cfg->lifetime.bytes.life); + DBG2(DBG_CFG, " rand_bytes = %llu", cfg->lifetime.bytes.jitter); + DBG2(DBG_CFG, " rekey_packets = %llu", cfg->lifetime.packets.rekey); + DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life); + DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter); + DBG2(DBG_CFG, " updown = %s", cfg->updown); + DBG2(DBG_CFG, " hostaccess = %u", cfg->hostaccess); + DBG2(DBG_CFG, " ipcomp = %u", cfg->ipcomp); + DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, cfg->mode); DBG2(DBG_CFG, " policies = %u", data->policies); if (data->replay_window != REPLAY_UNDEFINED) { DBG2(DBG_CFG, " replay_window = %u", data->replay_window); } - DBG2(DBG_CFG, " dpd_action = %N", action_names, data->dpd_action); - 
DBG2(DBG_CFG, " start_action = %N", action_names, data->start_action); - DBG2(DBG_CFG, " close_action = %N", action_names, data->close_action); - DBG2(DBG_CFG, " reqid = %u", data->reqid); - DBG2(DBG_CFG, " tfc = %d", data->tfc); + DBG2(DBG_CFG, " dpd_action = %N", action_names, cfg->dpd_action); + DBG2(DBG_CFG, " start_action = %N", action_names, cfg->start_action); + DBG2(DBG_CFG, " close_action = %N", action_names, cfg->close_action); + DBG2(DBG_CFG, " reqid = %u", cfg->reqid); + DBG2(DBG_CFG, " tfc = %d", cfg->tfc); + DBG2(DBG_CFG, " priority = %d", cfg->priority); + DBG2(DBG_CFG, " interface = %s", cfg->interface); DBG2(DBG_CFG, " mark_in = %u/%u", - data->mark_in.value, data->mark_in.mask); + cfg->mark_in.value, cfg->mark_in.mask); DBG2(DBG_CFG, " mark_out = %u/%u", - data->mark_out.value, data->mark_out.mask); - DBG2(DBG_CFG, " inactivity = %llu", data->inactivity); + cfg->mark_out.value, cfg->mark_out.mask); + DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity); DBG2(DBG_CFG, " proposals = %#P", data->proposals); DBG2(DBG_CFG, " local_ts = %#R", data->local_ts); DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts); @@ -492,7 +494,8 @@ static void free_child_data(child_data_t *data) offsetof(traffic_selector_t, destroy)); data->remote_ts->destroy_offset(data->remote_ts, offsetof(traffic_selector_t, destroy)); - free(data->updown); + free(data->cfg.updown); + free(data->cfg.interface); } /** @@ -568,8 +571,8 @@ CALLBACK(parse_ts, bool, struct protoent *protoent; struct servent *svc; long int p; - u_int16_t from = 0, to = 0xffff; - u_int8_t proto = 0; + uint16_t from = 0, to = 0xffff; + uint8_t proto = 0; if (!vici_stringify(v, buf, sizeof(buf))) { @@ -613,7 +616,7 @@ CALLBACK(parse_ts, bool, { return FALSE; } - proto = (u_int8_t)p; + proto = (uint8_t)p; } } if (streq(port, "opaque")) 
@@ -809,10 +812,10 @@ CALLBACK(parse_action, bool, } /** - * Parse a u_int32_t + * Parse a uint32_t */ CALLBACK(parse_uint32, bool, - u_int32_t *out, chunk_t v) + uint32_t *out, chunk_t v) { char buf[16], *end; u_long l; @@ -831,10 +834,10 @@ CALLBACK(parse_uint32, bool, } /** - * Parse a u_int64_t + * Parse a uint64_t */ CALLBACK(parse_uint64, bool, - u_int64_t *out, chunk_t v) + uint64_t *out, chunk_t v) { char buf[16], *end; unsigned long long l; @@ -856,7 +859,7 @@ CALLBACK(parse_uint64, bool, * Parse a relative time */ CALLBACK(parse_time, bool, - u_int64_t *out, chunk_t v) + uint64_t *out, chunk_t v) { char buf[16], *end; u_long l; @@ -906,7 +909,7 @@ CALLBACK(parse_time, bool, * Parse byte volume */ CALLBACK(parse_bytes, bool, - u_int64_t *out, chunk_t v) + uint64_t *out, chunk_t v) { char buf[16], *end; unsigned long long l; @@ -968,7 +971,7 @@ CALLBACK(parse_mark, bool, * Parse TFC padding option */ CALLBACK(parse_tfc, bool, - u_int32_t *out, chunk_t v) + uint32_t *out, chunk_t v) { if (chunk_equals(v, chunk_from_str("mtu"))) { 
@@ -1327,29 +1330,31 @@ CALLBACK(child_kv, bool, child_data_t *child, vici_message_t *message, char *name, chunk_t value) { parse_rule_t rules[] = { - { "updown", parse_string, &child->updown }, - { "hostaccess", parse_bool, &child->hostaccess }, - { "mode", parse_mode, &child->mode }, - { "policies", parse_bool, &child->policies }, - { "replay_window", parse_uint32, &child->replay_window }, - { "rekey_time", parse_time, &child->lft.time.rekey }, - { "life_time", parse_time, &child->lft.time.life }, - { "rand_time", parse_time, &child->lft.time.jitter }, - { "rekey_bytes", parse_bytes, &child->lft.bytes.rekey }, - { "life_bytes", parse_bytes, &child->lft.bytes.life }, - { "rand_bytes", parse_bytes, &child->lft.bytes.jitter }, - { "rekey_packets", parse_uint64, &child->lft.packets.rekey }, - { "life_packets", parse_uint64, &child->lft.packets.life }, - { "rand_packets", parse_uint64, &child->lft.packets.jitter }, - { "dpd_action", parse_action, &child->dpd_action }, - { "start_action", parse_action, &child->start_action }, - { "close_action", parse_action, &child->close_action }, - { "ipcomp", parse_bool, &child->ipcomp }, - { "inactivity", parse_time, &child->inactivity }, - { "reqid", parse_uint32, &child->reqid }, - { "mark_in", parse_mark, &child->mark_in }, - { "mark_out", parse_mark, &child->mark_out }, - { "tfc_padding", parse_tfc, &child->tfc }, + { "updown", parse_string, &child->cfg.updown }, + { "hostaccess", parse_bool, &child->cfg.hostaccess }, + { "mode", parse_mode, &child->cfg.mode }, + { "policies", parse_bool, &child->policies }, + { "replay_window", parse_uint32, &child->replay_window }, + { "rekey_time", parse_time, &child->cfg.lifetime.time.rekey }, + { "life_time", parse_time, &child->cfg.lifetime.time.life }, + { "rand_time", parse_time, &child->cfg.lifetime.time.jitter }, + { "rekey_bytes", parse_bytes, &child->cfg.lifetime.bytes.rekey }, + { "life_bytes", parse_bytes, &child->cfg.lifetime.bytes.life }, + { "rand_bytes", parse_bytes, 
&child->cfg.lifetime.bytes.jitter }, + { "rekey_packets", parse_uint64, &child->cfg.lifetime.packets.rekey }, + { "life_packets", parse_uint64, &child->cfg.lifetime.packets.life }, + { "rand_packets", parse_uint64, &child->cfg.lifetime.packets.jitter }, + { "dpd_action", parse_action, &child->cfg.dpd_action }, + { "start_action", parse_action, &child->cfg.start_action }, + { "close_action", parse_action, &child->cfg.close_action }, + { "ipcomp", parse_bool, &child->cfg.ipcomp }, + { "inactivity", parse_time, &child->cfg.inactivity }, + { "reqid", parse_uint32, &child->cfg.reqid }, + { "mark_in", parse_mark, &child->cfg.mark_in }, + { "mark_out", parse_mark, &child->cfg.mark_out }, + { "tfc_padding", parse_tfc, &child->cfg.tfc }, + { "priority", parse_uint32, &child->cfg.priority }, + { "interface", parse_string, &child->cfg.interface }, }; return parse_rules(rules, countof(rules), name, value, 
@@ -1430,6 +1435,42 @@ CALLBACK(peer_kv, bool, &peer->request->reply); } +/** + * Check and update lifetimes + */ +static void check_lifetimes(lifetime_cfg_t *lft) +{ + /* if no hard lifetime specified, add one at soft lifetime + 10% */ + if (lft->time.life == LFT_UNDEFINED) + { + lft->time.life = lft->time.rekey * 110 / 100; + } + if (lft->bytes.life == LFT_UNDEFINED) + { + lft->bytes.life = lft->bytes.rekey * 110 / 100; + } + if (lft->packets.life == LFT_UNDEFINED) + { + lft->packets.life = lft->packets.rekey * 110 / 100; + } + /* if no rand time defined, use difference of hard and soft */ + if (lft->time.jitter == LFT_UNDEFINED) + { + lft->time.jitter = lft->time.life - + min(lft->time.life, lft->time.rekey); + } + if (lft->bytes.jitter == LFT_UNDEFINED) + { + lft->bytes.jitter = lft->bytes.life - + min(lft->bytes.life, lft->bytes.rekey); + } + if (lft->packets.jitter == LFT_UNDEFINED) + { + lft->packets.jitter = lft->packets.life - + min(lft->packets.life, lft->packets.rekey); + } +} + CALLBACK(children_sn, bool, peer_data_t *peer, vici_message_t *message, vici_parse_context_t *ctx, char *name) 
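Review bot: `lft->time.rekey * 110 / 100` (and the byte/packet variants) wraps for `uint64_t` soft limits above `UINT64_MAX / 110`, which `parse_bytes`/`parse_uint64` can produce since they parse into `unsigned long long`; the derived hard limit then lands below the soft one and the jitter fallback collapses to 0. Saturate instead, e.g. `lft->time.life = lft->time.rekey > UINT64_MAX / 110 ? UINT64_MAX : lft->time.rekey * 110 / 100;`, applied to all three limits. The header comment "Check and update lifetimes" could also state the contract, e.g. `/* fill in LFT_UNDEFINED hard limits (soft + 10%) and jitter (hard - soft); soft limits are never LFT_UNDEFINED here, see children_sn defaults */`, since that invariant is what makes the undefined checks on `life` sufficient.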
@@ -1439,29 +1480,28 @@ CALLBACK(children_sn, bool,
 .proposals = linked_list_create(),
 .local_ts = linked_list_create(),
 .remote_ts = linked_list_create(),
- .mode = MODE_TUNNEL,
 .policies = TRUE,
 .replay_window = REPLAY_UNDEFINED,
- .dpd_action = ACTION_NONE,
- .start_action = ACTION_NONE,
- .close_action = ACTION_NONE,
- .lft = {
- .time = {
- .rekey = LFT_DEFAULT_CHILD_REKEY,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
- },
- .bytes = {
- .rekey = LFT_UNDEFINED,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
+ .cfg = {
+ .mode = MODE_TUNNEL,
+ .lifetime = {
+ .time = {
+ .rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .bytes = {
+ .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .packets = {
+ .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
 },
- .packets = {
- .rekey = LFT_UNDEFINED,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
- },
- }
+ },
 };
 child_cfg_t *cfg;
 proposal_t *proposal;
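Review bot: The new `.cfg = { ... }` initializer sets only `mode` and `lifetime`, so `dpd_action`, `start_action` and `close_action` — which the removed lines set to ACTION_NONE explicitly — now depend on ACTION_NONE being the zero enumerator, and the other members that moved into the struct (`ipcomp`, `reqid`, `inactivity`, the marks, `tfc`, `priority`, `interface` per the rule table earlier in this file) are zero-initialized implicitly. That is fine as long as the enum keeps its zero value, but it is fragile against a later reordering and hides the intended defaults from the reader; keeping `.dpd_action = ACTION_NONE, .start_action = ACTION_NONE, .close_action = ACTION_NONE,` inside the `.cfg` block costs nothing and documents the intent. children_sn begins in the previous hunk and continues past this one.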
@@ -1496,55 +1536,13 @@ CALLBACK(children_sn, bool,
 child.proposals->insert_last(child.proposals, proposal);
 }
 }
+ child.cfg.suppress_policies = !child.policies;
- /* if no hard lifetime specified, add one at soft lifetime + 10% */
- if (child.lft.time.life == LFT_UNDEFINED)
- {
- child.lft.time.life = child.lft.time.rekey * 110 / 100;
- }
- if (child.lft.bytes.life == LFT_UNDEFINED)
- {
- child.lft.bytes.life = child.lft.bytes.rekey * 110 / 100;
- }
- if (child.lft.packets.life == LFT_UNDEFINED)
- {
- child.lft.packets.life = child.lft.packets.rekey * 110 / 100;
- }
- /* if no soft lifetime specified, add one at hard lifetime - 10% */
- if (child.lft.bytes.rekey == LFT_UNDEFINED)
- {
- child.lft.bytes.rekey = child.lft.bytes.life * 90 / 100;
- }
- if (child.lft.packets.rekey == LFT_UNDEFINED)
- {
- child.lft.packets.rekey = child.lft.packets.life * 90 / 100;
- }
- /* if no rand time defined, use difference of hard and soft */
- if (child.lft.time.jitter == LFT_UNDEFINED)
- {
- child.lft.time.jitter = child.lft.time.life -
- min(child.lft.time.life, child.lft.time.rekey);
- }
- if (child.lft.bytes.jitter == LFT_UNDEFINED)
- {
- child.lft.bytes.jitter = child.lft.bytes.life -
- min(child.lft.bytes.life, child.lft.bytes.rekey);
- }
- if (child.lft.packets.jitter == LFT_UNDEFINED)
- {
- child.lft.packets.jitter = child.lft.packets.life -
- min(child.lft.packets.life, child.lft.packets.rekey);
- }
+ check_lifetimes(&child.cfg.lifetime);
 log_child_data(&child, name);
- cfg = child_cfg_create(name, &child.lft, child.updown,
- child.hostaccess, child.mode, child.start_action,
- child.dpd_action, child.close_action, child.ipcomp,
- child.inactivity, child.reqid, &child.mark_in,
- &child.mark_out, child.tfc);
-
- cfg->set_mipv6_options(cfg, FALSE, child.policies);
+ cfg = child_cfg_create(name, &child.cfg);
 if (child.replay_window != REPLAY_UNDEFINED)
 {
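Review bot: The removed block also derived a missing soft lifetime from a configured hard one (`rekey = life * 90 / 100` for bytes and packets), and check_lifetimes() as called here carries no equivalent, so a section that sets only `life_bytes` or `life_packets` now keeps the default rekey value from the previous hunk instead of 90% of its hard limit; depending on that default, the CHILD_SA would then either never be rekeyed on that counter or be rekeyed at a threshold unrelated to the configured hard lifetime. This looks intentional given the new LFT_DEFAULT_CHILD_REKEY_BYTES/PACKETS defaults, but the drop is silent; a comment at the call, `/* soft lifetimes are no longer derived from hard ones; the rekey defaults apply */`, would stop a future reader from re-adding the rule in check_lifetimes(), where LFT_UNDEFINED can no longer mark an unset rekey value. children_sn begins before this hunk.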
@@ -1649,12 +1647,12 @@ CALLBACK(peer_sn, bool,
 /**
 * Find reqid of an existing CHILD_SA
 */
-static u_int32_t find_reqid(child_cfg_t *cfg)
+static uint32_t find_reqid(child_cfg_t *cfg)
 {
 enumerator_t *enumerator, *children;
 child_sa_t *child_sa;
 ike_sa_t *ike_sa;
- u_int32_t reqid;
+ uint32_t reqid;
 reqid = charon->traps->find_reqid(charon->traps, cfg);
 if (reqid)
@@ -1723,7 +1721,7 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 enumerator_t *enumerator, *children;
 child_sa_t *child_sa;
 ike_sa_t *ike_sa;
- u_int32_t id = 0, others;
+ uint32_t id = 0, others;
 array_t *ids = NULL, *ikeids = NULL;
 char *name;
@@ -1987,6 +1985,7 @@ CALLBACK(config_sn, bool,
 .rand_time = LFT_UNDEFINED,
 };
 enumerator_t *enumerator;
+ peer_cfg_create_t cfg;
 peer_cfg_t *peer_cfg;
 ike_cfg_t *ike_cfg;
 child_cfg_t *child_cfg;
@@ -2046,7 +2045,7 @@ CALLBACK(config_sn, bool,
 if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
 {
 /* apply a default rekey time if no rekey/reauth time set */
- peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+ peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME;
 peer.reauth_time = 0;
 }
 if (peer.rekey_time == LFT_UNDEFINED)
@@ -2083,12 +2082,22 @@ CALLBACK(config_sn, bool,
 peer.local_addrs, peer.local_port, peer.remote_addrs, peer.remote_port, peer.fragmentation, 0);
- peer_cfg = peer_cfg_create(name, ike_cfg, peer.send_cert, peer.unique,
- peer.keyingtries, peer.rekey_time, peer.reauth_time,
- peer.rand_time, peer.over_time, peer.mobike,
- peer.aggressive, peer.pull,
- peer.dpd_delay, peer.dpd_timeout,
- FALSE, NULL, NULL);
+
+ cfg = (peer_cfg_create_t){
+ .cert_policy = peer.send_cert,
+ .unique = peer.unique,
+ .keyingtries = peer.keyingtries,
+ .rekey_time = peer.rekey_time,
+ .reauth_time = peer.reauth_time,
+ .jitter_time = peer.rand_time,
+ .over_time = peer.over_time,
+ .no_mobike = !peer.mobike,
+ .aggressive = peer.aggressive,
+ .push_mode = !peer.pull,
+ .dpd = peer.dpd_delay,
+ .dpd_timeout = peer.dpd_timeout,
+ };
+ peer_cfg = peer_cfg_create(name, ike_cfg, &cfg);
 while (peer.local->remove_first(peer.local, (void**)&auth) == SUCCESS)
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index c526d2fda..44003819a 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -507,12 +507,12 @@ CALLBACK(redirect, vici_message_t*,
 /**
 * Find reqid of an existing CHILD_SA
 */
-static u_int32_t find_reqid(child_cfg_t *cfg)
+static uint32_t find_reqid(child_cfg_t *cfg)
 {
 enumerator_t *enumerator, *children;
 child_sa_t *child_sa;
 ike_sa_t *ike_sa;
- u_int32_t reqid;
+ uint32_t reqid;
 reqid = charon->traps->find_reqid(charon->traps, cfg);
 if (reqid)
@@ -583,7 +583,7 @@ CALLBACK(uninstall, vici_message_t*,
 {
 child_sa_t *child_sa;
 enumerator_t *enumerator;
- u_int32_t reqid = 0;
+ uint32_t reqid = 0;
 char *child;
 child = request->get_str(request, NULL, "child");
diff --git a/src/libcharon/plugins/vici/vici_dispatcher.c b/src/libcharon/plugins/vici/vici_dispatcher.c
index 31292d6b3..ffe0d61e5 100644
--- a/src/libcharon/plugins/vici/vici_dispatcher.c
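Review bot: Two of the new designated initializers invert the parsed option (`.no_mobike = !peer.mobike` and `.push_mode = !peer.pull`) while every other member is copied through unchanged, which is the kind of polarity flip that gets lost on the next edit; a one-line comment above the literal, `/* mobike and pull are expressed as their negations in peer_cfg_create_t */`, makes it explicit. The three trailing arguments of the old call (`FALSE, NULL, NULL`) have no counterpart in the literal and now rely on the remaining members of peer_cfg_create_t being zero-initialized, which is fine if zero is the documented default for them. config_sn starts before this hunk and continues past it.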
+++ b/src/libcharon/plugins/vici/vici_dispatcher.c
@@ -119,10 +119,10 @@ static void send_op(private_vici_dispatcher_t *this, u_int id,
 bio_writer_t *writer;
 u_int len;
- len = sizeof(u_int8_t);
+ len = sizeof(uint8_t);
 if (name)
 {
- len += sizeof(u_int8_t) + strlen(name);
+ len += sizeof(uint8_t) + strlen(name);
 }
 if (message)
 {
@@ -308,7 +308,7 @@ CALLBACK(inbound, void,
 {
 bio_reader_t *reader;
 chunk_t chunk;
- u_int8_t type;
+ uint8_t type;
 char name[257];
 reader = bio_reader_create(data);
diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c
index fb6e8a1ab..58b896773 100644
--- a/src/libcharon/plugins/vici/vici_message.c
+++ b/src/libcharon/plugins/vici/vici_message.c
@@ -137,7 +137,7 @@ typedef struct {
 METHOD(enumerator_t, parse_enumerate, bool,
 parse_enumerator_t *this, vici_type_t *out, char **name, chunk_t *value)
 {
- u_int8_t type;
+ uint8_t type;
 chunk_t data;
 if (!this->reader->remaining(this->reader) ||
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 284c23ee0..04cea004e 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -86,8 +86,8 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 child_sa_t *child, time_t now)
 {
 time_t t;
- u_int64_t bytes, packets;
- u_int16_t alg, ks;
+ uint64_t bytes, packets;
+ uint16_t alg, ks;
 proposal_t *proposal;
 enumerator_t *enumerator;
 traffic_selector_t *ts;
@@ -152,7 +152,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 b->add_kv(b, "packets-in", "%" PRIu64, packets);
 if (t)
 {
- b->add_kv(b, "use-in", "%"PRIu64, (u_int64_t)(now - t));
+ b->add_kv(b, "use-in", "%"PRIu64, (uint64_t)(now - t));
 }
 child->get_usestats(child, FALSE, &t, &bytes, &packets);
@@ -160,7 +160,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 b->add_kv(b, "packets-out", "%"PRIu64, packets);
 if (t)
 {
- b->add_kv(b, "use-out", "%"PRIu64, (u_int64_t)(now - t));
+ b->add_kv(b, "use-out", "%"PRIu64, (uint64_t)(now - t));
 }
 t = child->get_lifetime(child, FALSE);
@@ -272,7 +272,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 ike_sa_id_t *id;
 identification_t *eap;
 proposal_t *proposal;
- u_int16_t alg, ks;
+ uint16_t alg, ks;
 host_t *host;
 b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
@@ -682,9 +682,11 @@ CALLBACK(list_conns, vici_message_t*,
 peer_cfg_t *peer_cfg;
 ike_cfg_t *ike_cfg;
 child_cfg_t *child_cfg;
- char *ike, *str;
+ char *ike, *str, *interface;
+ uint32_t manual_prio;
 linked_list_t *list;
 traffic_selector_t *ts;
+ lifetime_cfg_t *lft;
 vici_builder_t *b;
 ike = request->get_str(request, NULL, "ike");
@@ -725,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*,
 b->add_kv(b, "version", "%N", ike_version_names, peer_cfg->get_ike_version(peer_cfg));
+ b->add_kv(b, "reauth_time", "%u",
+ peer_cfg->get_reauth_time(peer_cfg, FALSE));
+ b->add_kv(b, "rekey_time", "%u",
+ peer_cfg->get_rekey_time(peer_cfg, FALSE));
 build_auth_cfgs(peer_cfg, TRUE, b);
 build_auth_cfgs(peer_cfg, FALSE, b);
@@ -739,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*,
 b->add_kv(b, "mode", "%N", ipsec_mode_names, child_cfg->get_mode(child_cfg));
+ lft = child_cfg->get_lifetime(child_cfg, FALSE);
+ b->add_kv(b, "rekey_time", "%"PRIu64, lft->time.rekey);
+ b->add_kv(b, "rekey_bytes", "%"PRIu64, lft->bytes.rekey);
+ b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
+ free(lft);
+
 b->begin_list(b, "local-ts");
 list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 selectors = list->create_enumerator(list);
@@ -761,6 +773,18 @@ CALLBACK(list_conns, vici_message_t*,
 list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
 b->end_list(b /* remote-ts */);
+ interface = child_cfg->get_interface(child_cfg);
+ if (interface)
+ {
+ b->add_kv(b, "interface", "%s", interface);
+ }
+
+ manual_prio = child_cfg->get_manual_prio(child_cfg);
+ if (manual_prio)
+ {
+ b->add_kv(b, "priority", "%u", manual_prio);
+ }
+
 b->end_section(b);
 }
 children->destroy(children);
diff --git a/src/libcharon/plugins/vici/vici_socket.c b/src/libcharon/plugins/vici/vici_socket.c
index 67fd7e8e3..2a55fd061 100644
--- a/src/libcharon/plugins/vici/vici_socket.c
+++ b/src/libcharon/plugins/vici/vici_socket.c
@@ -95,11 +95,11 @@ typedef struct {
 /** bytes of length header sent/received */
 u_char hdrlen;
 /** bytes of length header */
- char hdr[sizeof(u_int32_t)];
+ char hdr[sizeof(uint32_t)];
 /** send/receive buffer on heap */
 chunk_t buf;
 /** bytes sent/received in buffer */
- u_int32_t done;
+ uint32_t done;
 } msg_buf_t;
 /**
@@ -411,7 +411,7 @@ CALLBACK(on_write, bool,
 static bool do_read(private_vici_socket_t *this, entry_t *entry, stream_t *stream, char *errmsg, size_t errlen)
 {
- u_int32_t msglen;
+ uint32_t msglen;
 ssize_t len;
 /* assemble the length header first */
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 549ef6bce..47fcf91cd 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = whitelist$(EXEEXT) subdir = src/libcharon/plugins/whitelist -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -210,12 +219,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -265,6 +276,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -299,6 +311,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -410,6 +423,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -470,7 +484,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/whitelist/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/whitelist/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -840,6 +853,8 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index 6992df820..0e88f8e32 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/xauth_eap -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ 
@@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_eap/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_eap/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.c b/src/libcharon/plugins/xauth_eap/xauth_eap.c index f21d02697..9e103be1c 100644 --- a/src/libcharon/plugins/xauth_eap/xauth_eap.c +++ b/src/libcharon/plugins/xauth_eap/xauth_eap.c @@ -113,7 +113,7 @@ static bool verify_eap(private_xauth_eap_t *this, eap_method_t *backend) eap_payload_t *request, *response; eap_method_t *frontend; eap_type_t type; - u_int32_t vendor; + uint32_t vendor; status_t status; if (backend->initiate(backend, &request) != NEED_MORE) diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index 057a734a3..e20b46f57 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in 
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/xauth_generic -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_generic/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_generic/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index 6b0104e30..b8adbbf43 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/xauth_noauth -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -461,7 +475,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_noauth/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_noauth/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -775,6 +788,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index ae6a4d070..79c466689 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/xauth_pam -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -203,12 +212,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -258,6 +269,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -292,6 +304,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -403,6 +416,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -462,7 +476,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_pam/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_pam/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -777,6 +790,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c
index 207f534ba..cd4a4ca89 100644
--- a/src/libcharon/processing/jobs/acquire_job.c
+++ b/src/libcharon/processing/jobs/acquire_job.c
@@ -32,7 +32,7 @@ struct private_acquire_job_t {
 /**
 * reqid of the child to rekey
 */
- u_int32_t reqid;
+ uint32_t reqid;
 /**
 * acquired source traffic selector
@@ -70,7 +70,7 @@ METHOD(job_t, get_priority, job_priority_t,
 /*
 * Described in header
 */
-acquire_job_t *acquire_job_create(u_int32_t reqid,
+acquire_job_t *acquire_job_create(uint32_t reqid,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
diff --git a/src/libcharon/processing/jobs/acquire_job.h b/src/libcharon/processing/jobs/acquire_job.h
index 2b5bf4805..4d31f0569 100644
--- a/src/libcharon/processing/jobs/acquire_job.h
+++ b/src/libcharon/processing/jobs/acquire_job.h
@@ -47,7 +47,7 @@ struct acquire_job_t {
 * @param dst_ts destination traffic selector
 * @return acquire_job_t object
 */
-acquire_job_t *acquire_job_create(u_int32_t reqid,
+acquire_job_t *acquire_job_create(uint32_t reqid,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index c39689012..ff8e78b6b 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -64,7 +64,7 @@ METHOD(job_t, execute, job_requeue_t,
 ike_sa_id_t *id;
 ike_sa_t *ike_sa;
 child_sa_t *child_sa;
- u_int32_t unique;
+ uint32_t unique;
 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
 if (ike_sa)
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
index 0d85883be..70dbc1b4a 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -38,7 +38,7 @@ struct private_delete_child_sa_job_t {
 /**
 * inbound SPI of the CHILD_SA
 */
- u_int32_t spi;
+ uint32_t spi;
 /**
 * SA destination address
@@ -89,7 +89,7 @@ METHOD(job_t, get_priority, job_priority_t,
 * Described in header
 */
 delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol,
- u_int32_t spi, host_t *dst, bool expired)
+ uint32_t spi, host_t *dst, bool expired)
 {
 private_delete_child_sa_job_t *this;
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index 6fa53644c..349f5debb 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -51,6 +51,6 @@ struct delete_child_sa_job_t {
 * @return delete_child_sa_job_t object
 */
 delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol,
- u_int32_t spi, host_t *dst, bool expired);
+ uint32_t spi, host_t *dst, bool expired);
 #endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index f0f90eedf..bf16e51b5 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -32,12 +32,12 @@ struct private_inactivity_job_t {
 /**
 * Unique CHILD_SA identifier to check
 */
- u_int32_t id;
+ uint32_t id;
 /**
 * Inactivity timeout
 */
- u_int32_t timeout;
+ uint32_t timeout;
 /**
 * Close IKE_SA if last remaining CHILD inactive?
@@ -55,7 +55,7 @@ METHOD(job_t, execute, job_requeue_t,
 private_inactivity_job_t *this)
 {
 ike_sa_t *ike_sa;
- u_int32_t reschedule = 0;
+ uint32_t reschedule = 0;
 ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager, this->id, NULL);
@@ -63,7 +63,7 @@ METHOD(job_t, execute, job_requeue_t,
 {
 enumerator_t *enumerator;
 child_sa_t *child_sa;
- u_int32_t delete = 0;
+ uint32_t delete = 0;
 protocol_id_t proto = 0;
 int children = 0;
 status_t status = SUCCESS;
@@ -136,7 +136,7 @@ METHOD(job_t, get_priority, job_priority_t, /** * See header */ -inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout, +inactivity_job_t *inactivity_job_create(uint32_t unique_id, uint32_t timeout, bool close_ike) { private_inactivity_job_t *this; diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h index ff19fe560..240782fa8 100644 --- a/src/libcharon/processing/jobs/inactivity_job.h +++ b/src/libcharon/processing/jobs/inactivity_job.h @@ -47,7 +47,7 @@ struct inactivity_job_t { * @param close_ike close IKE_SA if the last remaining CHILD_SA is inactive? * @return inactivity checking job */ -inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout, +inactivity_job_t *inactivity_job_create(uint32_t unique_id, uint32_t timeout, bool close_ike); #endif /** INACTIVITY_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c index 097dbdffd..461ba11d1 100644 --- a/src/libcharon/processing/jobs/migrate_job.c +++ b/src/libcharon/processing/jobs/migrate_job.c @@ -34,7 +34,7 @@ struct private_migrate_job_t { /** * reqid of the CHILD_SA if it already exists */ - u_int32_t reqid; + uint32_t reqid; /** * source traffic selector @@ -144,7 +144,7 @@ METHOD(job_t, get_priority, job_priority_t, /* * Described in header */ -migrate_job_t *migrate_job_create(u_int32_t reqid, +migrate_job_t *migrate_job_create(uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t dir, diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h index 0f2b9aaad..140635bed 100644 --- a/src/libcharon/processing/jobs/migrate_job.h +++ b/src/libcharon/processing/jobs/migrate_job.h 
@@ -54,7 +54,7 @@ struct migrate_job_t { * @param remote remote host address to be used in the IKE_SA * @return migrate_job_t object */ -migrate_job_t *migrate_job_create(u_int32_t reqid, +migrate_job_t *migrate_job_create(uint32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t dir, host_t *local, host_t *remote); diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c index 057876b33..d76f4f65b 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c @@ -38,7 +38,7 @@ struct private_rekey_child_sa_job_t { /** * inbound SPI of the CHILD_SA */ - u_int32_t spi; + uint32_t spi; /** * SA destination address @@ -86,7 +86,7 @@ METHOD(job_t, get_priority, job_priority_t, * Described in header */ rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol, - u_int32_t spi, host_t *dst) + uint32_t spi, host_t *dst) { private_rekey_child_sa_job_t *this; diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h index 364bb5ae7..1de06fd07 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.h +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h @@ -49,5 +49,5 @@ struct rekey_child_sa_job_t { * @return rekey_child_sa_job_t object */ rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol, - u_int32_t spi, host_t *dst); + uint32_t spi, host_t *dst); #endif /** REKEY_CHILD_SA_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c index 403d826a3..148db2f92 100644 --- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c 
@@ -49,11 +49,11 @@ METHOD(job_t, destroy, void, /** * Check if we should delay a reauth, and by how many seconds */ -static u_int32_t get_retry_delay(ike_sa_t *ike_sa) +static uint32_t get_retry_delay(ike_sa_t *ike_sa) { enumerator_t *enumerator; child_sa_t *child_sa; - u_int32_t retry = 0; + uint32_t retry = 0; /* avoid reauth collisions for certain IKE_SA/CHILD_SA states */ if (ike_sa->get_state(ike_sa) != IKE_ESTABLISHED) @@ -87,7 +87,7 @@ METHOD(job_t, execute, job_requeue_t, { ike_sa_t *ike_sa; status_t status = SUCCESS; - u_int32_t retry = 0; + uint32_t retry = 0; ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->ike_sa_id); diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c index 48c326804..4daa41868 100644 --- a/src/libcharon/processing/jobs/retransmit_job.c +++ b/src/libcharon/processing/jobs/retransmit_job.c @@ -32,7 +32,7 @@ struct private_retransmit_job_t { /** * Message ID of the request to resend. */ - u_int32_t message_id; + uint32_t message_id; /** * ID of the IKE_SA which the message belongs to. @@ -79,7 +79,7 @@ METHOD(job_t, get_priority, job_priority_t, /* * Described in header. */ -retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id) +retransmit_job_t *retransmit_job_create(uint32_t message_id,ike_sa_id_t *ike_sa_id) { private_retransmit_job_t *this; diff --git a/src/libcharon/processing/jobs/retransmit_job.h b/src/libcharon/processing/jobs/retransmit_job.h index c4545534b..595513cef 100644 --- a/src/libcharon/processing/jobs/retransmit_job.h +++ b/src/libcharon/processing/jobs/retransmit_job.h @@ -49,7 +49,7 @@ struct retransmit_job_t { * @param ike_sa_id identification of the ike_sa as ike_sa_id_t * @return retransmit_job_t object */ -retransmit_job_t *retransmit_job_create(u_int32_t message_id, +retransmit_job_t *retransmit_job_create(uint32_t message_id, ike_sa_id_t *ike_sa_id); #endif /** RETRANSMIT_JOB_H_ @}*/ 
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c index 862506d90..3360b7dc5 100644 --- a/src/libcharon/processing/jobs/update_sa_job.c +++ b/src/libcharon/processing/jobs/update_sa_job.c @@ -41,7 +41,7 @@ struct private_update_sa_job_t { /** * SPI of the CHILD_SA */ - u_int32_t spi; + uint32_t spi; /** * Old SA destination address @@ -92,7 +92,7 @@ METHOD(job_t, get_priority, job_priority_t, * Described in header */ update_sa_job_t *update_sa_job_create(protocol_id_t protocol, - u_int32_t spi, host_t *dst, host_t *new) + uint32_t spi, host_t *dst, host_t *new) { private_update_sa_job_t *this; diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h index 9c19f5b6e..ed978dc8b 100644 --- a/src/libcharon/processing/jobs/update_sa_job.h +++ b/src/libcharon/processing/jobs/update_sa_job.h @@ -49,6 +49,6 @@ struct update_sa_job_t { * @return update_sa_job_t object */ update_sa_job_t *update_sa_job_create(protocol_id_t protocol, - u_int32_t spi, host_t *dst, host_t *new); + uint32_t spi, host_t *dst, host_t *new); #endif /** UPDATE_SA_JOB_H_ @}*/ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 56b7cb5a4..8a405d93c 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1,9 +1,10 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Coypright (C) 2016 Andreas Steffen + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
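Review bot: The new first line of the child_sa.c license header is misspelled: `* Coypright (C) 2016 Andreas Steffen` should read `* Copyright (C) 2016 Andreas Steffen`, matching the lines that follow it. It is only a comment, but it is the line tooling and auditors grep for, so it is worth fixing before the import lands.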
@@ -63,22 +64,22 @@ struct private_child_sa_t { /** * our actually used SPI, 0 if unused */ - u_int32_t my_spi; + uint32_t my_spi; /** * others used SPI, 0 if unused */ - u_int32_t other_spi; + uint32_t other_spi; /** * our Compression Parameter Index (CPI) used, 0 if unused */ - u_int16_t my_cpi; + uint16_t my_cpi; /** * others Compression Parameter Index (CPI) used, 0 if unused */ - u_int16_t other_cpi; + uint16_t other_cpi; /** * Array for local traffic selectors @@ -98,7 +99,7 @@ struct private_child_sa_t { /** * reqid used for this child_sa */ - u_int32_t reqid; + uint32_t reqid; /** * Did we allocate/confirm and must release the reqid? @@ -113,7 +114,7 @@ struct private_child_sa_t { /* * Unique CHILD_SA identifier */ - u_int32_t unique_id; + uint32_t unique_id; /** * inbound mark used for this child_sa @@ -198,28 +199,28 @@ struct private_child_sa_t { /** * last number of inbound bytes */ - u_int64_t my_usebytes; + uint64_t my_usebytes; /** * last number of outbound bytes */ - u_int64_t other_usebytes; + uint64_t other_usebytes; /** * last number of inbound packets */ - u_int64_t my_usepackets; + uint64_t my_usepackets; /** * last number of outbound bytes */ - u_int64_t other_usepackets; + uint64_t other_usepackets; }; /** * convert an IKEv2 specific protocol identifier to the IP protocol identifier. */ -static inline u_int8_t proto_ike2ip(protocol_id_t protocol) +static inline uint8_t proto_ike2ip(protocol_id_t protocol) { switch (protocol) { @@ -238,13 +239,13 @@ METHOD(child_sa_t, get_name, char*, return this->config->get_name(this->config); } -METHOD(child_sa_t, get_reqid, u_int32_t, +METHOD(child_sa_t, get_reqid, uint32_t, private_child_sa_t *this) { return this->reqid; } -METHOD(child_sa_t, get_unique_id, u_int32_t, +METHOD(child_sa_t, get_unique_id, uint32_t, private_child_sa_t *this) { return this->unique_id; 
@@ -269,13 +270,13 @@ METHOD(child_sa_t, get_state, child_sa_state_t, return this->state; } -METHOD(child_sa_t, get_spi, u_int32_t, +METHOD(child_sa_t, get_spi, uint32_t, private_child_sa_t *this, bool inbound) { return inbound ? this->my_spi : this->other_spi; } -METHOD(child_sa_t, get_cpi, u_int16_t, +METHOD(child_sa_t, get_cpi, uint16_t, private_child_sa_t *this, bool inbound) { return inbound ? this->my_cpi : this->other_cpi; @@ -461,17 +462,24 @@ METHOD(child_sa_t, create_policy_enumerator, enumerator_t*, static status_t update_usebytes(private_child_sa_t *this, bool inbound) { status_t status = FAILED; - u_int64_t bytes, packets; + uint64_t bytes, packets; time_t time; if (inbound) { if (this->my_spi) { - status = charon->kernel->query_sa(charon->kernel, this->other_addr, - this->my_addr, this->my_spi, - proto_ike2ip(this->protocol), this->mark_in, - &bytes, &packets, &time); + kernel_ipsec_sa_id_t id = { + .src = this->other_addr, + .dst = this->my_addr, + .spi = this->my_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_in, + }; + kernel_ipsec_query_sa_t query = {}; + + status = charon->kernel->query_sa(charon->kernel, &id, &query, + &bytes, &packets, &time); if (status == SUCCESS) { if (bytes > this->my_usebytes) @@ -492,10 +500,17 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->other_spi) { - status = charon->kernel->query_sa(charon->kernel, this->my_addr, - this->other_addr, this->other_spi, - proto_ike2ip(this->protocol), this->mark_out, - &bytes, &packets, &time); + kernel_ipsec_sa_id_t id = { + .src = this->my_addr, + .dst = this->other_addr, + .spi = this->other_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_out, + }; + kernel_ipsec_query_sa_t query = {}; + + status = charon->kernel->query_sa(charon->kernel, &id, &query, + &bytes, &packets, &time); if (status == SUCCESS) { if (bytes > this->other_usebytes) 
@@ -531,15 +546,24 @@ static bool update_usetime(private_child_sa_t *this, bool inbound) if (inbound) { - if (charon->kernel->query_policy(charon->kernel, other_ts, - my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS) + kernel_ipsec_policy_id_t id = { + .dir = POLICY_IN, + .src_ts = other_ts, + .dst_ts = my_ts, + .mark = this->mark_in, + }; + kernel_ipsec_query_policy_t query = {}; + + if (charon->kernel->query_policy(charon->kernel, &id, &query, + &in) == SUCCESS) { last_use = max(last_use, in); } if (this->mode != MODE_TRANSPORT) { - if (charon->kernel->query_policy(charon->kernel, other_ts, - my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS) + id.dir = POLICY_FWD; + if (charon->kernel->query_policy(charon->kernel, &id, &query, + &fwd) == SUCCESS) { last_use = max(last_use, fwd); } @@ -547,8 +571,17 @@ static bool update_usetime(private_child_sa_t *this, bool inbound) } else { - if (charon->kernel->query_policy(charon->kernel, my_ts, - other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS) + kernel_ipsec_policy_id_t id = { + .dir = POLICY_OUT, + .src_ts = my_ts, + .dst_ts = other_ts, + .mark = this->mark_out, + .interface = this->config->get_interface(this->config), + }; + kernel_ipsec_query_policy_t query = {}; + + if (charon->kernel->query_policy(charon->kernel, &id, &query, + &out) == SUCCESS) { last_use = max(last_use, out); } @@ -573,7 +606,7 @@ static bool update_usetime(private_child_sa_t *this, bool inbound) METHOD(child_sa_t, get_usestats, void, private_child_sa_t *this, bool inbound, - time_t *time, u_int64_t *bytes, u_int64_t *packets) + time_t *time, uint64_t *bytes, uint64_t *packets) { if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED) { 
@@ -625,7 +658,7 @@ METHOD(child_sa_t, get_installtime, time_t, return this->install_time; } -METHOD(child_sa_t, alloc_spi, u_int32_t, +METHOD(child_sa_t, alloc_spi, uint32_t, private_child_sa_t *this, protocol_id_t protocol) { if (charon->kernel->get_spi(charon->kernel, this->other_addr, this->my_addr, @@ -639,7 +672,7 @@ METHOD(child_sa_t, alloc_spi, u_int32_t, return 0; } -METHOD(child_sa_t, alloc_cpi, u_int16_t, +METHOD(child_sa_t, alloc_cpi, uint16_t, private_child_sa_t *this) { if (charon->kernel->get_cpi(charon->kernel, this->other_addr, this->my_addr, @@ -651,16 +684,18 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t, } METHOD(child_sa_t, install, status_t, - private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi, - u_int16_t cpi, bool initiator, bool inbound, bool tfcv3, + private_child_sa_t *this, chunk_t encr, chunk_t integ, uint32_t spi, + uint16_t cpi, bool initiator, bool inbound, bool tfcv3, linked_list_t *my_ts, linked_list_t *other_ts) { - u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; - u_int16_t esn = NO_EXT_SEQ_NUMBERS; + uint16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; + uint16_t esn = NO_EXT_SEQ_NUMBERS; linked_list_t *src_ts = NULL, *dst_ts = NULL; time_t now; + kernel_ipsec_sa_id_t id; + kernel_ipsec_add_sa_t sa; lifetime_cfg_t *lifetime; - u_int32_t tfc = 0; + uint32_t tfc = 0; host_t *src, *dst; status_t status; bool update = FALSE; @@ -716,7 +751,7 @@ METHOD(child_sa_t, install, status_t, this->reqid_allocated = TRUE; } - lifetime = this->config->get_lifetime(this->config); + lifetime = this->config->get_lifetime(this->config, TRUE); now = time_monotonic(NULL); if (lifetime->time.rekey) 
@@ -752,12 +787,36 @@ METHOD(child_sa_t, install, status_t, dst_ts = other_ts; } - status = charon->kernel->add_sa(charon->kernel, - src, dst, spi, proto_ike2ip(this->protocol), this->reqid, - inbound ? this->mark_in : this->mark_out, tfc, - lifetime, enc_alg, encr, int_alg, integ, this->mode, - this->ipcomp, cpi, this->config->get_replay_window(this->config), - initiator, this->encap, esn, inbound, update, src_ts, dst_ts); + id = (kernel_ipsec_sa_id_t){ + .src = src, + .dst = dst, + .spi = spi, + .proto = proto_ike2ip(this->protocol), + .mark = inbound ? this->mark_in : this->mark_out, + }; + sa = (kernel_ipsec_add_sa_t){ + .reqid = this->reqid, + .mode = this->mode, + .src_ts = src_ts, + .dst_ts = dst_ts, + .interface = inbound ? NULL : this->config->get_interface(this->config), + .lifetime = lifetime, + .enc_alg = enc_alg, + .enc_key = encr, + .int_alg = int_alg, + .int_key = integ, + .replay_window = this->config->get_replay_window(this->config), + .tfc = tfc, + .ipcomp = this->ipcomp, + .cpi = cpi, + .encap = this->encap, + .esn = esn, + .initiator = initiator, + .inbound = inbound, + .update = update, + }; + + status = charon->kernel->add_sa(charon->kernel, &id, &sa); free(lifetime); 
@@ -825,24 +884,62 @@ static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa, static status_t install_policies_internal(private_child_sa_t *this, host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa, - ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) + ipsec_sa_cfg_t *other_sa, policy_type_t type, + policy_priority_t priority, uint32_t manual_prio) { + kernel_ipsec_policy_id_t out_id = { + .dir = POLICY_OUT, + .src_ts = my_ts, + .dst_ts = other_ts, + .mark = this->mark_out, + .interface = this->config->get_interface(this->config), + }, in_id = { + .dir = POLICY_IN, + .src_ts = other_ts, + .dst_ts = my_ts, + .mark = this->mark_in, + }; + kernel_ipsec_manage_policy_t out_policy = { + .type = type, + .prio = priority, + .manual_prio = manual_prio, + .src = my_addr, + .dst = other_addr, + .sa = other_sa, + }, in_policy = { + .type = type, + .prio = priority, + .manual_prio = manual_prio, + .src = other_addr, + .dst = my_addr, + .sa = my_sa, + }; status_t status = SUCCESS; - status |= charon->kernel->add_policy(charon->kernel, - my_addr, other_addr, my_ts, other_ts, - POLICY_OUT, type, other_sa, - this->mark_out, priority); - - status |= charon->kernel->add_policy(charon->kernel, - other_addr, my_addr, other_ts, my_ts, - POLICY_IN, type, my_sa, - this->mark_in, priority); + + status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy); + status |= charon->kernel->add_policy(charon->kernel, &in_id, &in_policy); if (this->mode != MODE_TRANSPORT) { - status |= charon->kernel->add_policy(charon->kernel, - other_addr, my_addr, other_ts, my_ts, - POLICY_FWD, type, my_sa, - this->mark_in, priority); + in_id.dir = POLICY_FWD; + status |= charon->kernel->add_policy(charon->kernel, &in_id, &in_policy); + + /* install an "outbound" FWD policy in case there is a drop policy + * matching outbound forwarded traffic, to allow another tunnel to use + * the reversed 
subnets and do the same we don't set a reqid (this also + * allows the kernel backend to distinguish between the two types of + * FWD policies). To avoid problems with symmetrically overlapping + * policies of two SAs we install them with reduced priority. As they + * basically act as bypass policies for drop policies we use a higher + * priority than is used for them. */ + out_id.dir = POLICY_FWD; + other_sa->reqid = 0; + if (priority == POLICY_PRIORITY_DEFAULT) + { + out_policy.prio = POLICY_PRIORITY_ROUTED; + } + status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy); + /* reset the reqid for any other further policies */ + other_sa->reqid = this->reqid; } return status; } 
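Review bot: The "outbound" FWD policy is given reqid 0 by clobbering the caller's `other_sa->reqid` and then resetting it to `this->reqid`, which assumes the struct held `this->reqid` on entry; that is set up in prepare_sa_cfg, outside this hunk, and nothing here checks it. Saving and restoring the original value keeps the side effect local: `uint32_t reqid = other_sa->reqid; other_sa->reqid = 0;` before the add_policy call and `other_sa->reqid = reqid;` after it. Separately, `status |= charon->kernel->add_policy(...)` bit-ORs status_t values together (this predates the change); if status_t is a plain enum, two different failures can combine into a value that means something else entirely, so comparing each result against SUCCESS and recording FAILED would be safer than the OR.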
@@ -853,20 +950,52 @@ static status_t install_policies_internal(private_child_sa_t *this, static void del_policies_internal(private_child_sa_t *this, host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa, - ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) + ipsec_sa_cfg_t *other_sa, policy_type_t type, + policy_priority_t priority, uint32_t manual_prio) { + kernel_ipsec_policy_id_t out_id = { + .dir = POLICY_OUT, + .src_ts = my_ts, + .dst_ts = other_ts, + .mark = this->mark_out, + .interface = this->config->get_interface(this->config), + }, in_id = { + .dir = POLICY_IN, + .src_ts = other_ts, + .dst_ts = my_ts, + .mark = this->mark_in, + }; + kernel_ipsec_manage_policy_t out_policy = { + .type = type, + .prio = priority, + .manual_prio = manual_prio, + .src = my_addr, + .dst = other_addr, + .sa = other_sa, + }, in_policy = { + .type = type, + .prio = priority, + .manual_prio = manual_prio, + .src = other_addr, + .dst = my_addr, + .sa = my_sa, + }; - charon->kernel->del_policy(charon->kernel, - my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type, - other_sa, this->mark_out, priority); - charon->kernel->del_policy(charon->kernel, - other_addr, my_addr, other_ts, my_ts, POLICY_IN, - type, my_sa, this->mark_in, priority); + charon->kernel->del_policy(charon->kernel, &out_id, &out_policy); + charon->kernel->del_policy(charon->kernel, &in_id, &in_policy); if (this->mode != MODE_TRANSPORT) { - charon->kernel->del_policy(charon->kernel, - other_addr, my_addr, other_ts, my_ts, POLICY_FWD, - type, my_sa, this->mark_in, priority); + in_id.dir = POLICY_FWD; + charon->kernel->del_policy(charon->kernel, &in_id, &in_policy); + + out_id.dir = POLICY_FWD; + other_sa->reqid = 0; + if (priority == POLICY_PRIORITY_DEFAULT) + { + out_policy.prio = POLICY_PRIORITY_ROUTED; + } + charon->kernel->del_policy(charon->kernel, &out_id, &out_policy); + other_sa->reqid = this->reqid; } } 
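Review bot: del_policies_internal now rebuilds the same four `out_id`/`in_id`/`out_policy`/`in_policy` initializers and repeats the `other_sa->reqid = 0` / `POLICY_PRIORITY_ROUTED` sequence from install_policies_internal; if the two copies ever drift (a field added to one, a priority tweak in the other), the delete no longer matches the installed policy and the kernel keeps a stale FWD entry behind. I would move the shared setup into one static helper that both functions call, so the identifiers used for add and delete are always built by the same code. As in the install path, the temporary `other_sa->reqid = 0` should save and restore the caller's value rather than assume it was `this->reqid`.

```c
/* Build the kernel policy IDs and policy parameters shared by
 * install_policies_internal() and del_policies_internal(). */
static void build_policy_params(private_child_sa_t *this, host_t *my_addr,
	host_t *other_addr, traffic_selector_t *my_ts, traffic_selector_t *other_ts,
	ipsec_sa_cfg_t *my_sa, ipsec_sa_cfg_t *other_sa, policy_type_t type,
	policy_priority_t priority, uint32_t manual_prio,
	kernel_ipsec_policy_id_t *out_id, kernel_ipsec_policy_id_t *in_id,
	kernel_ipsec_manage_policy_t *out_policy,
	kernel_ipsec_manage_policy_t *in_policy)
{
	*out_id = (kernel_ipsec_policy_id_t){
		.dir = POLICY_OUT,
		.src_ts = my_ts,
		.dst_ts = other_ts,
		.mark = this->mark_out,
		.interface = this->config->get_interface(this->config),
	};
	*in_id = (kernel_ipsec_policy_id_t){
		.dir = POLICY_IN,
		.src_ts = other_ts,
		.dst_ts = my_ts,
		.mark = this->mark_in,
	};
	*out_policy = (kernel_ipsec_manage_policy_t){
		.type = type,
		.prio = priority,
		.manual_prio = manual_prio,
		.src = my_addr,
		.dst = other_addr,
		.sa = other_sa,
	};
	*in_policy = (kernel_ipsec_manage_policy_t){
		.type = type,
		.prio = priority,
		.manual_prio = manual_prio,
		.src = other_addr,
		.dst = my_addr,
		.sa = my_sa,
	};
}

static void del_policies_internal(private_child_sa_t *this,
	host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
	traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
	ipsec_sa_cfg_t *other_sa, policy_type_t type,
	policy_priority_t priority, uint32_t manual_prio)
{
	kernel_ipsec_policy_id_t out_id, in_id;
	kernel_ipsec_manage_policy_t out_policy, in_policy;
	uint32_t reqid = other_sa->reqid;

	build_policy_params(this, my_addr, other_addr, my_ts, other_ts, my_sa,
						other_sa, type, priority, manual_prio,
						&out_id, &in_id, &out_policy, &in_policy);
	/* … unchanged: OUT/IN del_policy calls and the FWD handling … */
	other_sa->reqid = reqid;
}
```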
@@ -912,8 +1041,10 @@ METHOD(child_sa_t, add_policies, status_t, { policy_priority_t priority; ipsec_sa_cfg_t my_sa, other_sa; + uint32_t manual_prio; prepare_sa_cfg(this, &my_sa, &other_sa); + manual_prio = this->config->get_manual_prio(this->config); /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD * entry) we install a trap policy */ @@ -927,18 +1058,20 @@ METHOD(child_sa_t, add_policies, status_t, { /* install outbound drop policy to avoid packets leaving unencrypted * when updating policies */ - if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) + if (priority == POLICY_PRIORITY_DEFAULT && manual_prio == 0 && + require_policy_update()) { status |= install_policies_internal(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK); + POLICY_PRIORITY_FALLBACK, 0); } /* install policies */ status |= install_policies_internal(this, this->my_addr, this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, priority); + &my_sa, &other_sa, POLICY_IPSEC, + priority, manual_prio); if (status != SUCCESS) { @@ -994,11 +1127,22 @@ METHOD(child_sa_t, update, status_t, /* update our (initiator) SA */ if (this->my_spi) { - if (charon->kernel->update_sa(charon->kernel, - this->my_spi, proto_ike2ip(this->protocol), - this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, - this->other_addr, this->my_addr, other, me, - this->encap, encap, this->mark_in) == NOT_SUPPORTED) + kernel_ipsec_sa_id_t id = { + .src = this->other_addr, + .dst = this->my_addr, + .spi = this->my_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_in, + }; + kernel_ipsec_update_sa_t sa = { + .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, + .new_src = other, + .new_dst = me, + .encap = this->encap, + .new_encap = encap, + }; + if (charon->kernel->update_sa(charon->kernel, &id, + &sa) == NOT_SUPPORTED) { set_state(this, old); return NOT_SUPPORTED; 
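Review bot: The added `manual_prio == 0` condition in add_policies means a CHILD_SA configured with a manual policy priority gets no outbound drop fallback at all, yet the comment directly above still says that policy exists "to avoid packets leaving unencrypted when updating policies"; a reader cannot tell whether that exposure was accepted deliberately. I would extend the comment next to the condition, e.g. `/* with a manual priority the drop fallback is skipped -- presumably its fixed FALLBACK priority cannot be ordered against the user-chosen value; confirm that a brief plaintext window during policy updates is acceptable */`. add_policies' body continues outside the hunk, so any reordering of the two install_policies_internal calls cannot be judged from here.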
@@ -1008,11 +1152,22 @@ METHOD(child_sa_t, update, status_t, /* update his (responder) SA */ if (this->other_spi) { - if (charon->kernel->update_sa(charon->kernel, - this->other_spi, proto_ike2ip(this->protocol), - this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, - this->my_addr, this->other_addr, me, other, - this->encap, encap, this->mark_out) == NOT_SUPPORTED) + kernel_ipsec_sa_id_t id = { + .src = this->my_addr, + .dst = this->other_addr, + .spi = this->other_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_out, + }; + kernel_ipsec_update_sa_t sa = { + .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, + .new_src = me, + .new_dst = other, + .encap = this->encap, + .new_encap = encap, + }; + if (charon->kernel->update_sa(charon->kernel, &id, + &sa) == NOT_SUPPORTED) { set_state(this, old); return NOT_SUPPORTED; @@ -1028,18 +1183,21 @@ METHOD(child_sa_t, update, status_t, ipsec_sa_cfg_t my_sa, other_sa; enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; + uint32_t manual_prio; prepare_sa_cfg(this, &my_sa, &other_sa); + manual_prio = this->config->get_manual_prio(this->config); /* always use high priorities, as hosts getting updated are INSTALLED */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; + /* remove old policies first */ del_policies_internal(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_IPSEC, POLICY_PRIORITY_DEFAULT); + my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT, manual_prio); /* check if we have to update a "dynamic" traffic selector */ if (!me->ip_equals(me, this->my_addr) && 
@@ -1062,17 +1220,20 @@ METHOD(child_sa_t, update, status_t, /* reinstall updated policies */ install_policies_internal(this, me, other, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT); + POLICY_PRIORITY_DEFAULT, manual_prio); /* update fallback policies after the new policy is in place */ - del_policies_internal(this, this->my_addr, this->other_addr, - old_my_ts ?: my_ts, - old_other_ts ?: other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK); - install_policies_internal(this, me, other, my_ts, other_ts, + if (manual_prio == 0) + { + del_policies_internal(this, this->my_addr, this->other_addr, + old_my_ts ?: my_ts, + old_other_ts ?: other_ts, + &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_FALLBACK, 0); + install_policies_internal(this, me, other, my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK); + POLICY_PRIORITY_FALLBACK, 0); + } DESTROY_IF(old_my_ts); DESTROY_IF(old_other_ts); } 
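Review bot: The result of `install_policies_internal(this, me, other, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio)` is discarded, so if reinstalling fails after del_policies_internal already removed the old policy, the CHILD_SA is left with no IPsec policy and nothing is logged or returned. This predates the change, but the new `manual_prio != 0` branch makes it more pressing, because in that case no fallback drop policy covers the gap either. Capture the status and at least report it, e.g. `if (install_policies_internal(...) != SUCCESS)` followed by a warning log, or fold it into the value update() returns. The enclosing update() method begins and ends outside this hunk.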
@@ -1115,20 +1276,24 @@ METHOD(child_sa_t, destroy, void, if (this->config->install_policy(this->config)) { ipsec_sa_cfg_t my_sa, other_sa; + uint32_t manual_prio; prepare_sa_cfg(this, &my_sa, &other_sa); + manual_prio = this->config->get_manual_prio(this->config); /* delete all policies in the kernel */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { del_policies_internal(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, priority); - if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) + my_ts, other_ts, &my_sa, &other_sa, + POLICY_IPSEC, priority, manual_prio); + if (priority == POLICY_PRIORITY_DEFAULT && manual_prio == 0 && + require_policy_update()) { del_policies_internal(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK); + my_ts, other_ts, &my_sa, &other_sa, + POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0); } } enumerator->destroy(enumerator); 
@@ -1137,17 +1302,31 @@ METHOD(child_sa_t, destroy, void, /* delete SAs in the kernel, if they are set up */ if (this->my_spi) { - charon->kernel->del_sa(charon->kernel, - this->other_addr, this->my_addr, this->my_spi, - proto_ike2ip(this->protocol), this->my_cpi, - this->mark_in); + kernel_ipsec_sa_id_t id = { + .src = this->other_addr, + .dst = this->my_addr, + .spi = this->my_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_in, + }; + kernel_ipsec_del_sa_t sa = { + .cpi = this->my_cpi, + }; + charon->kernel->del_sa(charon->kernel, &id, &sa); } if (this->other_spi) { - charon->kernel->del_sa(charon->kernel, - this->my_addr, this->other_addr, this->other_spi, - proto_ike2ip(this->protocol), this->other_cpi, - this->mark_out); + kernel_ipsec_sa_id_t id = { + .src = this->my_addr, + .dst = this->other_addr, + .spi = this->other_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_out, + }; + kernel_ipsec_del_sa_t sa = { + .cpi = this->other_cpi, + }; + charon->kernel->del_sa(charon->kernel, &id, &sa); } if (this->reqid_allocated) @@ -1174,7 +1353,7 @@ METHOD(child_sa_t, destroy, void, static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local) { host_t *host = NULL; - u_int8_t mask; + uint8_t mask; enumerator_t *enumerator; linked_list_t *ts_list, *list; traffic_selector_t *ts; @@ -1207,11 +1386,12 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local) * Described in header. */ child_sa_t * child_sa_create(host_t *me, host_t* other, - child_cfg_t *config, u_int32_t rekey, bool encap, + child_cfg_t *config, uint32_t rekey, bool encap, u_int mark_in, u_int mark_out) { private_child_sa_t *this; - static refcount_t unique_id = 0, unique_mark = 0, mark; + static refcount_t unique_id = 0, unique_mark = 0; + refcount_t mark; INIT(this, .public = { diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index debe8eb2c..bc7df996a 100644 --- a/src/libcharon/sa/child_sa.h 
+++ b/src/libcharon/sa/child_sa.h @@ -128,7 +128,7 @@ struct child_sa_t { * * @return reqid of the CHILD SA */ - u_int32_t (*get_reqid)(child_sa_t *this); + uint32_t (*get_reqid)(child_sa_t *this); /** * Get the unique numerical identifier for this CHILD_SA. @@ -138,7 +138,7 @@ struct child_sa_t { * * @return unique CHILD_SA identifier */ - u_int32_t (*get_unique_id)(child_sa_t *this); + uint32_t (*get_unique_id)(child_sa_t *this); /** * Get the config used to set up this child sa. @@ -171,7 +171,7 @@ struct child_sa_t { * @param inbound TRUE to get inbound SPI, FALSE for outbound. * @return SPI of the CHILD SA */ - u_int32_t (*get_spi) (child_sa_t *this, bool inbound); + uint32_t (*get_spi) (child_sa_t *this, bool inbound); /** * Get the CPI of this CHILD_SA. @@ -183,7 +183,7 @@ struct child_sa_t { * @param inbound TRUE to get inbound CPI, FALSE for outbound. * @return CPI of the CHILD SA */ - u_int16_t (*get_cpi) (child_sa_t *this, bool inbound); + uint16_t (*get_cpi) (child_sa_t *this, bool inbound); /** * Get the protocol which this CHILD_SA uses to protect traffic. @@ -300,7 +300,7 @@ struct child_sa_t { * @param[out] packets number of processed packets (NULL to ignore) */ void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time, - u_int64_t *bytes, u_int64_t *packets); + uint64_t *bytes, uint64_t *packets); /** * Get the mark used with this CHILD_SA. @@ -335,14 +335,14 @@ struct child_sa_t { * @param spi SPI output pointer * @return SPI, 0 on failure */ - u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol); + uint32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol); /** * Allocate a CPI to use for IPComp. * * @return CPI, 0 on failure */ - u_int16_t (*alloc_cpi)(child_sa_t *this); + uint16_t (*alloc_cpi)(child_sa_t *this); /** * Install an IPsec SA for one direction. 
@@ -359,7 +359,7 @@ struct child_sa_t { * @return SUCCESS or FAILED */ status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ, - u_int32_t spi, u_int16_t cpi, + uint32_t spi, uint16_t cpi, bool initiator, bool inbound, bool tfcv3, linked_list_t *my_ts, linked_list_t *other_ts); /** @@ -404,7 +404,7 @@ struct child_sa_t { * @return child_sa_t object */ child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config, - u_int32_t reqid, bool encap, + uint32_t reqid, bool encap, u_int mark_in, u_int mark_out); #endif /** CHILD_SA_H_ @}*/ diff --git a/src/libcharon/sa/child_sa_manager.c b/src/libcharon/sa/child_sa_manager.c index 071a119da..13f22cf5f 100644 --- a/src/libcharon/sa/child_sa_manager.c +++ b/src/libcharon/sa/child_sa_manager.c @@ -59,11 +59,11 @@ typedef struct { /** the associated IKE_SA */ ike_sa_id_t *ike_id; /** unique CHILD_SA identifier */ - u_int32_t unique_id; + uint32_t unique_id; /** inbound SPI */ - u_int32_t spi_in; + uint32_t spi_in; /** outbound SPI */ - u_int32_t spi_out; + uint32_t spi_out; /** inbound host address */ host_t *host_in; /** outbound host address and port */ @@ -202,7 +202,7 @@ METHOD(child_sa_manager_t, remove_, void, * Check out an IKE_SA for a given CHILD_SA */ static ike_sa_t *checkout_ikesa(private_child_sa_manager_t *this, - ike_sa_id_t *id, u_int32_t unique_id, child_sa_t **child_sa) + ike_sa_id_t *id, uint32_t unique_id, child_sa_t **child_sa) { enumerator_t *enumerator; child_sa_t *current; @@ -238,7 +238,7 @@ static ike_sa_t *checkout_ikesa(private_child_sa_manager_t *this, } METHOD(child_sa_manager_t, checkout_by_id, ike_sa_t*, - private_child_sa_manager_t *this, u_int32_t unique_id, + private_child_sa_manager_t *this, uint32_t unique_id, child_sa_t **child_sa) { ike_sa_id_t *id; 
@@ -262,11 +262,11 @@ METHOD(child_sa_manager_t, checkout_by_id, ike_sa_t*, } METHOD(child_sa_manager_t, checkout, ike_sa_t*, - private_child_sa_manager_t *this, protocol_id_t protocol, u_int32_t spi, + private_child_sa_manager_t *this, protocol_id_t protocol, uint32_t spi, host_t *dst, child_sa_t **child_sa) { ike_sa_id_t *id; - u_int32_t unique_id; + uint32_t unique_id; child_entry_t *entry, key = { .spi_in = spi, .spi_out = spi, diff --git a/src/libcharon/sa/child_sa_manager.h b/src/libcharon/sa/child_sa_manager.h index 4d57528e8..f1d6ad9e0 100644 --- a/src/libcharon/sa/child_sa_manager.h +++ b/src/libcharon/sa/child_sa_manager.h @@ -59,7 +59,7 @@ struct child_sa_manager_t { * @return IKE_SA, NULL if not found */ ike_sa_t *(*checkout)(child_sa_manager_t *this, - protocol_id_t protocol, u_int32_t spi, host_t *dst, + protocol_id_t protocol, uint32_t spi, host_t *dst, child_sa_t **child_sa); /** @@ -72,7 +72,7 @@ struct child_sa_manager_t { * @param child_sa returns CHILD_SA managed by IKE_SA * @return IKE_SA, NULL if not found */ - ike_sa_t *(*checkout_by_id)(child_sa_manager_t *this, u_int32_t unique_id, + ike_sa_t *(*checkout_by_id)(child_sa_manager_t *this, uint32_t unique_id, child_sa_t **child_sa); /** diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c index 1886307e9..e4fcbc8f0 100644 --- a/src/libcharon/sa/eap/eap_manager.c +++ b/src/libcharon/sa/eap/eap_manager.c @@ -35,7 +35,7 @@ struct eap_entry_t { /** * vendor ID, 0 for default EAP methods */ - u_int32_t vendor; + uint32_t vendor; /** * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER @@ -70,7 +70,7 @@ struct private_eap_manager_t { }; METHOD(eap_manager_t, add_method, void, - private_eap_manager_t *this, eap_type_t type, u_int32_t vendor, + private_eap_manager_t *this, eap_type_t type, uint32_t vendor, eap_role_t role, eap_constructor_t constructor) { eap_entry_t *entry = malloc_thing(eap_entry_t); 
@@ -109,7 +109,7 @@ METHOD(eap_manager_t, remove_method, void, * filter the registered methods */ static bool filter_methods(uintptr_t role, eap_entry_t **entry, - eap_type_t *type, void *in, u_int32_t *vendor) + eap_type_t *type, void *in, uint32_t *vendor) { if ((*entry)->role != (eap_role_t)role) { @@ -144,7 +144,7 @@ METHOD(eap_manager_t, create_enumerator, enumerator_t*, } METHOD(eap_manager_t, create_instance, eap_method_t*, - private_eap_manager_t *this, eap_type_t type, u_int32_t vendor, + private_eap_manager_t *this, eap_type_t type, uint32_t vendor, eap_role_t role, identification_t *server, identification_t *peer) { enumerator_t *enumerator; diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h index e318ef57a..4ed1cae20 100644 --- a/src/libcharon/sa/eap/eap_manager.h +++ b/src/libcharon/sa/eap/eap_manager.h @@ -44,7 +44,7 @@ struct eap_manager_t { * @param role EAP role of the registered method * @param constructor constructor function, returns an eap_method_t */ - void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor, + void (*add_method)(eap_manager_t *this, eap_type_t type, uint32_t vendor, eap_role_t role, eap_constructor_t constructor); /** @@ -61,7 +61,7 @@ struct eap_manager_t { * even though it is registered as method with this manager). * * @param role EAP role of methods to enumerate - * @return enumerator over (eap_type_t type, u_int32_t vendor) + * @return enumerator over (eap_type_t type, uint32_t vendor) */ enumerator_t* (*create_enumerator)(eap_manager_t *this, eap_role_t role); @@ -76,7 +76,7 @@ struct eap_manager_t { * @return EAP method instance, NULL if no constructor found */ eap_method_t* (*create_instance)(eap_manager_t *this, eap_type_t type, - u_int32_t vendor, eap_role_t role, + uint32_t vendor, eap_role_t role, identification_t *server, identification_t *peer); diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h index 689c0f990..8e25f7df8 100644 
--- a/src/libcharon/sa/eap/eap_method.h +++ b/src/libcharon/sa/eap/eap_method.h @@ -96,7 +96,7 @@ struct eap_method_t { * @param vendor pointer receiving vendor identifier for type, 0 for none * @return type of the EAP method */ - eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor); + eap_type_t (*get_type) (eap_method_t *this, uint32_t *vendor); /** * Check if this EAP method authenticates the server. @@ -126,7 +126,7 @@ struct eap_method_t { * * @return current EAP identifier */ - u_int8_t (*get_identifier) (eap_method_t *this); + uint8_t (*get_identifier) (eap_method_t *this); /** * Set the EAP identifier to a deterministic value, overwriting @@ -134,7 +134,7 @@ struct eap_method_t { * * @param identifier current EAP identifier */ - void (*set_identifier) (eap_method_t *this, u_int8_t identifier); + void (*set_identifier) (eap_method_t *this, uint8_t identifier); /** * Get authentication details performed by this EAP method. diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index bcbff3211..009277ddd 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1,9 +1,9 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -71,6 +71,7 @@ ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING, "ESTABLISHED", "PASSIVE", "REKEYING", + "REKEYED", "DELETING", "DESTROYING", ); @@ -101,7 +102,7 @@ struct private_ike_sa_t { /** * unique numerical ID for this IKE_SA. */ - u_int32_t unique_id; + uint32_t unique_id; /** * Current state of the IKE_SA 
@@ -233,12 +234,12 @@ struct private_ike_sa_t { /** * number pending UPDATE_SA_ADDRESS (MOBIKE) */ - u_int32_t pending_updates; + uint32_t pending_updates; /** * NAT keep alive interval */ - u_int32_t keepalive_interval; + uint32_t keepalive_interval; /** * The schedueld keep alive job, if any @@ -249,7 +250,7 @@ struct private_ike_sa_t { * interval for retries during initiation (e.g. if DNS resolution failed), * 0 to disable (default) */ - u_int32_t retry_initiate_interval; + uint32_t retry_initiate_interval; /** * TRUE if a retry_initiate_job has been queued @@ -259,12 +260,12 @@ struct private_ike_sa_t { /** * Timestamps for this IKE_SA */ - u_int32_t stats[STAT_MAX]; + uint32_t stats[STAT_MAX]; /** * how many times we have retried so far (keyingtries) */ - u_int32_t keyingtry; + uint32_t keyingtry; /** * local host address to be used for IKE, set via MIGRATE kernel message @@ -343,7 +344,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) return use_time; } -METHOD(ike_sa_t, get_unique_id, u_int32_t, +METHOD(ike_sa_t, get_unique_id, uint32_t, private_ike_sa_t *this) { return this->unique_id; @@ -359,7 +360,7 @@ METHOD(ike_sa_t, get_name, char*, return "(unnamed)"; } -METHOD(ike_sa_t, get_statistic, u_int32_t, +METHOD(ike_sa_t, get_statistic, uint32_t, private_ike_sa_t *this, statistic_t kind) { if (kind < STAT_MAX) @@ -370,7 +371,7 @@ METHOD(ike_sa_t, get_statistic, u_int32_t, } METHOD(ike_sa_t, set_statistic, void, - private_ike_sa_t *this, statistic_t kind, u_int32_t value) + private_ike_sa_t *this, statistic_t kind, uint32_t value) { if (kind < STAT_MAX) { @@ -604,7 +605,7 @@ METHOD(ike_sa_t, set_proposal, void, } METHOD(ike_sa_t, set_message_id, void, - private_ike_sa_t *this, bool initiate, u_int32_t mid) + private_ike_sa_t *this, bool initiate, uint32_t mid) { if (initiate) { 
@@ -814,7 +815,7 @@ METHOD(ike_sa_t, set_state, void, this->state == IKE_PASSIVE) { job_t *job; - u_int32_t t; + uint32_t t; /* calculate rekey, reauth and lifetime */ this->stats[STAT_ESTABLISHED] = time_monotonic(NULL); @@ -1035,12 +1036,12 @@ METHOD(ike_sa_t, has_mapping_changed, bool, } METHOD(ike_sa_t, set_pending_updates, void, - private_ike_sa_t *this, u_int32_t updates) + private_ike_sa_t *this, uint32_t updates) { this->pending_updates = updates; } -METHOD(ike_sa_t, get_pending_updates, u_int32_t, +METHOD(ike_sa_t, get_pending_updates, uint32_t, private_ike_sa_t *this) { return this->pending_updates; @@ -1203,6 +1204,7 @@ METHOD(ike_sa_t, generate_message_fragmented, status_t, packet_t *packet; status_t status; bool use_frags = FALSE; + bool pre_generated = FALSE; if (this->ike_cfg) { @@ -1237,14 +1239,21 @@ METHOD(ike_sa_t, generate_message_fragmented, status_t, return SUCCESS; } + pre_generated = message->is_encoded(message); this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); - charon->bus->message(charon->bus, message, FALSE, TRUE); + if (!pre_generated) + { + charon->bus->message(charon->bus, message, FALSE, TRUE); + } status = message->fragment(message, this->keymat, this->fragment_size, &fragments); if (status == SUCCESS) { - charon->bus->message(charon->bus, message, FALSE, FALSE); + if (!pre_generated) + { + charon->bus->message(charon->bus, message, FALSE, FALSE); + } *packets = enumerator_create_filter(fragments, (void*)filter_fragments, this, NULL); } @@ -1432,7 +1441,7 @@ static void resolve_hosts(private_ike_sa_t *this) } METHOD(ike_sa_t, initiate, status_t, - private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid, + private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid, traffic_selector_t *tsi, traffic_selector_t *tsr) { bool defer_initiate = FALSE; 
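Review bot: The new `pre_generated` guards in generate_message_fragmented silently skip both `charon->bus->message()` notifications without saying why, which matters because bus listeners (loggers and similar) will never see such a message. A comment on the assignment would make the intent explicit, e.g. `/* an already encoded message has presumably been announced on the bus when it was first generated; don't notify listeners again */` (hedged, since the first generation happens outside this hunk). Note that `this->stats[STAT_OUTBOUND]` is still updated for pre-generated messages, which looks intentional but is worth a word in the same comment. generate_message_fragmented starts and ends outside the hunk.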
@@ -1642,7 +1651,7 @@ METHOD(ike_sa_t, add_child_sa, void, } METHOD(ike_sa_t, get_child_sa, child_sa_t*, - private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound) + private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound) { enumerator_t *enumerator; child_sa_t *current, *found = NULL; @@ -1721,7 +1730,7 @@ METHOD(ike_sa_t, remove_child_sa, void, } METHOD(ike_sa_t, rekey_child_sa, status_t, - private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) + private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) { if (this->state == IKE_PASSIVE) { @@ -1732,7 +1741,7 @@ METHOD(ike_sa_t, rekey_child_sa, status_t, } METHOD(ike_sa_t, delete_child_sa, status_t, - private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired) + private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired) { if (this->state == IKE_PASSIVE) { @@ -1744,7 +1753,7 @@ METHOD(ike_sa_t, delete_child_sa, status_t, } METHOD(ike_sa_t, destroy_child_sa, status_t, - private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) + private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) { enumerator_t *enumerator; child_sa_t *child_sa; @@ -2301,7 +2310,7 @@ METHOD(ike_sa_t, redirect, status_t, } METHOD(ike_sa_t, retransmit, status_t, - private_ike_sa_t *this, u_int32_t message_id) + private_ike_sa_t *this, uint32_t message_id) { if (this->state == IKE_PASSIVE) { @@ -2316,7 +2325,7 @@ METHOD(ike_sa_t, retransmit, status_t, case IKE_CONNECTING: { /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */ - u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); + uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE, this->keyingtry); this->keyingtry++; 
@@ -2348,7 +2357,8 @@ METHOD(ike_sa_t, retransmit, status_t, reestablish(this); break; } - if (this->state != IKE_CONNECTING) + if (this->state != IKE_CONNECTING && + this->state != IKE_REKEYED) { charon->bus->ike_updown(charon->bus, &this->public, FALSE); } @@ -2358,9 +2368,9 @@ METHOD(ike_sa_t, retransmit, status_t, } METHOD(ike_sa_t, set_auth_lifetime, status_t, - private_ike_sa_t *this, u_int32_t lifetime) + private_ike_sa_t *this, uint32_t lifetime) { - u_int32_t diff, hard, soft, now; + uint32_t diff, hard, soft, now; bool send_update; diff = this->peer_cfg->get_over_time(this->peer_cfg); @@ -2500,6 +2510,7 @@ METHOD(ike_sa_t, roam, status_t, case IKE_DELETING: case IKE_DESTROYING: case IKE_PASSIVE: + case IKE_REKEYED: return SUCCESS; default: break; @@ -2609,6 +2620,12 @@ METHOD(ike_sa_t, queue_task, void, this->task_manager->queue_task(this->task_manager, task); } +METHOD(ike_sa_t, queue_task_delayed, void, + private_ike_sa_t *this, task_t *task, uint32_t delay) +{ + this->task_manager->queue_task_delayed(this->task_manager, task, delay); +} + METHOD(ike_sa_t, inherit_pre, void, private_ike_sa_t *this, ike_sa_t *other_public) { @@ -2927,6 +2944,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, .create_task_enumerator = _create_task_enumerator, .flush_queue = _flush_queue, .queue_task = _queue_task, + .queue_task_delayed = _queue_task_delayed, #ifdef ME .act_as_mediation_server = _act_as_mediation_server, .get_server_reflexive_host = _get_server_reflexive_host, diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index 836360e3c..6f5040d7c 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h 
@@ -1,9 +1,9 @@ /* - * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006-2016 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -58,12 +58,12 @@ typedef struct ike_sa_t ike_sa_t; /** * After which time rekeying should be retried if it failed, in seconds. */ -#define RETRY_INTERVAL 30 +#define RETRY_INTERVAL 15 /** * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry. */ -#define RETRY_JITTER 20 +#define RETRY_JITTER 10 /** * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD. @@ -309,6 +309,11 @@ enum ike_sa_state_t { IKE_REKEYING, /** + * IKE_SA has been rekeyed (or is redundant) + */ + IKE_REKEYED, + + /** * IKE_SA is in progress of deletion */ IKE_DELETING, @@ -353,7 +358,7 @@ struct ike_sa_t { * * @return unique ID */ - u_int32_t (*get_unique_id) (ike_sa_t *this); + uint32_t (*get_unique_id) (ike_sa_t *this); /** * Get the state of the IKE_SA. @@ -382,7 +387,7 @@ struct ike_sa_t { * @param kind kind of requested value * @return value as integer */ - u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind); + uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind); /** * Set statistic value of the IKE_SA. @@ -390,7 +395,7 @@ struct ike_sa_t { * @param kind kind of value to update * @param value value as integer */ - void (*set_statistic)(ike_sa_t *this, statistic_t kind, u_int32_t value); + void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value); /** * Get the own host address. 
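Review bot: Inserting `IKE_REKEYED` between `IKE_REKEYING` and `IKE_DELETING` in `enum ike_sa_state_t` renumbers `IKE_DELETING` and `IKE_DESTROYING`, so anything compiled against the previous header that compares or reports the raw state value will misinterpret those two states until rebuilt. The matching string table in ike_sa.c (updated earlier in this diff) was changed at the same position, so in-tree users stay consistent; a short note in the enum's comment, e.g. `/* order is significant: the ENUM string table in ike_sa.c must match */`, would keep it that way. Separately, halving `RETRY_INTERVAL` and `RETRY_JITTER` in the same file moves the rekey retry window from roughly 10-30 s to 5-15 s with no explanatory comment; one sentence on the motivation would help future readers.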
@@ -557,7 +562,7 @@ struct ike_sa_t { * @param initiate TRUE to set message ID for initiating * @param mid message id to set */ - void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid); + void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid); /** * Add an additional address for the peer. @@ -630,14 +635,14 @@ struct ike_sa_t { * * @return number of pending updates */ - u_int32_t (*get_pending_updates)(ike_sa_t *this); + uint32_t (*get_pending_updates)(ike_sa_t *this); /** * Set the number of queued MOBIKE address updates. * * @param updates number of pending updates */ - void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates); + void (*set_pending_updates)(ike_sa_t *this, uint32_t updates); #ifdef ME /** @@ -752,7 +757,7 @@ struct ike_sa_t { * - DESTROY_ME if initialization failed */ status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg, - u_int32_t reqid, traffic_selector_t *tsi, + uint32_t reqid, traffic_selector_t *tsi, traffic_selector_t *tsr); /** @@ -850,7 +855,7 @@ struct ike_sa_t { * - SUCCESS * - NOT_FOUND if request doesn't have to be retransmited */ - status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id); + status_t (*retransmit) (ike_sa_t *this, uint32_t message_id); /** * Sends a DPD request to the peer. @@ -924,7 +929,7 @@ struct ike_sa_t { * @return child_sa, or NULL if none found */ child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi, bool inbound); + uint32_t spi, bool inbound); /** * Get the number of CHILD_SAs. @@ -958,7 +963,7 @@ struct ike_sa_t { * - NOT_FOUND, if IKE_SA has no such CHILD_SA * - SUCCESS, if rekeying initiated */ - status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); + status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi); /** * Close the CHILD SA with the specified protocol/SPI. 
@@ -975,7 +980,7 @@ struct ike_sa_t { * - SUCCESS, if delete message sent */ status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi, bool expired); + uint32_t spi, bool expired); /** * Destroy a CHILD SA with the specified protocol/SPI. @@ -988,7 +993,7 @@ struct ike_sa_t { * - NOT_FOUND, if IKE_SA has no such CHILD_SA * - SUCCESS */ - status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); + status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi); /** * Rekey the IKE_SA. @@ -1028,7 +1033,7 @@ struct ike_sa_t { * @param lifetime lifetime in seconds * @return DESTROY_ME to destroy the IKE_SA */ - status_t (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime); + status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime); /** * Add a virtual IP to use for this IKE_SA and its children. @@ -1119,6 +1124,15 @@ struct ike_sa_t { void (*queue_task)(ike_sa_t *this, task_t *task); /** + * Queue a task in the manager, but delay its initiation for at least the + * given number of seconds. + * + * @param task task to queue + * @param delay minimum delay in s before initiating the task + */ + void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay); + + /** * Inherit required attributes to new SA before rekeying. * * Some properties of the SA must be applied before starting IKE_SA diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c index e52086483..b4e66ed73 100644 --- a/src/libcharon/sa/ike_sa_id.c +++ b/src/libcharon/sa/ike_sa_id.c @@ -34,17 +34,17 @@ struct private_ike_sa_id_t { /** * Major IKE version of IKE_SA. */ - u_int8_t ike_version; + uint8_t ike_version; /** * SPI of initiator. */ - u_int64_t initiator_spi; + uint64_t initiator_spi; /** * SPI of responder. */ - u_int64_t responder_spi; + uint64_t responder_spi; /** * Role for specific IKE_SA. 
@@ -52,31 +52,31 @@ struct private_ike_sa_id_t { bool is_initiator_flag; }; -METHOD(ike_sa_id_t, get_ike_version, u_int8_t, +METHOD(ike_sa_id_t, get_ike_version, uint8_t, private_ike_sa_id_t *this) { return this->ike_version; } METHOD(ike_sa_id_t, set_responder_spi, void, - private_ike_sa_id_t *this, u_int64_t responder_spi) + private_ike_sa_id_t *this, uint64_t responder_spi) { this->responder_spi = responder_spi; } METHOD(ike_sa_id_t, set_initiator_spi, void, - private_ike_sa_id_t *this, u_int64_t initiator_spi) + private_ike_sa_id_t *this, uint64_t initiator_spi) { this->initiator_spi = initiator_spi; } -METHOD(ike_sa_id_t, get_initiator_spi, u_int64_t, +METHOD(ike_sa_id_t, get_initiator_spi, uint64_t, private_ike_sa_id_t *this) { return this->initiator_spi; } -METHOD(ike_sa_id_t, get_responder_spi, u_int64_t, +METHOD(ike_sa_id_t, get_responder_spi, uint64_t, private_ike_sa_id_t *this) { return this->responder_spi; @@ -134,8 +134,8 @@ METHOD(ike_sa_id_t, destroy, void, /* * Described in header. */ -ike_sa_id_t * ike_sa_id_create(u_int8_t ike_version, u_int64_t initiator_spi, - u_int64_t responder_spi, bool is_initiator_flag) +ike_sa_id_t * ike_sa_id_create(uint8_t ike_version, uint64_t initiator_spi, + uint64_t responder_spi, bool is_initiator_flag) { private_ike_sa_id_t *this; diff --git a/src/libcharon/sa/ike_sa_id.h b/src/libcharon/sa/ike_sa_id.h index 5eb754e95..b3a9ef61f 100644 --- a/src/libcharon/sa/ike_sa_id.h +++ b/src/libcharon/sa/ike_sa_id.h @@ -41,7 +41,7 @@ struct ike_sa_id_t { * * @return IKE version */ - u_int8_t (*get_ike_version) (ike_sa_id_t *this); + uint8_t (*get_ike_version) (ike_sa_id_t *this); /** * Set the SPI of the responder. 
@@ -50,28 +50,28 @@ struct ike_sa_id_t { * * @param responder_spi SPI of responder to set */ - void (*set_responder_spi) (ike_sa_id_t *this, u_int64_t responder_spi); + void (*set_responder_spi) (ike_sa_id_t *this, uint64_t responder_spi); /** * Set the SPI of the initiator. * * @param initiator_spi SPI to set */ - void (*set_initiator_spi) (ike_sa_id_t *this, u_int64_t initiator_spi); + void (*set_initiator_spi) (ike_sa_id_t *this, uint64_t initiator_spi); /** * Get the initiator SPI. * * @return SPI of the initiator */ - u_int64_t (*get_initiator_spi) (ike_sa_id_t *this); + uint64_t (*get_initiator_spi) (ike_sa_id_t *this); /** * Get the responder SPI. * * @return SPI of the responder */ - u_int64_t (*get_responder_spi) (ike_sa_id_t *this); + uint64_t (*get_responder_spi) (ike_sa_id_t *this); /** * Check if two ike_sa_id_t objects are equal. @@ -131,7 +131,7 @@ struct ike_sa_id_t { * @param is_initiaor TRUE if we are the original initiator * @return ike_sa_id_t object */ -ike_sa_id_t * ike_sa_id_create(u_int8_t ike_version, u_int64_t initiator_spi, - u_int64_t responder_spi, bool is_initiaor); +ike_sa_id_t * ike_sa_id_create(uint8_t ike_version, uint64_t initiator_spi, + uint64_t responder_spi, bool is_initiaor); #endif /** IKE_SA_ID_H_ @}*/ diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 307ea3b4a..ce44207c4 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -113,7 +113,7 @@ struct entry_t { /** * message ID or hash of currently processing message, -1 if none */ - u_int32_t processing; + uint32_t processing; }; /** @@ -265,7 +265,7 @@ struct init_hash_t { chunk_t hash; /** our SPI allocated for the IKE_SA based on this message */ - u_int64_t our_spi; + uint64_t our_spi; }; typedef struct segment_t segment_t; 
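Review bot: The rewritten `ike_sa_id_create` prototype keeps the misspelled parameter `is_initiaor`, and the `@param is_initiaor` line above it repeats the typo, while the definition in ike_sa_id.c in this same diff names it `is_initiator_flag`. Since the line is already being touched, `uint64_t responder_spi, bool is_initiator);` and `@param is_initiator TRUE if we are the original initiator` would align the header with the implementation.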
@@ -977,9 +977,9 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr /** * Get a random SPI for new IKE_SAs */ -static u_int64_t get_spi(private_ike_sa_manager_t *this) +static uint64_t get_spi(private_ike_sa_manager_t *this) { - u_int64_t spi; + uint64_t spi; this->spi_lock->read_lock(this->spi_lock); if (this->spi_cb.cb) @@ -987,7 +987,7 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) spi = this->spi_cb.cb(this->spi_cb.data); } else if (!this->rng || - !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + !this->rng->get_bytes(this->rng, sizeof(spi), (uint8_t*)&spi)) { spi = 0; } @@ -1007,8 +1007,8 @@ static bool get_init_hash(hasher_t *hasher, message_t *message, chunk_t *hash) if (message->get_first_payload_type(message) == PLV1_FRAGMENT) { /* only hash the source IP, port and SPI for fragmented init messages */ - u_int16_t port; - u_int64_t spi; + uint16_t port; + uint64_t spi; src = message->get_source(message); if (!hasher->allocate_hash(hasher, src->get_address(src), NULL)) @@ -1050,13 +1050,13 @@ static bool get_init_hash(hasher_t *hasher, message_t *message, chunk_t *hash) * FAILED if the SPI allocation failed */ static status_t check_and_put_init_hash(private_ike_sa_manager_t *this, - chunk_t init_hash, u_int64_t *our_spi) + chunk_t init_hash, uint64_t *our_spi) { table_item_t *item; u_int row, segment; mutex_t *mutex; init_hash_t *init; - u_int64_t spi; + uint64_t spi; row = chunk_hash(init_hash) & this->table_mask; segment = row & this->segment_mask; @@ -1174,8 +1174,8 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, { ike_sa_id_t *ike_sa_id; ike_sa_t *ike_sa; - u_int8_t ike_version; - u_int64_t spi; + uint8_t ike_version; + uint64_t spi; ike_version = version == IKEV1 ? IKEV1_MAJOR_VERSION : IKEV2_MAJOR_VERSION; 
@@ -1208,7 +1208,7 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, /** * Get the message ID or message hash to detect early retransmissions */ -static u_int32_t get_message_id_or_hash(message_t *message) +static uint32_t get_message_id_or_hash(message_t *message) { if (message->get_major_version(message) == IKEV1_MAJOR_VERSION) { @@ -1273,7 +1273,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, if (is_init) { hasher_t *hasher; - u_int64_t our_spi; + uint64_t our_spi; chunk_t hash; hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); @@ -1415,7 +1415,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, { continue; } - if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) + if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING || + entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED) { /* skip IKE_SAs which are not usable, wake other waiting threads */ entry->condvar->signal(entry->condvar); continue; @@ -1455,7 +1456,7 @@ out: } METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, - private_ike_sa_manager_t *this, u_int32_t id) + private_ike_sa_manager_t *this, uint32_t id) { enumerator_t *enumerator; entry_t *entry; 
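Review bot: The extended condition in checkout_by_config calls `entry->ike_sa->get_state(entry->ike_sa)` twice on consecutive lines; caching it once reads better and avoids the repeated indirect call, e.g. `ike_sa_state_t state = entry->ike_sa->get_state(entry->ike_sa);` followed by `if (state == IKE_DELETING || state == IKE_REKEYED)`. The comment below already says "skip IKE_SAs which are not usable", so no further documentation is needed. checkout_by_config continues outside the hunk.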
@@ -2094,10 +2095,41 @@ METHOD(ike_sa_manager_t, set_spi_cb, void, this->spi_lock->unlock(this->spi_lock); } +/** + * Destroy all entries + */ +static void destroy_all_entries(private_ike_sa_manager_t *this) +{ + enumerator_t *enumerator; + entry_t *entry; + u_int segment; + + enumerator = create_table_enumerator(this); + while (enumerator->enumerate(enumerator, &entry, &segment)) + { + charon->bus->set_sa(charon->bus, entry->ike_sa); + if (entry->half_open) + { + remove_half_open(this, entry); + } + if (entry->my_id && entry->other_id) + { + remove_connected_peers(this, entry); + } + if (entry->init_hash.ptr) + { + remove_init_hash(this, entry->init_hash); + } + remove_entry_at((private_enumerator_t*)enumerator); + entry_destroy(entry); + } + enumerator->destroy(enumerator); + charon->bus->set_sa(charon->bus, NULL); +} + METHOD(ike_sa_manager_t, flush, void, private_ike_sa_manager_t *this) { - /* destroy all list entries */ enumerator_t *enumerator; entry_t *entry; u_int segment; @@ -2153,31 +2185,11 @@ METHOD(ike_sa_manager_t, flush, void, DBG2(DBG_MGR, "destroy all entries"); /* Step 4: destroy all entries */ - enumerator = create_table_enumerator(this); - while (enumerator->enumerate(enumerator, &entry, &segment)) - { - charon->bus->set_sa(charon->bus, entry->ike_sa); - if (entry->half_open) - { - remove_half_open(this, entry); - } - if (entry->my_id && entry->other_id) - { - remove_connected_peers(this, entry); - } - if (entry->init_hash.ptr) - { - remove_init_hash(this, entry->init_hash); - } - remove_entry_at((private_enumerator_t*)enumerator); - entry_destroy(entry); - } - enumerator->destroy(enumerator); - charon->bus->set_sa(charon->bus, NULL); + destroy_all_entries(this); unlock_all_segments(this); this->spi_lock->write_lock(this->spi_lock); - this->rng->destroy(this->rng); + DESTROY_IF(this->rng); this->rng = NULL; this->spi_cb.cb = NULL; this->spi_cb.data = NULL; 
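Review bot: The doc comment on the new `destroy_all_entries` ("Destroy all entries") omits its locking precondition: it walks the table with `remove_entry_at` and `remove_half_open`, and both visible callers, flush here and destroy in the next hunk, invoke it with all segment locks held. Suggest `/** Destroy all entries; the caller must hold all segment locks (lock_all_segments) */`. The helper also does not check whether an entry is still checked out by another thread, so the new comment in destroy() ("in case new SAs were checked in after flush() was called") would be stronger if it stated the presumed assumption that no worker still holds an IKE_SA at that point. flush's remaining body, including the other uses of its local `enumerator`/`entry`/`segment`, lies outside the hunk.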
@@ -2189,7 +2201,11 @@ METHOD(ike_sa_manager_t, destroy, void, { u_int i; - /* these are already cleared in flush() above */ + /* in case new SAs were checked in after flush() was called */ + lock_all_segments(this); + destroy_all_entries(this); + unlock_all_segments(this); + free(this->ike_sa_table); free(this->half_open_table); free(this->connected_peers_table); diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index f1b7c2579..4298c54e2 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -38,7 +38,7 @@ typedef struct ike_sa_manager_t ike_sa_manager_t; * @param data data supplied during registration of the callback * @return allocated SPI, 0 on failure */ -typedef u_int64_t (*spi_cb_t)(void *data); +typedef uint64_t (*spi_cb_t)(void *data); /** * Manages and synchronizes access to all IKE_SAs. @@ -147,7 +147,7 @@ struct ike_sa_manager_t { * - checked out IKE_SA, if found * - NULL, if not found */ - ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id); + ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, uint32_t id); /** * Check out an IKE_SA by the policy/connection name. diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index e428966ad..be6b03bef 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -32,7 +32,7 @@ typedef struct private_keymat_v1_t private_keymat_v1_t; */ typedef struct { /** message ID */ - u_int32_t mid; + uint32_t mid; /** current IV */ chunk_t iv; /** last block of encrypted message */ @@ -128,7 +128,7 @@ static void iv_data_destroy(iv_data_t *this) */ typedef struct { /** message ID */ - u_int32_t mid; + uint32_t mid; /** Ni_b (Nonce from first message) */ chunk_t n_i; /** Nr_b (Nonce from second message) */ 
@@ -272,7 +272,7 @@ static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf, static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e) { private_aead_t *this; - u_int16_t alg, key_size; + uint16_t alg, key_size; crypter_t *crypter; chunk_t ka; @@ -324,7 +324,7 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e) /** * Converts integrity algorithm to PRF algorithm */ -static u_int16_t auth_to_prf(u_int16_t alg) +static uint16_t auth_to_prf(uint16_t alg) { switch (alg) { @@ -348,7 +348,7 @@ static u_int16_t auth_to_prf(u_int16_t alg) /** * Converts integrity algorithm to hash algorithm */ -static u_int16_t auth_to_hash(u_int16_t alg) +static uint16_t auth_to_hash(uint16_t alg) { switch (alg) { @@ -370,7 +370,7 @@ static u_int16_t auth_to_hash(u_int16_t alg) /** * Adjust the key length for PRF algorithms that expect a fixed key length. */ -static void adjust_keylen(u_int16_t alg, chunk_t *key) +static void adjust_keylen(uint16_t alg, chunk_t *key) { switch (alg) { @@ -393,10 +393,10 @@ METHOD(keymat_v1_t, derive_ike_keys, bool, { chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e; chunk_t skeyid; - u_int16_t alg; + uint16_t alg; - spi_i = chunk_alloca(sizeof(u_int64_t)); - spi_r = chunk_alloca(sizeof(u_int64_t)); + spi_i = chunk_alloca(sizeof(uint64_t)); + spi_r = chunk_alloca(sizeof(uint64_t)); if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL)) { /* no PRF negotiated, use HMAC version of integrity algorithm instead */ @@ -431,8 +431,8 @@ METHOD(keymat_v1_t, derive_ike_keys, bool, } DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy); - *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id); - *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id); + *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id); + *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id); nonces = chunk_cata("cc", nonce_i, nonce_r); switch (auth) 
@@ -585,11 +585,11 @@ METHOD(keymat_v1_t, derive_ike_keys, bool, METHOD(keymat_v1_t, derive_child_keys, bool, private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh, - u_int32_t spi_i, u_int32_t spi_r, chunk_t nonce_i, chunk_t nonce_r, + uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r) { - u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0; - u_int8_t protocol; + uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0; + uint8_t protocol; prf_plus_t *prf_plus; chunk_t seed, secret = chunk_empty; bool success = FALSE; @@ -725,7 +725,7 @@ failure: METHOD(keymat_v1_t, create_hasher, bool, private_keymat_v1_t *this, proposal_t *proposal) { - u_int16_t alg; + uint16_t alg; if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) || (alg = auth_to_hash(alg)) == HASH_UNKNOWN) { @@ -754,7 +754,7 @@ METHOD(keymat_v1_t, get_hash, bool, ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash) { chunk_t data; - u_int64_t spi, spi_other; + uint64_t spi, spi_other; /* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b ) * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b ) @@ -810,7 +810,7 @@ static chunk_t get_message_data(message_t *message, generator_t *generator) { payload_t *payload, *next; enumerator_t *enumerator; - u_int32_t *lenpos; + uint32_t *lenpos; if (message->is_encoded(message)) { /* inbound, although the message is generated, we cannot access the @@ -850,7 +850,7 @@ static chunk_t get_message_data(message_t *message, generator_t *generator) * Try to find data about a Quick Mode with the given message ID, * if none is found, state is generated. */ -static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid) +static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, uint32_t mid) { enumerator_t *enumerator; qm_data_t *qm, *found = NULL; 
@@ -885,7 +885,7 @@ static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid) METHOD(keymat_v1_t, get_hash_phase2, bool, private_keymat_v1_t *this, message_t *message, chunk_t *hash) { - u_int32_t mid, mid_n; + uint32_t mid, mid_n; chunk_t data = chunk_empty; bool add_message = TRUE; char *name = "Hash"; @@ -993,7 +993,7 @@ static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv) else { /* initial phase 2 IV = hash(last_phase1_block | mid) */ - u_int32_t net;; + uint32_t net;; chunk_t data; net = htonl(iv->mid); @@ -1014,7 +1014,7 @@ static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv) /** * Try to find an IV for the given message ID, if not found, generate it. */ -static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid) +static iv_data_t *lookup_iv(private_keymat_v1_t *this, uint32_t mid) { enumerator_t *enumerator; iv_data_t *iv, *found = NULL; @@ -1057,7 +1057,7 @@ static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid) } METHOD(keymat_v1_t, get_iv, bool, - private_keymat_v1_t *this, u_int32_t mid, chunk_t *out) + private_keymat_v1_t *this, uint32_t mid, chunk_t *out) { iv_data_t *iv; @@ -1071,7 +1071,7 @@ METHOD(keymat_v1_t, get_iv, bool, } METHOD(keymat_v1_t, update_iv, bool, - private_keymat_v1_t *this, u_int32_t mid, chunk_t last_block) + private_keymat_v1_t *this, uint32_t mid, chunk_t last_block) { iv_data_t *iv = lookup_iv(this, mid); if (iv) @@ -1084,7 +1084,7 @@ METHOD(keymat_v1_t, update_iv, bool, } METHOD(keymat_v1_t, confirm_iv, bool, - private_keymat_v1_t *this, u_int32_t mid) + private_keymat_v1_t *this, uint32_t mid) { iv_data_t *iv = lookup_iv(this, mid); if (iv) diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h index cc9f3b339..46eeea8b6 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.h +++ b/src/libcharon/sa/ikev1/keymat_v1.h 
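Review bot: The retyped declaration in generate_iv still carries a stray double semicolon, `uint32_t net;;`; since the line is being rewritten anyway it should become `uint32_t net;`. This is purely cosmetic (an empty statement), but it trips some lint configurations and is easy to fix in the same commit. generate_iv starts and ends outside the hunk.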
@@ -72,7 +72,7 @@ struct keymat_v1_t { * @param integ_r allocated responders integrity key */ bool (*derive_child_keys)(keymat_v1_t *this, proposal_t *proposal, - diffie_hellman_t *dh, u_int32_t spi_i, u_int32_t spi_r, + diffie_hellman_t *dh, uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r); @@ -127,7 +127,7 @@ struct keymat_v1_t { * @param iv chunk receiving IV, internal data * @return TRUE if IV allocated successfully */ - bool (*get_iv)(keymat_v1_t *this, u_int32_t mid, chunk_t *iv); + bool (*get_iv)(keymat_v1_t *this, uint32_t mid, chunk_t *iv); /** * Updates the IV for the next message with the given message ID. @@ -141,7 +141,7 @@ struct keymat_v1_t { * @param last_block last block of encrypted message (gets cloned) * @return TRUE if IV updated successfully */ - bool (*update_iv)(keymat_v1_t *this, u_int32_t mid, chunk_t last_block); + bool (*update_iv)(keymat_v1_t *this, uint32_t mid, chunk_t last_block); /** * Confirms the updated IV for the given message ID. @@ -152,7 +152,7 @@ struct keymat_v1_t { * @param mid message ID * @return TRUE if IV confirmed successfully */ - bool (*confirm_iv)(keymat_v1_t *this, u_int32_t mid); + bool (*confirm_iv)(keymat_v1_t *this, uint32_t mid); }; /** diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 3c601a4fa..b0c4f5f84 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2007-2015 Tobias Brunner + * Copyright (C) 2007-2016 Tobias Brunner * Copyright (C) 2007-2011 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -67,7 +67,7 @@ struct exchange_t { /** * Message ID used for this transaction */ - u_int32_t mid; + uint32_t mid; /** * generated packet for retransmission @@ -104,12 +104,12 @@ struct private_task_manager_t { /** * Message ID of the last response */ - u_int32_t mid; + uint32_t mid; /** * Hash of a previously received message */ - u_int32_t hash; + uint32_t hash; /** * packet(s) for retransmission @@ -119,7 +119,7 @@ struct private_task_manager_t { /** * Sequence number of the last sent message */ - u_int32_t seqnr; + uint32_t seqnr; /** * how many times we have retransmitted so far @@ -135,12 +135,12 @@ struct private_task_manager_t { /** * Message ID of the exchange */ - u_int32_t mid; + uint32_t mid; /** * Hashes of old responses we can ignore */ - u_int32_t old_hashes[MAX_OLD_HASHES]; + uint32_t old_hashes[MAX_OLD_HASHES]; /** * Position in old hash array @@ -150,7 +150,7 @@ struct private_task_manager_t { /** * Sequence number of the last sent message */ - u_int32_t seqnr; + uint32_t seqnr; /** * how many times we have retransmitted so far @@ -212,12 +212,12 @@ struct private_task_manager_t { /** * Sequence number for sending DPD requests */ - u_int32_t dpd_send; + uint32_t dpd_send; /** * Sequence number for received DPD requests */ - u_int32_t dpd_recv; + uint32_t dpd_recv; }; /** @@ -341,11 +341,11 @@ static bool generate_message(private_task_manager_t *this, message_t *message, /** * Retransmit a packet (or its fragments) */ -static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr, +static status_t retransmit_packet(private_task_manager_t *this, uint32_t seqnr, u_int mid, u_int retransmitted, array_t *packets) { packet_t *packet; - u_int32_t t; + uint32_t t; array_get(packets, 0, &packet); if (retransmitted > this->retransmit_tries) 
@@ -354,14 +354,15 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
 return DESTROY_ME;
 }
- t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+ t = (uint32_t)(this->retransmit_timeout * 1000.0 *
 pow(this->retransmit_base, retransmitted));
 if (retransmitted)
 {
 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
- charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
+ retransmitted);
 }
 send_packets(this, packets);
 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
@@ -370,7 +371,7 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
 }
 METHOD(task_manager_t, retransmit, status_t,
- private_task_manager_t *this, u_int32_t seqnr)
+ private_task_manager_t *this, uint32_t seqnr)
 {
 status_t status = SUCCESS;
@@ -514,26 +515,26 @@ METHOD(task_manager_t, initiate, status_t,
 new_mid = TRUE;
 break;
 }
- if (!mode_config_expected(this) &&
- activate_task(this, TASK_QUICK_MODE))
+ if (activate_task(this, TASK_ISAKMP_DELETE))
 {
- exchange = QUICK_MODE;
+ exchange = INFORMATIONAL_V1;
 new_mid = TRUE;
 break;
 }
- if (activate_task(this, TASK_INFORMATIONAL))
+ if (activate_task(this, TASK_QUICK_DELETE))
 {
 exchange = INFORMATIONAL_V1;
 new_mid = TRUE;
 break;
 }
- if (activate_task(this, TASK_QUICK_DELETE))
+ if (!mode_config_expected(this) &&
+ activate_task(this, TASK_QUICK_MODE))
 {
- exchange = INFORMATIONAL_V1;
+ exchange = QUICK_MODE;
 new_mid = TRUE;
 break;
 }
- if (activate_task(this, TASK_ISAKMP_DELETE))
+ if (activate_task(this, TASK_INFORMATIONAL))
 {
 exchange = INFORMATIONAL_V1;
 new_mid = TRUE;
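Review bot: The reordered chain in initiate now activates TASK_ISAKMP_DELETE and TASK_QUICK_DELETE before TASK_QUICK_MODE and TASK_INFORMATIONAL, but no comment records the intended precedence, so the next reorder will have to rediscover it. A one-liner above the first moved branch, `/* delete tasks take precedence over new Quick Mode and Informational exchanges */`, captures what the code now does; if the reason is that a pending teardown should not wait behind a new Quick Mode, say so there. Note also that the mode_config_expected() guard still applies only to Quick Mode and not to the delete tasks, which is worth a word if intentional. initiate's body starts and ends outside the hunk.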
@@ -807,7 +808,7 @@ static void send_notify(private_task_manager_t *this, message_t *request, message_t *response; array_t *packets = NULL; host_t *me, *other; - u_int32_t mid; + uint32_t mid; if (request->get_exchange_type(request) == INFORMATIONAL_V1) { /* don't respond to INFORMATIONAL requests to avoid a notify war */ @@ -857,7 +858,7 @@ static bool process_dpd(private_task_manager_t *this, message_t *message) { notify_payload_t *notify; notify_type_t type; - u_int32_t seq; + uint32_t seq; chunk_t data; type = DPD_R_U_THERE; @@ -910,7 +911,7 @@ static bool process_dpd(private_task_manager_t *this, message_t *message) * Check if we already have a quick mode task queued for the exchange with the * given message ID */ -static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid) +static bool have_quick_mode_task(private_task_manager_t *this, uint32_t mid) { enumerator_t *enumerator; quick_mode_t *qm; @@ -935,9 +936,9 @@ static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid) } /** - * Check if we still have an aggressive mode task queued + * Check if we still have a specific task queued */ -static bool have_aggressive_mode_task(private_task_manager_t *this) +static bool have_task_queued(private_task_manager_t *this, task_type_t type) { enumerator_t *enumerator; task_t *task; @@ -946,7 +947,7 @@ static bool have_aggressive_mode_task(private_task_manager_t *this) enumerator = this->passive_tasks->create_enumerator(this->passive_tasks); while (enumerator->enumerate(enumerator, &task)) { - if (task->get_type(task) == TASK_AGGRESSIVE_MODE) + if (task->get_type(task) == type) { found = TRUE; break; 
@@ -1180,6 +1181,12 @@ static status_t process_response(private_task_manager_t *this,
 }
 enumerator->destroy(enumerator);
+ if (this->initiating.retransmitted)
+ {
+ packet_t *packet = NULL;
+ array_get(this->initiating.packets, 0, &packet);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
+ }
 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 clear_packets(this->initiating.packets);
@@ -1305,7 +1312,7 @@ static status_t queue_message(private_task_manager_t *this, message_t *msg)
 METHOD(task_manager_t, process_message, status_t,
 private_task_manager_t *this, message_t *msg)
 {
- u_int32_t hash, mid, i;
+ uint32_t hash, mid, i;
 host_t *me, *other;
 status_t status;
@@ -1405,7 +1412,7 @@ METHOD(task_manager_t, process_message, status_t,
 /* drop XAuth/Mode Config/Quick Mode messages until we received the last
 * Aggressive Mode message. since Informational messages are not
 * retransmitted we queue them. */
- if (have_aggressive_mode_task(this))
+ if (have_task_queued(this, TASK_AGGRESSIVE_MODE))
 {
 if (msg->get_exchange_type(msg) == INFORMATIONAL_V1)
 {
@@ -1427,6 +1434,13 @@ METHOD(task_manager_t, process_message, status_t,
 return queue_message(this, msg);
 }
+ /* some peers send INITIAL_CONTACT notifies during XAuth, cache it */
+ if (have_task_queued(this, TASK_XAUTH) &&
+ msg->get_exchange_type(msg) == INFORMATIONAL_V1)
+ {
+ return queue_message(this, msg);
+ }
+
 msg->set_request(msg, TRUE);
 charon->bus->message(charon->bus, msg, TRUE, FALSE);
 status = parse_message(this, msg);
@@ -1499,8 +1513,8 @@ static bool has_queued(private_task_manager_t *this, task_type_t type)
 return found;
 }
-METHOD(task_manager_t, queue_task, void,
- private_task_manager_t *this, task_t *task)
+METHOD(task_manager_t, queue_task_delayed, void,
+ private_task_manager_t *this, task_t *task, uint32_t delay)
 {
 task_type_t type = task->get_type(task);
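Review bot: In the block added to process_response the return value of array_get() is discarded, so if this->initiating.packets is empty packet stays NULL and ALERT_RETRANSMIT_SEND_CLEARED is raised with a NULL packet; whether every listener of that alert tolerates NULL is not visible here. Since the alert only fires when initiating.retransmitted is set, the array is probably non-empty in practice, but making that explicit costs one condition: `if (array_get(this->initiating.packets, 0, &packet))` around the bus call (assuming array_get reports a missed index through its return value, as I recall it does), or a comment at the call stating that NULL is an accepted packet for this alert. process_response's body starts and ends outside the hunk.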
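Review bot: The comment added in process_message, `/* some peers send INITIAL_CONTACT notifies during XAuth, cache it */`, is narrower than the condition under it, which queues every INFORMATIONAL_V1 message while a TASK_XAUTH task is pending, DELETE and DPD notifies included, without inspecting the payload. Reword it to match, e.g. `/* queue all INFORMATIONAL messages until XAuth completes; some peers send INITIAL_CONTACT notifies during XAuth */`, so a reader does not assume the branch filters on notify type. The queue itself lives in queue_message(), defined outside this hunk, so whether the number of queued messages is bounded is not visible here; the aggressive-mode branch above already uses the same path. process_message starts and ends outside the hunk.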
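Review bot: The new `delay` parameter of queue_task_delayed is not referenced in any visible line of this hunk or of the one that closes the function (the insert_last call at the start of the next hunk), while the interface now advertises delayed queuing for IKEv1 through task_manager_t.queue_task_delayed. If the IKEv1 manager does not implement the delay, document that at the signature, `/* delay is currently not supported for IKEv1 and is ignored */`, so callers written against the IKEv2 manager do not rely on it; if the parameter is used in the lines between the two hunks, disregard this. The function's body continues outside the hunk.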
@@ -1521,6 +1535,12 @@ METHOD(task_manager_t, queue_task, void,
 this->queued_tasks->insert_last(this->queued_tasks, task);
 }
+METHOD(task_manager_t, queue_task, void,
+ private_task_manager_t *this, task_t *task)
+{
+ queue_task_delayed(this, task, 0);
+}
+
 METHOD(task_manager_t, queue_ike, void,
 private_task_manager_t *this)
 {
@@ -1660,7 +1680,7 @@ METHOD(task_manager_t, queue_mobike, void,
 }
 METHOD(task_manager_t, queue_child, void,
- private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
+ private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
 traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
 quick_mode_t *task;
@@ -1739,7 +1759,7 @@ static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
 }
 METHOD(task_manager_t, queue_child_rekey, void,
- private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
+ private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
 {
 child_sa_t *child_sa;
 child_cfg_t *cfg;
@@ -1754,6 +1774,7 @@ METHOD(task_manager_t, queue_child_rekey, void,
 {
 if (is_redundant(this, child_sa))
 {
+ child_sa->set_state(child_sa, CHILD_REKEYED);
 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
 spi, FALSE, FALSE));
 }
@@ -1774,7 +1795,7 @@ METHOD(task_manager_t, queue_child_rekey, void,
 }
 METHOD(task_manager_t, queue_child_delete, void,
- private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
+ private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
 bool expired)
 {
 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
@@ -1785,7 +1806,7 @@ METHOD(task_manager_t, queue_dpd, void,
 private_task_manager_t *this)
 {
 peer_cfg_t *peer_cfg;
- u_int32_t t, retransmit;
+ uint32_t t, retransmit;
 queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
 this->dpd_send++));
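Review bot: The added `child_sa->set_state(child_sa, CHILD_REKEYED);` in queue_child_rekey flips the state only on the is_redundant() branch, ahead of queuing the quick_delete, and carries no explanation; since check_for_rekeyed_child() in quick_mode.c (changed further down in this commit) now stops matching SAs in CHILD_REKEYED, a comment tying the two together would help, e.g. `/* mark the redundant SA as rekeyed so later Quick Modes no longer treat it as a rekey candidate */`. The non-redundant branch of the same function is outside the hunk, so I cannot tell whether it needs the same marking. queue_child_rekey starts and ends outside the hunk.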
@@ -1798,7 +1819,7 @@ METHOD(task_manager_t, queue_dpd, void, /* use the same timeout as a retransmitting IKE message would have */ for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++) { - t += (u_int32_t)(this->retransmit_timeout * 1000.0 * + t += (uint32_t)(this->retransmit_timeout * 1000.0 * pow(this->retransmit_base, retransmit)); } } @@ -1871,7 +1892,7 @@ METHOD(task_manager_t, incr_mid, void, } METHOD(task_manager_t, reset, void, - private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) + private_task_manager_t *this, uint32_t initiate, uint32_t respond) { enumerator_t *enumerator; task_t *task; @@ -1960,6 +1981,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa) .task_manager = { .process_message = _process_message, .queue_task = _queue_task, + .queue_task_delayed = _queue_task_delayed, .queue_ike = _queue_ike, .queue_ike_rekey = _queue_ike_rekey, .queue_ike_reauth = _queue_ike_reauth, diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 710bf1cd2..9b5f676a3 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -77,7 +77,7 @@ struct private_aggressive_mode_t { /** * Negotiated SA lifetime */ - u_int32_t lifetime; + uint32_t lifetime; /** * Negotiated authentication method @@ -164,7 +164,7 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type) { notify_payload_t *notify; ike_sa_id_t *ike_sa_id; - u_int64_t spi_i, spi_r; + uint64_t spi_i, spi_r; chunk_t spi; notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, @@ -219,7 +219,7 @@ METHOD(task_t, build_i, status_t, linked_list_t *proposals; identification_t *id; packet_t *packet; - u_int16_t group; + uint16_t group; DBG0(DBG_IKE, "initiating Aggressive Mode IKE_SA %s[%d] to %H", this->ike_sa->get_name(this->ike_sa), 
@@ -377,7 +377,8 @@ METHOD(task_t, process_r, status_t, id_payload_t *id_payload; identification_t *id; linked_list_t *list; - u_int16_t group; + uint16_t group; + bool prefer_configured; this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA", @@ -401,8 +402,10 @@ METHOD(task_t, process_r, status_t, } list = sa_payload->get_proposals(sa_payload); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, - list, FALSE); + list, FALSE, prefer_configured); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { @@ -629,7 +632,7 @@ METHOD(task_t, process_i, status_t, id_payload_t *id_payload; identification_t *id, *cid; linked_list_t *list; - u_int32_t lifetime; + uint32_t lifetime; sa_payload = (sa_payload_t*)message->get_payload(message, PLV1_SECURITY_ASSOCIATION); @@ -640,7 +643,7 @@ METHOD(task_t, process_i, status_t, } list = sa_payload->get_proposals(sa_payload); this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, - list, FALSE); + list, FALSE, TRUE); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c index a56805afb..df0293d4f 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c @@ -81,7 +81,7 @@ METHOD(task_t, process_r, status_t, payload_t *payload; delete_payload_t *delete_payload; ike_sa_id_t *id; - u_int64_t spi_i, spi_r; + uint64_t spi_i, spi_r; bool found = FALSE; /* some peers send DELETE payloads for other IKE_SAs, e.g. those for expired diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c index 5522e9221..840d352b1 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c 
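Review bot: The responder-side lookup `lib->settings->get_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns)` added in process_r here is repeated verbatim in main_mode.c and quick_mode.c process_r further down this page; a single shared helper would keep the key string and the default from drifting between the three copies. The setting name suggests it decides whether the responder's configured proposal order or the initiator's offered order wins during selection, which is the knob that keeps algorithm preference with the responder, so a brief comment at the lookup stating that the default TRUE keeps our own order would let readers assess the effect of turning it off. process_i on the initiator side passes TRUE unconditionally, also without a comment. process_r starts and ends outside the hunk.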
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c @@ -33,7 +33,7 @@ struct private_isakmp_dpd_t { /** * Sequence number. */ - u_int32_t seqnr; + uint32_t seqnr; /** * DPD notify type @@ -51,8 +51,8 @@ METHOD(task_t, build, status_t, { notify_payload_t *notify; ike_sa_id_t *ike_sa_id; - u_int64_t spi_i, spi_r; - u_int32_t seqnr; + uint64_t spi_i, spi_r; + uint32_t seqnr; chunk_t spi; notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, @@ -100,7 +100,7 @@ METHOD(task_t, destroy, void, * Described in header. */ isakmp_dpd_t *isakmp_dpd_create(ike_sa_t *ike_sa, notify_type_t type, - u_int32_t seqnr) + uint32_t seqnr) { private_isakmp_dpd_t *this; diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h index 06a0175eb..9a69b423c 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h +++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h @@ -47,6 +47,6 @@ struct isakmp_dpd_t { * @return ISAKMP_DPD task to handle by the task_manager */ isakmp_dpd_t *isakmp_dpd_create(ike_sa_t *ike_sa, notify_type_t type, - u_int32_t seqnr); + uint32_t seqnr); #endif /** ISAKMP_DPD_H_ @}*/ diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c index cb1a31371..d17948cd0 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c @@ -129,8 +129,8 @@ static chunk_t generate_natd_hash(private_isakmp_natd_t *this, { hasher_t *hasher; chunk_t natd_chunk, natd_hash; - u_int64_t spi_i, spi_r; - u_int16_t port; + uint64_t spi_i, spi_r; + uint16_t port; hasher = this->keymat->get_hasher(this->keymat); if (!hasher) diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c index 0162fd84e..f28b83e8a 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c 
@@ -170,7 +170,7 @@ static struct { * for fragmentation of base ISAKMP messages (Cisco adds that and thus sends * 0xc0000000) */ -static const u_int32_t fragmentation_ike = 0x80000000; +static const uint32_t fragmentation_ike = 0x80000000; static bool is_known_vid(chunk_t data, int i) { diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 3ea4a2a85..628ea0de8 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -77,7 +77,7 @@ struct private_main_mode_t { /** * Negotiated SA lifetime */ - u_int32_t lifetime; + uint32_t lifetime; /** * Negotiated authentication method @@ -173,7 +173,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type) { notify_payload_t *notify; ike_sa_id_t *ike_sa_id; - u_int64_t spi_i, spi_r; + uint64_t spi_i, spi_r; chunk_t spi; notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, @@ -215,7 +215,7 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, host_t *host; notify_payload_t *notify; ike_sa_id_t *ike_sa_id; - u_int64_t spi_i, spi_r; + uint64_t spi_i, spi_r; chunk_t spi; idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); @@ -303,7 +303,7 @@ METHOD(task_t, build_i, status_t, } case MM_SA: { - u_int16_t group; + uint16_t group; if (!this->ph1->create_hasher(this->ph1)) { @@ -367,7 +367,7 @@ METHOD(task_t, process_r, status_t, { linked_list_t *list; sa_payload_t *sa_payload; - bool private; + bool private, prefer_configured; this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA", 
@@ -392,9 +392,11 @@ METHOD(task_t, process_r, status_t, list = sa_payload->get_proposals(sa_payload); private = this->ike_sa->supports_extension(this->ike_sa, - EXT_STRONGSWAN); + EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, - list, private); + list, private, prefer_configured); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { @@ -411,7 +413,7 @@ METHOD(task_t, process_r, status_t, } case MM_SA: { - u_int16_t group; + uint16_t group; if (!this->ph1->create_hasher(this->ph1)) { @@ -627,7 +629,7 @@ METHOD(task_t, process_i, status_t, linked_list_t *list; sa_payload_t *sa_payload; auth_method_t method; - u_int32_t lifetime; + uint32_t lifetime; bool private; sa_payload = (sa_payload_t*)message->get_payload(message, @@ -641,7 +643,7 @@ METHOD(task_t, process_i, status_t, private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, - list, private); + list, private, TRUE); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index b9f924009..7098d24a2 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -58,7 +58,7 @@ struct private_mode_config_t { /** * Identifier to include in response */ - u_int16_t identifier; + uint16_t identifier; }; /** diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c index ade59a2dd..66ef50811 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_delete.c +++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c 
@@ -69,7 +69,7 @@ struct private_quick_delete_t { /** * Inbound SPI of CHILD_SA to delete */ - u_int32_t spi; + uint32_t spi; /** * Send delete even if SA does not exist @@ -86,9 +86,9 @@ struct private_quick_delete_t { * Delete the specified CHILD_SA, if found */ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, - u_int32_t spi, bool remote_close) + uint32_t spi, bool remote_close) { - u_int64_t bytes_in, bytes_out; + uint64_t bytes_in, bytes_out; child_sa_t *child_sa; linked_list_t *my_ts, *other_ts; child_cfg_t *child_cfg; @@ -200,7 +200,7 @@ METHOD(task_t, process_r, status_t, payload_t *payload; delete_payload_t *delete_payload; protocol_id_t protocol; - u_int32_t spi; + uint32_t spi; payloads = message->create_payload_enumerator(message); while (payloads->enumerate(payloads, &payload)) @@ -260,7 +260,7 @@ METHOD(task_t, destroy, void, * Described in header. */ quick_delete_t *quick_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol, - u_int32_t spi, bool force, bool expired) + uint32_t spi, bool force, bool expired) { private_quick_delete_t *this; diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.h b/src/libcharon/sa/ikev1/tasks/quick_delete.h index 4df30c8fe..6227b364b 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_delete.h +++ b/src/libcharon/sa/ikev1/tasks/quick_delete.h @@ -50,6 +50,6 @@ struct quick_delete_t { * @return quick_delete task to handle by the task_manager */ quick_delete_t *quick_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol, - u_int32_t spi, bool force, bool expired); + uint32_t spi, bool force, bool expired); #endif /** QUICK_DELETE_H_ @}*/ diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index b4fe04663..bbd1cb09f 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c 
@@ -98,22 +98,22 @@ struct private_quick_mode_t { /** * Initiators ESP SPI */ - u_int32_t spi_i; + uint32_t spi_i; /** * Responder ESP SPI */ - u_int32_t spi_r; + uint32_t spi_r; /** * Initiators IPComp CPI */ - u_int16_t cpi_i; + uint16_t cpi_i; /** * Responders IPComp CPI */ - u_int16_t cpi_r; + uint16_t cpi_r; /** * selected CHILD_SA proposal @@ -143,17 +143,17 @@ struct private_quick_mode_t { /** * Negotiated lifetime of new SA */ - u_int32_t lifetime; + uint32_t lifetime; /** - * Negotaited lifebytes of new SA + * Negotiated lifebytes of new SA */ - u_int64_t lifebytes; + uint64_t lifebytes; /** * Reqid to use, 0 for auto-allocate */ - u_int32_t reqid; + uint32_t reqid; /** * Explicit inbound mark value to use, if any @@ -168,7 +168,7 @@ struct private_quick_mode_t { /** * SPI of SA we rekey */ - u_int32_t rekey; + uint32_t rekey; /** * Delete old child after successful rekey @@ -193,7 +193,7 @@ struct private_quick_mode_t { /** * Message ID of handled quick mode exchange */ - u_int32_t mid; + uint32_t mid; /** states of quick mode */ enum { @@ -207,7 +207,7 @@ struct private_quick_mode_t { */ static void schedule_inactivity_timeout(private_quick_mode_t *this) { - u_int32_t timeout; + uint32_t timeout; bool close_ike; timeout = this->config->get_inactivity(this->config); @@ -722,12 +722,12 @@ static void get_lifetimes(private_quick_mode_t *this) { lifetime_cfg_t *lft; - lft = this->config->get_lifetime(this->config); + lft = this->config->get_lifetime(this->config, TRUE); if (lft->time.life) { this->lifetime = lft->time.life; } - else if (lft->bytes.life) + if (lft->bytes.life) { this->lifebytes = lft->bytes.life; } @@ -739,8 +739,8 @@ static void get_lifetimes(private_quick_mode_t *this) */ static void apply_lifetimes(private_quick_mode_t *this, sa_payload_t *sa_payload) { - u_int32_t lifetime; - u_int64_t lifebytes; + uint32_t lifetime; + uint64_t lifebytes; lifetime = sa_payload->get_lifetime(sa_payload); lifebytes = sa_payload->get_lifebytes(sa_payload); 
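Review bot: get_lifetimes() now assigns lifebytes independently of lifetime (the `else` is gone), so both can be negotiated at once; that is fine, but the new second argument to get_lifetime(), a bare `TRUE`, is opaque at the call site and its meaning is not visible in the hunk (it looks like child_cfg_t's jitter flag, which I would confirm against the header). Once confirmed, name it in a trailing comment on the call, `lft = this->config->get_lifetime(this->config, TRUE); /* TRUE: <meaning of the flag> */`, so the literal does not have to be decoded from the header. The struct-field hunks earlier on this line are type renames and need nothing.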
@@ -863,7 +863,7 @@ METHOD(task_t, build_i, status_t,
 if (group != MODP_NONE)
 {
 proposal_t *proposal;
- u_int16_t preferred_group;
+ uint16_t preferred_group;
 proposal = this->ike_sa->get_proposal(this->ike_sa);
 proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
@@ -1007,7 +1007,6 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 {
 case CHILD_INSTALLED:
 case CHILD_REKEYING:
- case CHILD_REKEYED:
 policies = child_sa->create_policy_enumerator(child_sa);
 if (policies->enumerate(policies, &local, &remote) &&
 local->equals(local, this->tsr) &&
@@ -1026,9 +1025,10 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 child_sa->get_unique_id(child_sa));
 }
 policies->destroy(policies);
- break;
- default:
- break;
+ break;
+ case CHILD_REKEYED:
+ default:
+ break;
 }
 }
 }
@@ -1050,8 +1050,8 @@ METHOD(task_t, process_r, status_t,
 sa_payload_t *sa_payload;
 linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
 peer_cfg_t *peer_cfg;
- u_int16_t group;
- bool private;
+ uint16_t group;
+ bool private, prefer_configured;
 sa_payload = (sa_payload_t*)message->get_payload(message,
 PLV1_SECURITY_ASSOCIATION);
@@ -1109,8 +1109,10 @@ METHOD(task_t, process_r, status_t,
 }
 private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
- this->proposal = this->config->select_proposal(this->config,
- list, FALSE, private);
+ prefer_configured = lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns);
+ this->proposal = this->config->select_proposal(this->config, list,
+ FALSE, private, prefer_configured);
 list->destroy_offset(list, offsetof(proposal_t, destroy));
 get_lifetimes(this);
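Review bot: In check_for_rekeyed_child the explicit `case CHILD_REKEYED:` now falls into `default: break;`, which makes the exclusion deliberate but leaves it undocumented; a comment on that label, `/* CHILD_REKEYED: already replaced by an earlier rekeying, never match it again */`, would tell the reader why the state was moved out of the matching group rather than simply deleted. The state is now also set in task_manager_v1.c queue_child_rekey for redundant SAs (earlier on this page), which appears to be the case this exclusion is for, so naming that in the comment would connect the two changes. check_for_rekeyed_child starts and ends outside the hunk.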
@@ -1323,8 +1325,8 @@ METHOD(task_t, process_i, status_t, } private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); - this->proposal = this->config->select_proposal(this->config, - list, FALSE, private); + this->proposal = this->config->select_proposal(this->config, list, + FALSE, private, TRUE); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { @@ -1365,14 +1367,14 @@ METHOD(task_t, get_type, task_type_t, return TASK_QUICK_MODE; } -METHOD(quick_mode_t, get_mid, u_int32_t, +METHOD(quick_mode_t, get_mid, uint32_t, private_quick_mode_t *this) { return this->mid; } METHOD(quick_mode_t, use_reqid, void, - private_quick_mode_t *this, u_int32_t reqid) + private_quick_mode_t *this, uint32_t reqid) { this->reqid = reqid; } @@ -1385,7 +1387,7 @@ METHOD(quick_mode_t, use_marks, void, } METHOD(quick_mode_t, rekey, void, - private_quick_mode_t *this, u_int32_t spi) + private_quick_mode_t *this, uint32_t spi) { this->rekey = spi; } diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h index 062d63465..fe684568a 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.h +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h @@ -46,14 +46,14 @@ struct quick_mode_t { * * @return message ID, or 0 (not defined yet or as initiator) */ - u_int32_t (*get_mid)(quick_mode_t *this); + uint32_t (*get_mid)(quick_mode_t *this); /** * Use a specific reqid to install this CHILD_SA. * * @param reqid reqid to use */ - void (*use_reqid)(quick_mode_t *this, u_int32_t reqid); + void (*use_reqid)(quick_mode_t *this, uint32_t reqid); /** * Use specific mark values, overriding configuration. @@ -68,7 +68,7 @@ struct quick_mode_t { * * @param spi spi of SA to rekey */ - void (*rekey)(quick_mode_t *this, u_int32_t spi); + void (*rekey)(quick_mode_t *this, uint32_t spi); }; /** diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c index ecdfc780d..968b4386c 100644 
--- a/src/libcharon/sa/ikev1/tasks/xauth.c +++ b/src/libcharon/sa/ikev1/tasks/xauth.c @@ -68,7 +68,7 @@ struct private_xauth_t { /** * received identifier */ - u_int16_t identifier; + uint16_t identifier; /** * status of Xauth exchange diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index 91f6187f9..3ab59fada 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -104,7 +104,7 @@ struct private_eap_authenticator_t { * load an EAP method */ static eap_method_t *load_method(private_eap_authenticator_t *this, - eap_type_t type, u_int32_t vendor, eap_role_t role) + eap_type_t type, uint32_t vendor, eap_role_t role) { identification_t *server, *peer, *aaa; auth_cfg_t *auth; @@ -143,7 +143,7 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this, auth_cfg_t *auth; eap_type_t type; identification_t *id; - u_int32_t vendor; + uint32_t vendor; eap_payload_t *out; char *action; @@ -237,7 +237,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, eap_payload_t *in) { eap_type_t type, received_type, conf_type; - u_int32_t vendor, received_vendor, conf_vendor; + uint32_t vendor, received_vendor, conf_vendor; eap_payload_t *out; auth_cfg_t *auth; @@ -341,7 +341,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, eap_payload_t *in) { eap_type_t type, conf_type; - u_int32_t vendor, conf_vendor; + uint32_t vendor, conf_vendor; auth_cfg_t *auth; eap_payload_t *out; identification_t *id; @@ -449,7 +449,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, auth_cfg_t *auth; keymat_v2_t *keymat; eap_type_t type; - u_int32_t vendor; + uint32_t vendor; auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH); 
@@ -595,7 +595,7 @@ METHOD(authenticator_t, process_client, status_t, } if (this->require_mutual && !this->method->is_mutual(this->method)) { /* we require mutual authentication due to EAP-only */ - u_int32_t vendor; + uint32_t vendor; DBG1(DBG_IKE, "EAP-only authentication requires a mutual and " "MSK deriving EAP method, but %N is not", @@ -623,7 +623,7 @@ METHOD(authenticator_t, process_client, status_t, case EAP_SUCCESS: { eap_type_t type; - u_int32_t vendor; + uint32_t vendor; auth_cfg_t *cfg; if (this->method->get_msk(this->method, &this->msk) == SUCCESS) @@ -685,7 +685,7 @@ METHOD(authenticator_t, is_mutual, bool, { if (this->method) { - u_int32_t vendor; + uint32_t vendor; if (this->method->get_type(this->method, &vendor) != EAP_IDENTITY || vendor != 0) diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 04ccd4f4f..6fd34e0a6 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -63,7 +63,7 @@ struct private_pubkey_authenticator_t { static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, signature_scheme_t *scheme) { - u_int8_t len; + uint8_t len; int oid; if (!auth_data->len) @@ -91,7 +91,7 @@ static bool build_signature_auth_data(chunk_t *auth_data, signature_scheme_t scheme) { chunk_t data; - u_int8_t len; + uint8_t len; int oid; oid = signature_scheme_to_oid(scheme); diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c index 161c4fdaf..280796d8c 100644 --- a/src/libcharon/sa/ikev2/connect_manager.c +++ b/src/libcharon/sa/ikev2/connect_manager.c @@ -92,10 +92,10 @@ typedef struct endpoint_pair_t endpoint_pair_t; */ struct endpoint_pair_t { /** pair id */ - u_int32_t id; + uint32_t id; /** priority */ - u_int64_t priority; + uint64_t priority; /** local endpoint */ host_t *local; 
@@ -107,7 +107,7 @@ struct endpoint_pair_t { check_state_t state; /** number of retransmissions */ - u_int32_t retransmitted; + uint32_t retransmitted; /** the generated packet */ packet_t *packet; @@ -132,8 +132,8 @@ static endpoint_pair_t *endpoint_pair_create(endpoint_notify_t *initiator, { endpoint_pair_t *this; - u_int32_t pi = initiator->get_priority(initiator); - u_int32_t pr = responder->get_priority(responder); + uint32_t pi = initiator->get_priority(initiator); + uint32_t pr = responder->get_priority(responder); INIT(this, .priority = pow(2, 32) * min(pi, pr) + 2 * max(pi, pr) @@ -313,7 +313,7 @@ typedef struct check_t check_t; */ struct check_t { /** message id */ - u_int32_t mid; + uint32_t mid; /** source of the connectivity check */ host_t *src; @@ -375,7 +375,7 @@ struct callback_data_t { chunk_t connect_id; /** message (pair) id */ - u_int32_t mid; + uint32_t mid; }; /** @@ -406,7 +406,7 @@ static callback_data_t *callback_data_create(private_connect_manager_t *connect_ * Creates a new retransmission data object */ static callback_data_t *retransmit_data_create(private_connect_manager_t *connect_manager, - chunk_t connect_id, u_int32_t mid) + chunk_t connect_id, uint32_t mid) { callback_data_t *this = callback_data_create(connect_manager, connect_id); this->mid = mid; @@ -576,7 +576,7 @@ static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local, (void**)pair, local, remote); } -static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id) +static bool match_pair_by_id(endpoint_pair_t *current, uint32_t *id) { return current->id == *id; } @@ -584,7 +584,7 @@ static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id) /** * Searches for a pair with a specific id */ -static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id, +static status_t get_pair_by_id(check_list_t *checklist, uint32_t id, endpoint_pair_t **pair) { return checklist->pairs->find_first(checklist->pairs, 
@@ -669,7 +669,7 @@ static void prune_pairs(linked_list_t *pairs) { enumerator_t *enumerator, *search; endpoint_pair_t *current, *other; - u_int32_t id = 0; + uint32_t id = 0; enumerator = pairs->create_enumerator(pairs); search = pairs->create_enumerator(pairs); @@ -826,7 +826,7 @@ static status_t process_payloads(message_t *message, check_t *check) static chunk_t build_signature(private_connect_manager_t *this, check_list_t *checklist, check_t *check, bool outbound) { - u_int32_t mid; + uint32_t mid; chunk_t mid_chunk, key_chunk, sig_chunk; chunk_t sig_hash; @@ -851,7 +851,7 @@ static chunk_t build_signature(private_connect_manager_t *this, } static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair); -static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time); +static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, uint32_t time); static void finish_checks(private_connect_manager_t *this, check_list_t *checklist); /** @@ -1019,11 +1019,11 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t * job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL); - u_int32_t retransmission = pair->retransmitted + 1; - u_int32_t rto = ME_INTERVAL; + uint32_t retransmission = pair->retransmitted + 1; + uint32_t rto = ME_INTERVAL; if (retransmission > ME_BOOST) { - rto = (u_int32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST)); + rto = (uint32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST)); } DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms", retransmission, pair->id, rto); 
@@ -1165,7 +1165,7 @@ static job_requeue_t sender(callback_data_t *data) * Schedules checks for a checklist (time in ms) */ static void schedule_checks(private_connect_manager_t *this, - check_list_t *checklist, u_int32_t time) + check_list_t *checklist, uint32_t time) { callback_data_t *data = callback_data_create(this, checklist->connect_id); checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 55cb5dd9c..e37399841 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -99,8 +99,8 @@ METHOD(keymat_t, create_nonce_gen, nonce_gen_t*, /** * Derive IKE keys for a combined AEAD algorithm */ -static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg, - u_int16_t key_size, prf_plus_t *prf_plus) +static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg, + uint16_t key_size, prf_plus_t *prf_plus) { aead_t *aead_i, *aead_r; chunk_t key = chunk_empty; @@ -189,8 +189,8 @@ failure: /** * Derive IKE keys for traditional encryption and MAC algorithms */ -static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg, - u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus) +static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg, + uint16_t enc_size, uint16_t int_alg, prf_plus_t *prf_plus) { crypter_t *crypter_i = NULL, *crypter_r = NULL; signer_t *signer_i, *signer_r; @@ -302,11 +302,11 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; chunk_t spi_i, spi_r; prf_plus_t *prf_plus = NULL; - u_int16_t alg, key_size, int_alg; + uint16_t alg, key_size, int_alg; prf_t *rekey_prf = NULL; - spi_i = chunk_alloca(sizeof(u_int64_t)); - spi_r = chunk_alloca(sizeof(u_int64_t)); + spi_i = chunk_alloca(sizeof(uint64_t)); + spi_r = chunk_alloca(sizeof(uint64_t)); if (!dh->get_shared_secret(dh, &secret)) { 
@@ -354,8 +354,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, break; } fixed_nonce = chunk_cat("cc", nonce_i, nonce_r); - *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id); - *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id); + *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id); + *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id); prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r); /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) @@ -489,7 +489,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r) { - u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0; + uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0; chunk_t seed, secret = chunk_empty; prf_plus_t *prf_plus; diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index c2f972ab1..41a4e1b75 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2007-2015 Tobias Brunner + * Copyright (C) 2007-2016 Tobias Brunner * Copyright (C) 2007-2010 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -43,30 +43,14 @@ #include <encoding/payloads/unknown_payload.h> #include <processing/jobs/retransmit_job.h> #include <processing/jobs/delete_ike_sa_job.h> +#include <processing/jobs/initiate_tasks_job.h> #ifdef ME #include <sa/ikev2/tasks/ike_me.h> #endif -typedef struct exchange_t exchange_t; - -/** - * An exchange in the air, used do detect and handle retransmission - */ -struct exchange_t { - - /** - * Message ID used for this transaction - */ - u_int32_t mid; - - /** - * generated packet for retransmission - */ - packet_t *packet; -}; - typedef struct private_task_manager_t private_task_manager_t; +typedef struct queued_task_t queued_task_t; /** * private data of the task manager @@ -90,7 +74,7 @@ struct private_task_manager_t { /** * Message ID of the exchange */ - u_int32_t mid; + uint32_t mid; /** * packet(s) for retransmission @@ -111,7 +95,7 @@ struct private_task_manager_t { /** * Message ID of the exchange */ - u_int32_t mid; + uint32_t mid; /** * how many times we have retransmitted so far @@ -182,6 +166,22 @@ struct private_task_manager_t { }; /** + * Queued tasks + */ +struct queued_task_t { + + /** + * Queued task + */ + task_t *task; + + /** + * Time before which the task is not to be initiated + */ + timeval_t time; +}; + +/** * Reset retransmission packet list */ static void clear_packets(array_t *array) @@ -216,6 +216,12 @@ METHOD(task_manager_t, flush_queue, void, } while (array_remove(array, ARRAY_TAIL, &task)) { + if (queue == TASK_QUEUE_QUEUED) + { + queued_task_t *queued = (queued_task_t*)task; + task = queued->task; + free(queued); + } task->destroy(task); } } 
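Review bot: In the flush_queue hunk at -216 the items of the queued array are pulled out through the existing `task_t *task` variable (declared outside the hunk) and only then cast with `queued_task_t *queued = (queued_task_t*)task;`, so for TASK_QUEUE_QUEUED the pointer briefly carries the wrong static type and nothing but the `queue` check documents that. A `void *item` local that is cast once per queue kind, or a tiny unwrap helper shared with the other places that do the same reinterpretation (migrate_child_tasks at -1776 in the same file), would make the ownership of the wrapper explicit; the `free(queued)` after unwrapping is correct given that queue_task_delayed allocates the wrapper with INIT. flush_queue's signature and declarations lie outside the hunk.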
@@ -229,22 +235,28 @@ METHOD(task_manager_t, flush, void, } /** - * move a task of a specific type from the queue to the active list + * Move a task of a specific type from the queue to the active list, if it is + * not delayed. */ static bool activate_task(private_task_manager_t *this, task_type_t type) { enumerator_t *enumerator; - task_t *task; + queued_task_t *queued; + timeval_t now; bool found = FALSE; + time_monotonic(&now); + enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, (void**)&task)) + while (enumerator->enumerate(enumerator, (void**)&queued)) { - if (task->get_type(task) == type) + if (queued->task->get_type(queued->task) == type && + !timercmp(&now, &queued->time, <)) { DBG2(DBG_IKE, " activating %N task", task_type_names, type); array_remove_at(this->queued_tasks, enumerator); - array_insert(this->active_tasks, ARRAY_TAIL, task); + array_insert(this->active_tasks, ARRAY_TAIL, queued->task); + free(queued); found = TRUE; break; } @@ -303,12 +315,12 @@ static bool generate_message(private_task_manager_t *this, message_t *message, } METHOD(task_manager_t, retransmit, status_t, - private_task_manager_t *this, u_int32_t message_id) + private_task_manager_t *this, uint32_t message_id) { if (message_id == this->initiating.mid && array_count(this->initiating.packets)) { - u_int32_t timeout; + uint32_t timeout; job_t *job; enumerator_t *enumerator; packet_t *packet; @@ -336,7 +348,7 @@ METHOD(task_manager_t, retransmit, status_t, { if (this->initiating.retransmitted <= this->retransmit_tries) { - timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 * + timeout = (uint32_t)(this->retransmit_timeout * 1000.0 * pow(this->retransmit_base, this->initiating.retransmitted)); } else 
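Review bot: activate_task now relies on `timercmp(&now, &queued->time, <)`, which is a BSD/glibc macro rather than part of C11 or POSIX; unless the project's compatibility headers provide a fallback (not visible here), builds on toolchains without it will fail, and a small project helper that compares `tv_sec` then `tv_usec` would remove the dependency. The loop also activates the first non-delayed task of the requested type, so a delayed task queued earlier is silently passed over in favour of a later one of the same type; if ordering within a type carries no meaning that is fine, but it deserves a comment such as `/* skip delayed tasks; a later task of the same type may be activated first */`. The function's closing lines are outside the hunk.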
@@ -352,7 +364,8 @@ METHOD(task_manager_t, retransmit, status_t, { DBG1(DBG_IKE, "retransmit %d of request with message ID %d", this->initiating.retransmitted, message_id); - charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet, + this->initiating.retransmitted); } if (!mobike) { @@ -534,6 +547,7 @@ METHOD(task_manager_t, initiate, status_t, break; } case IKE_REKEYING: + case IKE_REKEYED: if (activate_task(this, TASK_IKE_DELETE)) { exchange = INFORMATIONAL; @@ -610,7 +624,8 @@ METHOD(task_manager_t, initiate, status_t, case FAILED: default: this->initiating.type = EXCHANGE_TYPE_UNDEFINED; - if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) + if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING && + this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED) { charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); } @@ -694,6 +709,13 @@ static status_t process_response(private_task_manager_t *this, } enumerator->destroy(enumerator); + if (this->initiating.retransmitted) + { + packet_t *packet = NULL; + array_get(this->initiating.packets, 0, &packet); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet); + } + /* catch if we get resetted while processing */ this->reset = FALSE; enumerator = array_create_enumerator(this->active_tasks); @@ -751,8 +773,7 @@ static bool handle_collisions(private_task_manager_t *this, task_t *task) /* do we have to check */ if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY || - type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE || - type == TASK_IKE_REAUTH) + type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE) { /* find an exchange collision, and notify these tasks */ enumerator = array_create_enumerator(this->active_tasks); 
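Review bot: The ALERT_RETRANSMIT_SEND_CLEARED block added to process_response at -694 ignores the result of `array_get(this->initiating.packets, 0, &packet)`, so if the packet list happens to be empty the alert is raised with `packet == NULL` and every bus listener must tolerate that. A non-zero `this->initiating.retransmitted` presumably implies a stored packet, but that invariant is not visible in the hunk; `if (this->initiating.retransmitted && array_get(this->initiating.packets, 0, &packet))` pins it in place at no cost. process_response continues outside the hunk.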
@@ -761,8 +782,7 @@ static bool handle_collisions(private_task_manager_t *this, task_t *task) switch (active->get_type(active)) { case TASK_IKE_REKEY: - if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE || - type == TASK_IKE_REAUTH) + if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE) { ike_rekey_t *rekey = (ike_rekey_t*)active; rekey->collide(rekey, task); @@ -799,7 +819,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request) host_t *me, *other; bool delete = FALSE, hook = FALSE; ike_sa_id_t *id = NULL; - u_int64_t responder_spi = 0; + uint64_t responder_spi = 0; bool result; me = request->get_destination(request); @@ -839,6 +859,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request) /* FALL */ case DESTROY_ME: /* destroy IKE_SA, but SEND response first */ + if (handle_collisions(this, task)) + { + array_remove_at(this->passive_tasks, enumerator); + } delete = TRUE; break; } @@ -901,9 +925,11 @@ static status_t process_request(private_task_manager_t *this, payload_t *payload; notify_payload_t *notify; delete_payload_t *delete; + ike_sa_state_t state; if (array_count(this->passive_tasks) == 0) { /* create tasks depending on request type, if not already some queued */ + state = this->ike_sa->get_state(this->ike_sa); switch (message->get_exchange_type(message)) { case IKE_SA_INIT: @@ -939,8 +965,8 @@ static status_t process_request(private_task_manager_t *this, { /* FIXME: we should prevent this on mediation connections */ bool notify_found = FALSE, ts_found = FALSE; - if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || - this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING) + if (state == IKE_CREATED || + state == IKE_CONNECTING) { DBG1(DBG_IKE, "received CREATE_CHILD_SA request for " "unestablished IKE_SA, rejected"); 
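Review bot: In the process_request hunk at -901, `state` is declared without an initializer and assigned only inside the `array_count(this->passive_tasks) == 0` branch, while the `state == IKE_REKEYED` test added at -1005 (the following hunk) is, as far as the hunks show, nested inside that same branch; should any path ever reach the notify handling without passing the assignment, the read is undefined behaviour, and compilers already tend to warn "may be used uninitialized" on this shape. Moving `state = this->ike_sa->get_state(this->ike_sa);` to just after the declarations, ahead of the `if`, removes the dependency on that nesting. process_request extends well beyond both hunks.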
@@ -1005,6 +1031,14 @@ static status_t process_request(private_task_manager_t *this, case PLV2_NOTIFY: { notify = (notify_payload_t*)payload; + if (state == IKE_REKEYED) + { + DBG1(DBG_IKE, "received unexpected notify %N " + "for rekeyed IKE_SA, ignored", + notify_type_names, + notify->get_notify_type(notify)); + break; + } switch (notify->get_notify_type(notify)) { case ADDITIONAL_IP4_ADDRESS: @@ -1252,7 +1286,7 @@ static void send_notify_response(private_task_manager_t *this, static status_t parse_message(private_task_manager_t *this, message_t *msg) { status_t status; - u_int8_t type = 0; + uint8_t type = 0; status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa)); @@ -1345,8 +1379,10 @@ METHOD(task_manager_t, process_message, status_t, { host_t *me, *other; status_t status; - u_int32_t mid; + uint32_t mid; bool schedule_delete_job = FALSE; + ike_sa_state_t state; + exchange_type_t type; charon->bus->message(charon->bus, msg, TRUE, FALSE); status = parse_message(this, msg); 
@@ -1387,15 +1423,16 @@ METHOD(task_manager_t, process_message, status_t, { if (mid == this->responding.mid) { - /* reject initial messages if not received in specific states */ - if ((msg->get_exchange_type(msg) == IKE_SA_INIT && - this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) || - (msg->get_exchange_type(msg) == IKE_AUTH && - this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)) + /* reject initial messages if not received in specific states, + * after rekeying we only expect a DELETE in an INFORMATIONAL */ + type = msg->get_exchange_type(msg); + state = this->ike_sa->get_state(this->ike_sa); + if ((type == IKE_SA_INIT && state != IKE_CREATED) || + (type == IKE_AUTH && state != IKE_CONNECTING) || + (state == IKE_REKEYED && type != INFORMATIONAL)) { DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", - exchange_type_names, msg->get_exchange_type(msg), - ike_sa_state_names, this->ike_sa->get_state(this->ike_sa)); + exchange_type_names, type, ike_sa_state_names, state); return FAILED; } if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) @@ -1499,18 +1536,19 @@ METHOD(task_manager_t, process_message, status_t, return SUCCESS; } -METHOD(task_manager_t, queue_task, void, - private_task_manager_t *this, task_t *task) +METHOD(task_manager_t, queue_task_delayed, void, + private_task_manager_t *this, task_t *task, uint32_t delay) { + enumerator_t *enumerator; + queued_task_t *queued; + timeval_t time; + if (task->get_type(task) == TASK_IKE_MOBIKE) { /* there is no need to queue more than one mobike task */ - enumerator_t *enumerator; - task_t *current; - enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, ¤t)) + while (enumerator->enumerate(enumerator, &queued)) { - if (current->get_type(current) == TASK_IKE_MOBIKE) + if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE) { enumerator->destroy(enumerator); task->destroy(task); 
@@ -1519,8 +1557,35 @@ METHOD(task_manager_t, queue_task, void, } enumerator->destroy(enumerator); } - DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task)); - array_insert(this->queued_tasks, ARRAY_TAIL, task); + time_monotonic(&time); + if (delay) + { + job_t *job; + + DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names, + task->get_type(task), delay); + time.tv_sec += delay; + + job = (job_t*)initiate_tasks_job_create( + this->ike_sa->get_id(this->ike_sa)); + lib->scheduler->schedule_job_tv(lib->scheduler, job, time); + } + else + { + DBG2(DBG_IKE, "queueing %N task", task_type_names, + task->get_type(task)); + } + INIT(queued, + .task = task, + .time = time, + ); + array_insert(this->queued_tasks, ARRAY_TAIL, queued); +} + +METHOD(task_manager_t, queue_task, void, + private_task_manager_t *this, task_t *task) +{ + queue_task_delayed(this, task, 0); } /** @@ -1530,12 +1595,12 @@ static bool has_queued(private_task_manager_t *this, task_type_t type) { enumerator_t *enumerator; bool found = FALSE; - task_t *task; + queued_task_t *queued; enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, &task)) + while (enumerator->enumerate(enumerator, &queued)) { - if (task->get_type(task) == type) + if (queued->task->get_type(queued->task) == type) { found = TRUE; break; @@ -1614,7 +1679,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this) child_cfg_t *cfg; ike_sa_t *new; host_t *host; - task_t *task; + queued_task_t *queued; new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, this->ike_sa->get_version(this->ike_sa), TRUE); 
@@ -1645,13 +1710,14 @@ static void trigger_mbb_reauth(private_task_manager_t *this) enumerator->destroy(enumerator); enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, &task)) + while (enumerator->enumerate(enumerator, &queued)) { - if (task->get_type(task) == TASK_CHILD_CREATE) + if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE) { - task->migrate(task, new); - new->queue_task(new, task); + queued->task->migrate(queued->task, new); + new->queue_task(new, queued->task); array_remove_at(this->queued_tasks, enumerator); + free(queued); } } enumerator->destroy(enumerator); @@ -1726,7 +1792,7 @@ METHOD(task_manager_t, queue_mobike, void, } METHOD(task_manager_t, queue_child, void, - private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid, + private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid, traffic_selector_t *tsi, traffic_selector_t *tsr) { child_create_t *task; @@ -1740,13 +1806,13 @@ METHOD(task_manager_t, queue_child, void, } METHOD(task_manager_t, queue_child_rekey, void, - private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi) + private_task_manager_t *this, protocol_id_t protocol, uint32_t spi) { queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi)); } METHOD(task_manager_t, queue_child_delete, void, - private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi, + private_task_manager_t *this, protocol_id_t protocol, uint32_t spi, bool expired) { queue_task(this, (task_t*)child_delete_create(this->ike_sa, 
@@ -1776,34 +1842,62 @@ METHOD(task_manager_t, adopt_tasks, void, private_task_manager_t *this, task_manager_t *other_public) { private_task_manager_t *other = (private_task_manager_t*)other_public; - task_t *task; + queued_task_t *queued; + timeval_t now; + + time_monotonic(&now); /* move queued tasks from other to this */ - while (array_remove(other->queued_tasks, ARRAY_TAIL, &task)) + while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued)) { - DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task)); - task->migrate(task, this->ike_sa); - array_insert(this->queued_tasks, ARRAY_HEAD, task); + DBG2(DBG_IKE, "migrating %N task", task_type_names, + queued->task->get_type(queued->task)); + queued->task->migrate(queued->task, this->ike_sa); + /* don't delay tasks on the new IKE_SA */ + queued->time = now; + array_insert(this->queued_tasks, ARRAY_HEAD, queued); } } /** - * Migrates child-creating tasks from src to dst + * Migrates child-creating tasks from other to this */ static void migrate_child_tasks(private_task_manager_t *this, - array_t *src, array_t *dst) + private_task_manager_t *other, + task_queue_t queue) { enumerator_t *enumerator; + array_t *array; task_t *task; - enumerator = array_create_enumerator(src); + switch (queue) + { + case TASK_QUEUE_ACTIVE: + array = other->active_tasks; + break; + case TASK_QUEUE_QUEUED: + array = other->queued_tasks; + break; + default: + return; + } + + enumerator = array_create_enumerator(array); while (enumerator->enumerate(enumerator, &task)) { + queued_task_t *queued = NULL; + + if (queue == TASK_QUEUE_QUEUED) + { + queued = (queued_task_t*)task; + task = queued->task; + } if (task->get_type(task) == TASK_CHILD_CREATE) { - array_remove_at(src, enumerator); + array_remove_at(array, enumerator); task->migrate(task, this->ike_sa); - array_insert(dst, ARRAY_TAIL, task); + queue_task(this, task); + free(queued); } } enumerator->destroy(enumerator); 
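Review bot: The rewritten migrate_child_tasks at -1776 re-queues each migrated task through `queue_task(this, task)`, which wraps it in a fresh `queued_task_t` with delay 0, so a CHILD_CREATE that was waiting on a delayed retry on the old IKE_SA is initiated immediately on the new one; that matches the `/* don't delay tasks on the new IKE_SA */` comment in adopt_tasks just above, but the function's doc comment should state it, e.g. `* Migrates child-creating tasks from other to this; queued tasks lose any pending delay.` The loop also overwrites its own enumeration variable with `task = queued->task;`, which is safe only because the enumerator stores into `&task` afresh on every iteration — a separate `task_t *inner` would make that obvious. The function's closing brace is outside the hunk.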
@@ -1815,9 +1909,9 @@ METHOD(task_manager_t, adopt_child_tasks, void, private_task_manager_t *other = (private_task_manager_t*)other_public; /* move active child tasks from other to this */ - migrate_child_tasks(this, other->active_tasks, this->queued_tasks); + migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE); /* do the same for queued tasks */ - migrate_child_tasks(this, other->queued_tasks, this->queued_tasks); + migrate_child_tasks(this, other, TASK_QUEUE_QUEUED); } METHOD(task_manager_t, busy, bool, @@ -1827,10 +1921,12 @@ METHOD(task_manager_t, busy, bool, } METHOD(task_manager_t, reset, void, - private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) + private_task_manager_t *this, uint32_t initiate, uint32_t respond) { enumerator_t *enumerator; + queued_task_t *queued; task_t *task; + timeval_t now; /* reset message counters and retransmit packets */ clear_packets(this->responding.packets); @@ -1849,11 +1945,13 @@ METHOD(task_manager_t, reset, void, } this->initiating.type = EXCHANGE_TYPE_UNDEFINED; + time_monotonic(&now); /* reset queued tasks */ enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, &task)) + while (enumerator->enumerate(enumerator, &queued)) { - task->migrate(task, this->ike_sa); + queued->time = now; + queued->task->migrate(queued->task, this->ike_sa); } enumerator->destroy(enumerator); 
@@ -1861,12 +1959,25 @@ METHOD(task_manager_t, reset, void, while (array_remove(this->active_tasks, ARRAY_TAIL, &task)) { task->migrate(task, this->ike_sa); - array_insert(this->queued_tasks, ARRAY_HEAD, task); + INIT(queued, + .task = task, + .time = now, + ); + array_insert(this->queued_tasks, ARRAY_HEAD, queued); } this->reset = TRUE; } +/** + * Filter queued tasks + */ +static bool filter_queued(void *unused, queued_task_t **queued, task_t **task) +{ + *task = (*queued)->task; + return TRUE; +} + METHOD(task_manager_t, create_task_enumerator, enumerator_t*, private_task_manager_t *this, task_queue_t queue) { @@ -1877,7 +1988,9 @@ METHOD(task_manager_t, create_task_enumerator, enumerator_t*, case TASK_QUEUE_PASSIVE: return array_create_enumerator(this->passive_tasks); case TASK_QUEUE_QUEUED: - return array_create_enumerator(this->queued_tasks); + return enumerator_create_filter( + array_create_enumerator(this->queued_tasks), + (void*)filter_queued, NULL, NULL); default: return enumerator_create_empty(); } @@ -1913,6 +2026,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa) .task_manager = { .process_message = _process_message, .queue_task = _queue_task, + .queue_task_delayed = _queue_task_delayed, .queue_ike = _queue_ike, .queue_ike_rekey = _queue_ike_rekey, .queue_ike_reauth = _queue_ike_reauth, diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 3d4ded944..64a82850b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -29,7 +29,7 @@ #include <encoding/payloads/delete_payload.h> #include <processing/jobs/delete_ike_sa_job.h> #include <processing/jobs/inactivity_job.h> - +#include <processing/jobs/initiate_tasks_job.h> typedef struct private_child_create_t private_child_create_t; @@ -151,27 +151,27 @@ struct private_child_create_t { /** * Own allocated SPI */ - u_int32_t my_spi; + uint32_t my_spi; /** * SPI received in proposal */ - u_int32_t other_spi; + uint32_t other_spi; /** * Own allocated Compression Parameter Index (CPI) */ - u_int16_t my_cpi; + uint16_t my_cpi; /** * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED */ - u_int16_t other_cpi; + uint16_t other_cpi; /** * reqid to use if we are rekeying */ - u_int32_t reqid; + uint32_t reqid; /** * Explicit inbound mark value @@ -205,6 +205,25 @@ struct private_child_create_t { }; /** + * Schedule a retry if creating the CHILD_SA temporary failed + */ +static void schedule_delayed_retry(private_child_create_t *this) +{ + child_create_t *task; + uint32_t retry; + + retry = RETRY_INTERVAL - (random() % RETRY_JITTER); + + task = child_create_create(this->ike_sa, + this->config->get_ref(this->config), FALSE, + this->packet_tsi, this->packet_tsr); + task->use_reqid(task, this->reqid); + DBG1(DBG_IKE, "creating CHILD_SA failed, trying again in %d seconds", + retry); + this->ike_sa->queue_task_delayed(this->ike_sa, (task_t*)task, retry); +} + +/** * get the nonce from a message */ static status_t get_nonce(message_t *message, chunk_t *nonce) @@ -306,7 +325,7 @@ static bool allocate_spi(private_child_create_t *this) */ static void schedule_inactivity_timeout(private_child_create_t *this) { - u_int32_t timeout, id; + uint32_t timeout, id; bool close_ike; timeout = this->config->get_inactivity(this->config); 
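Review bot: schedule_delayed_retry at -205 puts no bound on the number of retries: every TEMPORARY_FAILURE from the peer schedules another CHILD_SA attempt after `RETRY_INTERVAL - (random() % RETRY_JITTER)` seconds, so an IKE_SA whose peer keeps answering that way retries indefinitely. If that is intended because the interval is long and each attempt is cheap, say so in the doc comment; otherwise carry a retry counter into the new task and stop after a limit. Two smaller points: `retry` is `uint32_t`, so the DBG1 format should be `%u` rather than `%d`, and the subtraction wraps to a huge delay if RETRY_JITTER ever exceeds RETRY_INTERVAL (their definitions are not on this page), which a compile-time check or a clamp would guard.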
@@ -386,7 +405,7 @@ static linked_list_t* get_transport_nat_ts(private_child_create_t *this, linked_list_t *out; traffic_selector_t *ts; host_t *ike, *first = NULL; - u_int8_t mask; + uint8_t mask; if (local) { @@ -464,7 +483,7 @@ static status_t select_and_install(private_child_create_t *this, chunk_t integ_i = chunk_empty, integ_r = chunk_empty; linked_list_t *my_ts, *other_ts; host_t *me, *other; - bool private; + bool private, prefer_configured; if (this->proposals == NULL) { @@ -481,8 +500,10 @@ static status_t select_and_install(private_child_create_t *this, other = this->ike_sa->get_other_host(this->ike_sa); private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->config->select_proposal(this->config, - this->proposals, no_dh, private); + this->proposals, no_dh, private, prefer_configured); if (this->proposal == NULL) { DBG1(DBG_IKE, "no acceptable proposal found"); @@ -501,7 +522,7 @@ static status_t select_and_install(private_child_create_t *this, if (!this->proposal->has_dh_group(this->proposal, this->dh_group)) { - u_int16_t group; + uint16_t group; if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &group, NULL)) @@ -798,7 +819,7 @@ static bool build_payloads(private_child_create_t *this, message_t *message) * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI */ static void add_ipcomp_notify(private_child_create_t *this, - message_t *message, u_int8_t ipcomp) + message_t *message, uint8_t ipcomp) { this->my_cpi = this->child_sa->alloc_cpi(this->child_sa); if (this->my_cpi) 
@@ -838,11 +859,11 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify case IPCOMP_SUPPORTED: { ipcomp_transform_t ipcomp; - u_int16_t cpi; + uint16_t cpi; chunk_t data; data = notify->get_notification_data(notify); - cpi = *(u_int16_t*)data.ptr; + cpi = *(uint16_t*)data.ptr; ipcomp = (ipcomp_transform_t)(*(data.ptr + 2)); switch (ipcomp) { @@ -1232,13 +1253,13 @@ METHOD(task_t, build_r, status_t, if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING) { DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA"); - message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty); + message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty); return SUCCESS; } if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) { DBG1(DBG_IKE, "unable to create CHILD_SA while deleting IKE_SA"); - message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty); + message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty); return SUCCESS; } @@ -1310,7 +1331,7 @@ METHOD(task_t, build_r, status_t, return SUCCESS; case INVALID_ARG: { - u_int16_t group = htons(this->dh_group); + uint16_t group = htons(this->dh_group); message->add_notify(message, FALSE, INVALID_KE_PAYLOAD, chunk_from_thing(group)); handle_child_sa_failure(this, message); @@ -1441,10 +1462,21 @@ METHOD(task_t, process_i, status_t, /* an error in CHILD_SA creation is not critical */ return SUCCESS; } + case TEMPORARY_FAILURE: + { + DBG1(DBG_IKE, "received %N notify, will retry later", + notify_type_names, type); + enumerator->destroy(enumerator); + if (!this->rekey) + { /* the rekey task will retry itself if necessary */ + schedule_delayed_retry(this); + } + return SUCCESS; + } case INVALID_KE_PAYLOAD: { chunk_t data; - u_int16_t group = MODP_NONE; + uint16_t group = MODP_NONE; data = notify->get_notification_data(notify); if (data.len == sizeof(group)) 
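Review bot: The new TEMPORARY_FAILURE case in process_i at -1441 returns SUCCESS without the cleanup the neighbouring notify-error paths appear to perform: the case directly above ends with `/* an error in CHILD_SA creation is not critical */ return SUCCESS;` after what looks like a handle_child_sa_failure() call (that helper is visible in the build_r INVALID_ARG hunk at -1310), whereas here the partially built `this->child_sa` is left to the task's destroy. If skipping it is deliberate because the delayed retry task supersedes this one, a comment such as `/* no failure handling here: the delayed retry task takes over */` would stop someone from "fixing" it later. process_i continues outside the hunk.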
@@ -1529,7 +1561,7 @@ METHOD(task_t, process_i, status_t, } METHOD(child_create_t, use_reqid, void, - private_child_create_t *this, u_int32_t reqid) + private_child_create_t *this, uint32_t reqid) { this->reqid = reqid; } diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h index 46d9403ee..f48d7b0a9 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.h +++ b/src/libcharon/sa/ikev2/tasks/child_create.h @@ -49,7 +49,7 @@ struct child_create_t { * * @param reqid reqid to use */ - void (*use_reqid) (child_create_t *this, u_int32_t reqid); + void (*use_reqid) (child_create_t *this, uint32_t reqid); /** * Use specific mark values to override configuration. diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 877ae0531..6fa8836ac 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2009-2016 Tobias Brunner * Copyright (C) 2006-2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -18,7 +19,7 @@ #include <daemon.h> #include <encoding/payloads/delete_payload.h> #include <sa/ikev2/tasks/child_create.h> - +#include <sa/ikev2/tasks/child_rekey.h> typedef struct private_child_delete_t private_child_delete_t; @@ -50,7 +51,7 @@ struct private_child_delete_t { /** * Inbound SPI of CHILD_SA to delete */ - u_int32_t spi; + uint32_t spi; /** * whether to enforce delete action policy 
@@ -86,7 +87,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message) while (enumerator->enumerate(enumerator, (void**)&child_sa)) { protocol_id_t protocol = child_sa->get_protocol(child_sa); - u_int32_t spi = child_sa->get_spi(child_sa, TRUE); + uint32_t spi = child_sa->get_spi(child_sa, TRUE); switch (protocol) { @@ -119,6 +120,33 @@ static void build_payloads(private_child_delete_t *this, message_t *message) } /** + * Check if the given CHILD_SA is the redundant SA created in a rekey collision. + */ +static bool is_redundant(private_child_delete_t *this, child_sa_t *child) +{ + enumerator_t *tasks; + task_t *task; + + tasks = this->ike_sa->create_task_enumerator(this->ike_sa, + TASK_QUEUE_ACTIVE); + while (tasks->enumerate(tasks, &task)) + { + if (task->get_type(task) == TASK_CHILD_REKEY) + { + child_rekey_t *rekey = (child_rekey_t*)task; + + if (rekey->is_redundant(rekey, child)) + { + tasks->destroy(tasks); + return TRUE; + } + } + } + tasks->destroy(tasks); + return FALSE; +} + +/** * read in payloads and find the children to delete */ static void process_payloads(private_child_delete_t *this, message_t *message) @@ -126,7 +154,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message) enumerator_t *payloads, *spis; payload_t *payload; delete_payload_t *delete_payload; - u_int32_t spi; + uint32_t spi; protocol_id_t protocol; child_sa_t *child_sa; 
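Review bot: is_redundant at -119 destroys the enumerator on two separate exit paths, which is easy to get wrong when the loop grows; a `bool found = FALSE;` set in the match branch followed by `break;` and a single `tasks->destroy(tasks); return found;` after the loop mirrors the has_queued pattern in task_manager_v2.c and reads more simply. The `(child_rekey_t*)task` cast is guarded by the `TASK_CHILD_REKEY` type check, which is fine; a one-line comment stating that the cast depends on it would help a future reader.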
@@ -157,24 +185,31 @@ static void process_payloads(private_child_delete_t *this, message_t *message) switch (child_sa->get_state(child_sa)) { - case CHILD_REKEYING: + case CHILD_REKEYED: this->rekeyed = TRUE; - /* we reply as usual, rekeying will fail */ break; case CHILD_DELETING: /* we don't send back a delete if we initiated ourself */ if (!this->initiator) { - this->ike_sa->destroy_child_sa(this->ike_sa, - protocol, spi); continue; } /* fall through */ + case CHILD_REKEYING: + /* we reply as usual, rekeying will fail */ case CHILD_INSTALLED: if (!this->initiator) - { /* reestablish installed children if required */ - this->check_delete_action = TRUE; + { + if (is_redundant(this, child_sa)) + { + this->rekeyed = TRUE; + } + else + { + this->check_delete_action = TRUE; + } } + break; default: break; } @@ -199,14 +234,14 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_sa_t *child_sa; child_cfg_t *child_cfg; protocol_id_t protocol; - u_int32_t spi, reqid; + uint32_t spi, reqid; action_t action; status_t status = SUCCESS; enumerator = this->child_sas->create_enumerator(this->child_sas); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { - /* signal child down event if we are not rekeying */ + /* signal child down event if we weren't rekeying */ if (!this->rekeyed) { charon->bus->child_updown(charon->bus, child_sa, FALSE); @@ -254,7 +289,7 @@ static void log_children(private_child_delete_t *this) linked_list_t *my_ts, *other_ts; enumerator_t *enumerator; child_sa_t *child_sa; - u_int64_t bytes_in, bytes_out; + uint64_t bytes_in, bytes_out; enumerator = this->child_sas->create_enumerator(this->child_sas); while (enumerator->enumerate(enumerator, (void**)&child_sa)) 
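Review bot: In process_payloads the new `case CHILD_REKEYING:` runs straight into `case CHILD_INSTALLED:` with only `/* we reply as usual, rekeying will fail */` above it, which reads as an explanation rather than a fall-through marker, unlike the explicit `/* fall through */` the CHILD_DELETING arm keeps. Add `/* fall through */` after that comment so -Wimplicit-fallthrough and readers do not take it for a missing break. The CHILD_DELETING arm also no longer calls destroy_child_sa() before `continue` when we are the initiator; if that cleanup is now owned by our own delete task, a one-line comment there would make the hand-off explicit. process_payloads starts and ends outside this hunk.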
@@ -308,7 +343,7 @@ METHOD(task_t, build_i, status_t, this->spi = child_sa->get_spi(child_sa, TRUE); } this->child_sas->insert_last(this->child_sas, child_sa); - if (child_sa->get_state(child_sa) == CHILD_REKEYING) + if (child_sa->get_state(child_sa) == CHILD_REKEYED) { this->rekeyed = TRUE; } @@ -347,11 +382,7 @@ METHOD(task_t, process_r, status_t, METHOD(task_t, build_r, status_t, private_child_delete_t *this, message_t *message) { - /* if we are rekeying, we send an empty informational */ - if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING) - { - build_payloads(this, message); - } + build_payloads(this, message); DBG1(DBG_IKE, "CHILD_SA closed"); return destroy_and_reestablish(this); } @@ -391,7 +422,7 @@ METHOD(task_t, destroy, void, * Described in header. */ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol, - u_int32_t spi, bool expired) + uint32_t spi, bool expired) { private_child_delete_t *this; diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.h b/src/libcharon/sa/ikev2/tasks/child_delete.h index 1ada0699e..1e9b2d2f7 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.h +++ b/src/libcharon/sa/ikev2/tasks/child_delete.h @@ -56,6 +56,6 @@ struct child_delete_t { * @return child_delete task to handle by the task_manager */ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol, - u_int32_t spi, bool expired); + uint32_t spi, bool expired); #endif /** CHILD_DELETE_H_ @}*/ diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index 6f0c2b2c7..c04ec141f 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c 
@@ -1,7 +1,8 @@ /* + * Copyright (C) 2009-2016 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -54,7 +55,7 @@ struct private_child_rekey_t { /** * Inbound SPI of CHILD_SA to rekey */ - u_int32_t spi; + uint32_t spi; /** * the CHILD_CREATE task which is reused to simplify rekeying @@ -91,7 +92,7 @@ struct private_child_rekey_t { */ static void schedule_delayed_rekey(private_child_rekey_t *this) { - u_int32_t retry; + uint32_t retry; job_t *job; retry = RETRY_INTERVAL - (random() % RETRY_JITTER); @@ -130,7 +131,7 @@ static void find_child(private_child_rekey_t *this, message_t *message) { notify_payload_t *notify; protocol_id_t protocol; - u_int32_t spi; + uint32_t spi; notify = message->get_notify(message, REKEY_SA); if (notify) @@ -150,7 +151,7 @@ METHOD(task_t, build_i, status_t, private_child_rekey_t *this, message_t *message) { notify_payload_t *notify; - u_int32_t reqid; + uint32_t reqid; child_cfg_t *config; this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol, 
@@ -159,14 +160,21 @@ METHOD(task_t, build_i, status_t, { /* check if it is an outbound CHILD_SA */ this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol, this->spi, FALSE); - if (!this->child_sa) - { /* CHILD_SA is gone, unable to rekey. As an empty CREATE_CHILD_SA - * exchange is invalid, we fall back to an INFORMATIONAL exchange.*/ - message->set_exchange_type(message, INFORMATIONAL); - return SUCCESS; + if (this->child_sa) + { + /* we work only with the inbound SPI */ + this->spi = this->child_sa->get_spi(this->child_sa, TRUE); } - /* we work only with the inbound SPI */ - this->spi = this->child_sa->get_spi(this->child_sa, TRUE); + } + if (!this->child_sa || + (!this->child_create && + this->child_sa->get_state(this->child_sa) != CHILD_INSTALLED) || + (this->child_create && + this->child_sa->get_state(this->child_sa) != CHILD_REKEYING)) + { + /* CHILD_SA is gone or in the wrong state, unable to rekey */ + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + return SUCCESS; } config = this->child_sa->get_config(this->child_sa); @@ -217,13 +225,19 @@ METHOD(task_t, build_r, status_t, private_child_rekey_t *this, message_t *message) { child_cfg_t *config; - u_int32_t reqid; + uint32_t reqid; + child_sa_state_t state; - if (this->child_sa == NULL || - this->child_sa->get_state(this->child_sa) == CHILD_DELETING) + if (!this->child_sa) { DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found"); - message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); + message->add_notify(message, TRUE, CHILD_SA_NOT_FOUND, chunk_empty); + return SUCCESS; + } + if (this->child_sa->get_state(this->child_sa) == CHILD_DELETING) + { + DBG1(DBG_IKE, "unable to rekey, we are deleting the CHILD_SA"); + message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty); return SUCCESS; } 
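Review bot: build_r now answers a rekey of an unknown CHILD_SA with CHILD_SA_NOT_FOUND and a rekey of one we are deleting with TEMPORARY_FAILURE, both RFC 7296 notify types; a peer that only implements RFC 4306 does not know them and, per RFC 7296 section 3.10.1, has to treat an unrecognized error notify in a response as the request failing entirely. That degrades to the same result as the old NO_PROPOSAL_CHOSEN, but it is worth recording at the two add_notify() calls, e.g. `/* RFC 7296 2.25.1; an RFC 4306 peer sees an unknown error notify and just treats the rekey as failed */`. The rest of build_r continues outside this hunk.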
@@ -237,14 +251,16 @@ METHOD(task_t, build_r, status_t, this->child_create->set_config(this->child_create, config->get_ref(config)); this->child_create->task.build(&this->child_create->task, message); + state = this->child_sa->get_state(this->child_sa); + this->child_sa->set_state(this->child_sa, CHILD_REKEYING); + if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL) - { - /* rekeying failed, reuse old child */ - this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); + { /* rekeying failed, reuse old child */ + this->child_sa->set_state(this->child_sa, state); return SUCCESS; } - this->child_sa->set_state(this->child_sa, CHILD_REKEYING); + this->child_sa->set_state(this->child_sa, CHILD_REKEYED); /* invoke rekey hook */ charon->bus->child_rekey(charon->bus, this->child_sa, @@ -284,9 +300,9 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) if (child_sa) { child_sa->set_close_action(child_sa, ACTION_NONE); - if (child_sa->get_state(child_sa) != CHILD_REKEYING) + if (child_sa->get_state(child_sa) != CHILD_REKEYED) { - child_sa->set_state(child_sa, CHILD_REKEYING); + child_sa->set_state(child_sa, CHILD_REKEYED); } } } @@ -324,7 +340,7 @@ METHOD(task_t, process_i, status_t, private_child_rekey_t *this, message_t *message) { protocol_id_t protocol; - u_int32_t spi; + uint32_t spi; child_sa_t *to_delete; if (message->get_notify(message, NO_ADDITIONAL_SAS)) 
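Review bot: In build_r the CHILD_SA is set to CHILD_REKEYING and then, with nothing in between but the payload lookup, either restored to `state` or set to CHILD_REKEYED, so the intermediate transition has no effect on the control flow in this hunk. If the intent is that set_state() notifies bus listeners and they should see both the REKEYING and the REKEYED transition, say so with a comment such as `/* pass through REKEYING so listeners see both transitions */`; otherwise the first set_state() call is dead and can go. build_r continues outside this hunk.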
@@ -337,6 +353,34 @@ METHOD(task_t, process_i, status_t, this->ike_sa->get_id(this->ike_sa), TRUE)); return SUCCESS; } + if (message->get_notify(message, CHILD_SA_NOT_FOUND)) + { + child_cfg_t *child_cfg; + uint32_t reqid; + + if (this->collision && + this->collision->get_type(this->collision) == TASK_CHILD_DELETE) + { /* ignore this error if we already deleted the CHILD_SA on the + * peer's behalf (could happen if the other peer does not detect + * the collision and did not respond with TEMPORARY_FAILURE) */ + return SUCCESS; + } + DBG1(DBG_IKE, "peer didn't find the CHILD_SA we tried to rekey"); + /* FIXME: according to RFC 7296 we should only create a new CHILD_SA if + * it does not exist yet, we currently have no good way of checking for + * that (we could go by name, but that might be tricky e.g. due to + * narrowing) */ + spi = this->child_sa->get_spi(this->child_sa, TRUE); + reqid = this->child_sa->get_reqid(this->child_sa); + protocol = this->child_sa->get_protocol(this->child_sa); + child_cfg = this->child_sa->get_config(this->child_sa); + child_cfg->get_ref(child_cfg); + charon->bus->child_updown(charon->bus, this->child_sa, FALSE); + this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi); + return this->ike_sa->initiate(this->ike_sa, + child_cfg->get_ref(child_cfg), reqid, + NULL, NULL); + } if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE) @@ -346,10 +390,10 @@ METHOD(task_t, process_i, status_t, } if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL) { - /* establishing new child failed, reuse old. but not when we - * received a delete in the meantime */ - if (!(this->collision && - this->collision->get_type(this->collision) == TASK_CHILD_DELETE)) + /* establishing new child failed, reuse old and try again. but not when + * we received a delete in the meantime */ + if (!this->collision || + this->collision->get_type(this->collision) != TASK_CHILD_DELETE) { schedule_delayed_rekey(this); } 
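Review bot: The CHILD_SA_NOT_FOUND branch in process_i leaks a child_cfg reference: `child_cfg->get_ref(child_cfg);` takes one reference so the config outlives destroy_child_sa(), and the initiate() call takes a second with `child_cfg->get_ref(child_cfg)`, but only that second one is handed off, so the first is never released. Pass the reference already held instead, `return this->ike_sa->initiate(this->ike_sa, child_cfg, reqid, NULL, NULL);`, and drop the inner get_ref(). The FIXME about re-creating a CHILD_SA that may already exist is a genuine gap that this error path can trigger on every CHILD_SA_NOT_FOUND, so a sentence on the expected worst case (a duplicate CHILD_SA) would help whoever picks it up. process_i continues outside this hunk.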
@@ -377,9 +421,9 @@ METHOD(task_t, process_i, status_t, return SUCCESS; } /* disable updown event for redundant CHILD_SA */ - if (to_delete->get_state(to_delete) != CHILD_REKEYING) + if (to_delete->get_state(to_delete) != CHILD_REKEYED) { - to_delete->set_state(to_delete, CHILD_REKEYING); + to_delete->set_state(to_delete, CHILD_REKEYED); } spi = to_delete->get_spi(to_delete, TRUE); protocol = to_delete->get_protocol(to_delete); @@ -398,6 +442,18 @@ METHOD(task_t, get_type, task_type_t, return TASK_CHILD_REKEY; } +METHOD(child_rekey_t, is_redundant, bool, + private_child_rekey_t *this, child_sa_t *child) +{ + if (this->collision && + this->collision->get_type(this->collision) == TASK_CHILD_REKEY) + { + private_child_rekey_t *rekey = (private_child_rekey_t*)this->collision; + return child == rekey->child_create->get_child(rekey->child_create); + } + return FALSE; +} + METHOD(child_rekey_t, collide, void, private_child_rekey_t *this, task_t *other) { @@ -406,9 +462,18 @@ METHOD(child_rekey_t, collide, void, if (other->get_type(other) == TASK_CHILD_REKEY) { private_child_rekey_t *rekey = (private_child_rekey_t*)other; + child_sa_t *other_child; + if (rekey->child_sa != this->child_sa) + { /* not the same child => no collision */ + other->destroy(other); + return; + } + /* ignore passive tasks that did not successfully create a CHILD_SA */ + other_child = rekey->child_create->get_child(rekey->child_create); + if (!other_child || + other_child->get_state(other_child) != CHILD_INSTALLED) { - /* not the same child => no collision */ other->destroy(other); return; } 
@@ -416,19 +481,11 @@ METHOD(child_rekey_t, collide, void, else if (other->get_type(other) == TASK_CHILD_DELETE) { child_delete_t *del = (child_delete_t*)other; - if (this->collision && - this->collision->get_type(this->collision) == TASK_CHILD_REKEY) + if (is_redundant(this, del->get_child(del))) { - private_child_rekey_t *rekey; - - rekey = (private_child_rekey_t*)this->collision; - if (del->get_child(del) == rekey->child_create->get_child(rekey->child_create)) - { - /* peer deletes redundant child created in collision */ - this->other_child_destroyed = TRUE; - other->destroy(other); - return; - } + this->other_child_destroyed = TRUE; + other->destroy(other); + return; } if (del->get_child(del) != this->child_sa) { @@ -439,7 +496,7 @@ METHOD(child_rekey_t, collide, void, } else { - /* any other task is not critical for collisisions, ignore */ + /* any other task is not critical for collisions, ignore */ other->destroy(other); return; } @@ -485,7 +542,7 @@ METHOD(task_t, destroy, void, * Described in header. */ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol, - u_int32_t spi) + uint32_t spi) { private_child_rekey_t *this; @@ -496,6 +553,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol, .migrate = _migrate, .destroy = _destroy, }, + .is_redundant = _is_redundant, .collide = _collide, }, .ike_sa = ike_sa, diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.h b/src/libcharon/sa/ikev2/tasks/child_rekey.h index 23384653d..0ad1a062d 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.h +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -39,13 +40,25 @@ struct child_rekey_t { task_t task; /** - * Register a rekeying task which collides with this one + * Check if the given SA is the redundant CHILD_SA created during a rekey + * collision. + * + * This is called if the other peer deletes the redundant SA before we were + * able to handle the CREATE_CHILD_SA response. + * + * @param child CHILD_SA to check + * @return TRUE if the SA is the redundant CHILD_SA + */ + bool (*is_redundant)(child_rekey_t *this, child_sa_t *child); + + /** + * Register a rekeying/delete task which collides with this one * * If two peers initiate rekeying at the same time, the collision must * be handled gracefully. The task manager is aware of what exchanges - * are going on and notifies the outgoing task by passing the incoming. + * are going on and notifies the active task by passing the passive. * - * @param other incoming task + * @param other passive task (adopted) */ void (*collide)(child_rekey_t* this, task_t *other); }; @@ -59,6 +72,6 @@ struct child_rekey_t { * @return child_rekey task to handle by the task_manager */ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol, - u_int32_t spi); + uint32_t spi); #endif /** CHILD_REKEY_H_ @}*/ diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 79a436fbf..036910d0e 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -186,7 +186,7 @@ static status_t collect_other_init_data(private_ike_auth_t *this, */ static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) { - u_int8_t *byte; + uint8_t *byte; int i; for (i = 0; i < countof(this->reserved); i++) @@ -564,6 +564,10 @@ METHOD(task_t, process_r, status_t, this->ike_sa->enable_extension(this->ike_sa, EXT_EAP_ONLY_AUTHENTICATION); } + if (message->get_notify(message, INITIAL_CONTACT)) + { + this->initial_contact = TRUE; + } } if (this->other_auth == NULL) 
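Review bot: The new INITIAL_CONTACT check in ike_auth's process_r no longer carries the explicit `message->get_message_id(message) == 1` condition of the code it replaces in the next hunk, so whether the notify is still only honored in the first IKE_AUTH message depends on the enclosing block, which opens outside this hunk next to the EAP_ONLY_AUTHENTICATION check and presumably is that message-ID test. Since the flag now merely records the notify and the deletion of other IKE_SAs happens later, a comment at the assignment, e.g. `/* only recorded here; acted upon after authentication in build_r */`, would make the deferral explicit. process_r starts and ends outside this hunk.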
@@ -652,14 +656,6 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } - /* If authenticated (with non-EAP) and received INITIAL_CONTACT, - * delete any existing IKE_SAs with that peer. */ - if (message->get_message_id(message) == 1 && - message->get_notify(message, INITIAL_CONTACT)) - { - this->initial_contact = TRUE; - } - /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) { @@ -749,13 +745,6 @@ METHOD(task_t, build_r, status_t, get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); - if (this->initial_contact) - { - charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, - this->ike_sa, TRUE); - this->initial_contact = FALSE; - } - if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP) { /* EAP-only authentication */ if (!this->ike_sa->supports_extension(this->ike_sa, @@ -830,7 +819,7 @@ METHOD(task_t, build_r, status_t, } if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, - this->ike_sa, FALSE)) + this->ike_sa, this->initial_contact)) { DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy"); charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP); diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c index a7d162e68..47b0a3ed1 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c @@ -45,14 +45,14 @@ struct private_ike_auth_lifetime_t { static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *message) { chunk_t chunk; - u_int32_t lifetime; + uint32_t lifetime; lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH); if (lifetime) { lifetime -= time_monotonic(NULL); chunk = chunk_from_thing(lifetime); - *(u_int32_t*)chunk.ptr = htonl(lifetime); + *(uint32_t*)chunk.ptr = htonl(lifetime); message->add_notify(message, FALSE, AUTH_LIFETIME, chunk); } } 
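Review bot: check_uniqueness() now receives `this->initial_contact` at the end of build_r, so an INITIAL_CONTACT notify only tears down existing IKE_SAs once the peer has finished authenticating, whereas the removed block consumed it right after the ID payload and reset the flag. That ordering is the security property here, an unauthenticated INITIAL_CONTACT must never be able to delete an established peer's SAs, so it deserves a comment at the call, e.g. `/* INITIAL_CONTACT is acted upon only here, after the peer is fully authenticated */`. The flag is also no longer reset to FALSE after use; that is harmless if the task goes away when IKE_AUTH completes, but worth confirming since build_r presumably runs once per authentication round. build_r starts and ends outside this hunk.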
@@ -64,13 +64,13 @@ static void process_payloads(private_ike_auth_lifetime_t *this, message_t *messa { notify_payload_t *notify; chunk_t data; - u_int32_t lifetime; + uint32_t lifetime; notify = message->get_notify(message, AUTH_LIFETIME); if (notify) { data = notify->get_notification_data(notify); - lifetime = ntohl(*(u_int32_t*)data.ptr); + lifetime = ntohl(*(uint32_t*)data.ptr); this->ike_sa->set_auth_lifetime(this->ike_sa, lifetime); } } diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c index e972dba07..fd36b144a 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_delete.c +++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2006-2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -17,7 +18,7 @@ #include <daemon.h> #include <encoding/payloads/delete_payload.h> - +#include <sa/ikev2/tasks/ike_rekey.h> typedef struct private_ike_delete_t private_ike_delete_t; @@ -45,11 +46,6 @@ struct private_ike_delete_t { * are we deleting a rekeyed SA? */ bool rekeyed; - - /** - * are we responding to a delete, but have initated our own? - */ - bool simultaneous; }; METHOD(task_t, build_i, status_t, @@ -68,7 +64,8 @@ METHOD(task_t, build_i, status_t, delete_payload = delete_payload_create(PLV2_DELETE, PROTO_IKE); message->add_payload(message, (payload_t*)delete_payload); - if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING) + if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING || + this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED) { this->rekeyed = TRUE; } 
@@ -93,6 +90,33 @@ METHOD(task_t, process_i, status_t, return DESTROY_ME; } +/** + * Check if this delete happened after a rekey collsion + */ +static bool after_rekey_collision(private_ike_delete_t *this) +{ + enumerator_t *tasks; + task_t *task; + + tasks = this->ike_sa->create_task_enumerator(this->ike_sa, + TASK_QUEUE_ACTIVE); + while (tasks->enumerate(tasks, &task)) + { + if (task->get_type(task) == TASK_IKE_REKEY) + { + ike_rekey_t *rekey = (ike_rekey_t*)task; + + if (rekey->did_collide(rekey)) + { + tasks->destroy(tasks); + return TRUE; + } + } + } + tasks->destroy(tasks); + return FALSE; +} + METHOD(task_t, process_r, status_t, private_ike_delete_t *this, message_t *message) { @@ -119,16 +143,24 @@ METHOD(task_t, process_r, status_t, switch (this->ike_sa->get_state(this->ike_sa)) { + case IKE_REKEYING: + /* if the peer concurrently deleted the IKE_SA we treat this as + * regular delete. however, in case the peer did not detect a rekey + * collision it will delete the replaced IKE_SA if we are still in + * state IKE_REKEYING */ + if (after_rekey_collision(this)) + { + this->rekeyed = TRUE; + break; + } + /* fall-through */ case IKE_ESTABLISHED: this->ike_sa->set_state(this->ike_sa, IKE_DELETING); this->ike_sa->reestablish(this->ike_sa); return NEED_MORE; - case IKE_REKEYING: + case IKE_REKEYED: this->rekeyed = TRUE; break; - case IKE_DELETING: - this->simultaneous = TRUE; - break; default: break; } @@ -141,11 +173,6 @@ METHOD(task_t, build_r, status_t, { DBG0(DBG_IKE, "IKE_SA deleted"); - if (this->simultaneous) - { - /* wait for peer's response for our delete request */ - return SUCCESS; - } if (!this->rekeyed) { /* invoke ike_down() hook if SA has not been rekeyed */ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); @@ -164,7 +191,6 @@ METHOD(task_t, migrate, void, private_ike_delete_t *this, ike_sa_t *ike_sa) { this->ike_sa = ike_sa; - this->simultaneous = FALSE; } METHOD(task_t, destroy, void, 
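Review bot: The `case IKE_DELETING:` arm that set `simultaneous` is gone from process_r, so a peer's delete arriving while our own IKE_SA delete is outstanding now takes `default`, and build_r answers it like any other delete, including the ike_updown() hook the removed early return used to skip. If that collision is now resolved by the task manager before this task sees the request (not visible here), a comment in the switch saying so would keep the next reader from re-adding the arm; if not, the old no-double-signalling behaviour needs to come back. The `after_rekey_collsion` spelling in the new helper's comment should be `collision`. process_r continues outside this hunk.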
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 78579be95..801b6d8f3 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -221,7 +221,7 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this, notify_payload_t *notify) { bio_reader_t *reader; - u_int16_t algo; + uint16_t algo; bool added = FALSE; reader = bio_reader_create(notify->get_notification_data(notify)); @@ -373,13 +373,15 @@ static void process_payloads(private_ike_init_t *this, message_t *message) { sa_payload_t *sa_payload = (sa_payload_t*)payload; linked_list_t *proposal_list; - bool private; + bool private, prefer_configured; proposal_list = sa_payload->get_proposals(sa_payload); private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->config->select_proposal(this->config, - proposal_list, private); + proposal_list, private, prefer_configured); if (!this->proposal) { charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, @@ -633,7 +635,7 @@ METHOD(task_t, build_r, status_t, if (this->dh == NULL || !this->proposal->has_dh_group(this->proposal, this->dh_group)) { - u_int16_t group; + uint16_t group; if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &group, NULL)) @@ -765,7 +767,7 @@ METHOD(task_t, process_i, status_t, bad_group = this->dh_group; data = notify->get_notification_data(notify); - this->dh_group = ntohs(*((u_int16_t*)data.ptr)); + this->dh_group = ntohs(*((uint16_t*)data.ptr)); DBG1(DBG_IKE, "peer didn't accept DH group %N, " "it requested %N", diffie_hellman_group_names, bad_group, diffie_hellman_group_names, this->dh_group); diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c index 10d412ffd..f077ccfb5 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_me.c 
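Review bot: `prefer_configured_proposals` is a negotiation-policy knob with security consequences, and the hunk says nothing about what the FALSE setting does. Presumably the flag decides whether select_proposal() walks our configured list or the peer's list first; if so, FALSE lets the initiator's ordering pick the weakest proposal both sides accept, which deserves a comment at the settings lookup, e.g. `/* TRUE: our configured order wins; FALSE: the peer's order decides, so a peer can steer us to its preferred (possibly weaker) proposal */`. process_payloads continues outside this hunk.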
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c @@ -128,7 +128,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message) { enumerator_t *enumerator; host_t *addr, *host; - u_int16_t port; + uint16_t port; /* get the port that is used to communicate with the ms */ host = this->ike_sa->get_my_host(this->ike_sa); diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index 3f7bb175f..dc0f24fb8 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -299,7 +299,7 @@ static void update_children(private_ike_mobike_t *this) /** * Apply the port of the old host, if its ip equals the new, use port otherwise. */ -static void apply_port(host_t *host, host_t *old, u_int16_t port, bool local) +static void apply_port(host_t *host, host_t *old, uint16_t port, bool local) { if (host->ip_equals(host, old)) { diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c index 4bf5264dd..f3f32d7af 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_natd.c +++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c @@ -99,8 +99,8 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this, { chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk; chunk_t natd_hash; - u_int64_t spi_i, spi_r; - u_int16_t port; + uint64_t spi_i, spi_r; + uint16_t port; /* prepare all required chunks */ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); @@ -142,7 +142,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this, config = this->ike_sa->get_ike_cfg(this->ike_sa); if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP) { - u_int32_t addr; + uint32_t addr; /* chunk_hash() is randomly keyed so this produces a random IPv4 address * that changes with every restart but otherwise stays the same */ diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index eaba04e3a..2f0552a33 100644 
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -1,7 +1,8 @@ /* + * Copyright (C) 2015-2016 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -66,9 +67,30 @@ struct private_ike_rekey_t { * colliding task detected by the task manager */ task_t *collision; + + /** + * TRUE if rekeying can't be handled temporarily + */ + bool failed_temporarily; }; /** + * Schedule a retry if rekeying temporary failed + */ +static void schedule_delayed_rekey(private_ike_rekey_t *this) +{ + uint32_t retry; + job_t *job; + + retry = RETRY_INTERVAL - (random() % RETRY_JITTER); + job = (job_t*)rekey_ike_sa_job_create( + this->ike_sa->get_id(this->ike_sa), FALSE); + DBG1(DBG_IKE, "IKE_SA rekeying failed, trying again in %d seconds", retry); + this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); + lib->scheduler->schedule_job(lib->scheduler, job, retry); +} + +/** * Check if an IKE_SA has any queued tasks, return initiation job */ static job_t* check_queued_tasks(ike_sa_t *ike_sa) @@ -83,7 +105,6 @@ static job_t* check_queued_tasks(ike_sa_t *ike_sa) job = (job_t*)initiate_tasks_job_create(ike_sa->get_id(ike_sa)); } enumerator->destroy(enumerator); - return job; } 
@@ -117,20 +138,9 @@ static void establish_new(private_ike_rekey_t *this) } this->new_sa = NULL; charon->bus->set_sa(charon->bus, this->ike_sa); - } -} -METHOD(task_t, process_r_delete, status_t, - private_ike_rekey_t *this, message_t *message) -{ - establish_new(this); - return this->ike_delete->task.process(&this->ike_delete->task, message); -} - -METHOD(task_t, build_r_delete, status_t, - private_ike_rekey_t *this, message_t *message) -{ - return this->ike_delete->task.build(&this->ike_delete->task, message); + this->ike_sa->set_state(this->ike_sa, IKE_REKEYED); + } } METHOD(task_t, build_i_delete, status_t, 
@@ -172,36 +182,59 @@ METHOD(task_t, build_i, status_t, return NEED_MORE; } -METHOD(task_t, process_r, status_t, - private_ike_rekey_t *this, message_t *message) +/** + * Check if there are any half-open children + */ +static bool have_half_open_children(private_ike_rekey_t *this) { enumerator_t *enumerator; child_sa_t *child_sa; - - if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) - { - DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting"); - return NEED_MORE; - } + task_t *task; enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { switch (child_sa->get_state(child_sa)) { - case CHILD_CREATED: case CHILD_REKEYING: case CHILD_RETRYING: case CHILD_DELETING: - /* we do not allow rekeying while we have children in-progress */ - DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open"); enumerator->destroy(enumerator); - return NEED_MORE; + return TRUE; default: break; } } enumerator->destroy(enumerator); + enumerator = this->ike_sa->create_task_enumerator(this->ike_sa, + TASK_QUEUE_ACTIVE); + while (enumerator->enumerate(enumerator, (void**)&task)) + { + if (task->get_type(task) == TASK_CHILD_CREATE) + { + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + return FALSE; +} + +METHOD(task_t, process_r, status_t, + private_ike_rekey_t *this, message_t *message) +{ + if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) + { + DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting"); + this->failed_temporarily = TRUE; + return NEED_MORE; + } + if (have_half_open_children(this)) + { + DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open"); + this->failed_temporarily = TRUE; + return NEED_MORE; + } this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, this->ike_sa->get_version(this->ike_sa), FALSE); 
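Review bot: have_half_open_children() drops CHILD_CREATED from the states that block an IKE_SA rekey and relies instead on finding an active TASK_CHILD_CREATE. A CHILD_SA that sits in CHILD_CREATED without an active task (for instance one created by a passive CREATE_CHILD_SA that has not been installed yet, if the task manager's windowing allows that) would no longer be detected, so either a comment on why the state check became redundant or keeping `case CHILD_CREATED:` in the switch as a belt-and-braces check would be prudent. process_r's body continues outside this hunk.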
@@ -219,33 +252,57 @@ METHOD(task_t, process_r, status_t, METHOD(task_t, build_r, status_t, private_ike_rekey_t *this, message_t *message) { + if (this->failed_temporarily) + { + message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty); + return SUCCESS; + } if (this->new_sa == NULL) { /* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); return SUCCESS; } - if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED) { + this->ike_init->task.destroy(&this->ike_init->task); + this->ike_init = NULL; charon->bus->set_sa(charon->bus, this->ike_sa); return SUCCESS; } charon->bus->set_sa(charon->bus, this->ike_sa); - this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); - /* rekeying successful, delete the IKE_SA using a subtask */ - this->ike_delete = ike_delete_create(this->ike_sa, FALSE); - this->public.task.build = _build_r_delete; - this->public.task.process = _process_r_delete; - - /* the peer does have to delete the IKE_SA. If it does not, we get a - * unusable IKE_SA in REKEYING state without a replacement. We consider - * this a timeout condition by the peer, and trigger a delete actively. */ - lib->scheduler->schedule_job(lib->scheduler, (job_t*) - delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 90); + if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING) + { /* in case of a collision we let the initiating task handle this */ + establish_new(this); + /* make sure the IKE_SA is gone in case the peer fails to delete it */ + lib->scheduler->schedule_job(lib->scheduler, (job_t*) + delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), + 90); + } + return SUCCESS; +} - return NEED_MORE; +/** + * Conclude any undetected rekey collision. + * + * If the peer does not detect the collision it will delete this IKE_SA. 
+ * Depending on when our request reaches the peer and we receive the delete + * this may get called at different times. + * + * Returns TRUE if there was a collision, FALSE otherwise. + */ +static bool conclude_undetected_collision(private_ike_rekey_t *this) +{ + if (this->collision && + this->collision->get_type(this->collision) == TASK_IKE_REKEY) + { + DBG1(DBG_IKE, "peer did not notice IKE_SA rekey collision, abort " + "active rekeying"); + establish_new((private_ike_rekey_t*)this->collision); + return TRUE; + } + return FALSE; } METHOD(task_t, process_i, status_t, @@ -266,18 +323,9 @@ METHOD(task_t, process_i, status_t, { case FAILED: /* rekeying failed, fallback to old SA */ - if (!(this->collision && ( - this->collision->get_type(this->collision) == TASK_IKE_DELETE || - this->collision->get_type(this->collision) == TASK_IKE_REAUTH))) + if (!conclude_undetected_collision(this)) { - job_t *job; - u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER); - job = (job_t*)rekey_ike_sa_job_create( - this->ike_sa->get_id(this->ike_sa), FALSE); - DBG1(DBG_IKE, "IKE_SA rekeying failed, " - "trying again in %d seconds", retry); - this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - lib->scheduler->schedule_job(lib->scheduler, job, retry); + schedule_delayed_rekey(this); } return SUCCESS; case NEED_MORE: 
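Review bot: build_r now destroys the IKE_INIT subtask and leaves `this->ike_init = NULL` when its build() fails, yet process_i in a later hunk of this file reads `other->ike_init->get_lower_nonce(other->ike_init)` on the colliding passive task with the old `if (other->ike_init)` guard removed. That is safe only if collide() (not in view) discards passive tasks whose ike_init is NULL before storing them in `this->collision`; if it keys on new_sa instead, this path leaves new_sa set and the next collision dereferences NULL. Either keep the guard in process_i or make collide() check `rekey->ike_init`. The 90-second delete_ike_sa_job timeout is also a bare literal; a named constant next to HALF_OPEN_IKE_SA_TIMEOUT would document its intent.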
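Review bot: The FAILED arm of process_i used to skip the retry when the recorded collision was an IKE_DELETE or IKE_REAUTH; it now retries unless conclude_undetected_collision() reports a rekey collision. If collide() can still store a TASK_IKE_DELETE or TASK_IKE_REAUTH in `this->collision` (not visible here), schedule_delayed_rekey() will push an IKE_SA that is being torn down back to IKE_ESTABLISHED and queue a rekey on it; if those task types are now consumed inside collide() itself, a comment here saying so would stop the guard from being reintroduced. process_i continues outside this hunk.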
@@ -293,55 +341,53 @@ METHOD(task_t, process_i, status_t, this->collision->get_type(this->collision) == TASK_IKE_REKEY) { private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision; + host_t *host; + chunk_t this_nonce, other_nonce; - /* ike_init can be NULL, if child_sa is half-open */ - if (other->ike_init) - { - host_t *host; - chunk_t this_nonce, other_nonce; - - this_nonce = this->ike_init->get_lower_nonce(this->ike_init); - other_nonce = other->ike_init->get_lower_nonce(other->ike_init); + this_nonce = this->ike_init->get_lower_nonce(this->ike_init); + other_nonce = other->ike_init->get_lower_nonce(other->ike_init); - /* if we have the lower nonce, delete rekeyed SA. If not, delete - * the redundant. */ - if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) > 0) + /* if we have the lower nonce, delete rekeyed SA. If not, delete + * the redundant. */ + if (memcmp(this_nonce.ptr, other_nonce.ptr, + min(this_nonce.len, other_nonce.len)) < 0) + { + DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant " + "IKE_SA %s[%d]", this->new_sa->get_name(this->new_sa), + this->new_sa->get_unique_id(this->new_sa)); + /* apply host for a proper delete */ + host = this->ike_sa->get_my_host(this->ike_sa); + this->new_sa->set_my_host(this->new_sa, host->clone(host)); + host = this->ike_sa->get_other_host(this->ike_sa); + this->new_sa->set_other_host(this->new_sa, host->clone(host)); + /* IKE_SAs in state IKE_REKEYED are silently deleted, so we use + * IKE_REKEYING */ + this->new_sa->set_state(this->new_sa, IKE_REKEYING); + if (this->new_sa->delete(this->new_sa) == DESTROY_ME) { - /* peer should delete this SA. Add a timeout just in case. 
*/ - job_t *job = (job_t*)delete_ike_sa_job_create( - other->new_sa->get_id(other->new_sa), TRUE); - lib->scheduler->schedule_job(lib->scheduler, job, 10); - DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete"); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); - other->new_sa = NULL; + this->new_sa->destroy(this->new_sa); } else { - DBG1(DBG_IKE, "IKE_SA rekey collision lost, " - "deleting redundant IKE_SA"); - /* apply host for a proper delete */ - host = this->ike_sa->get_my_host(this->ike_sa); - this->new_sa->set_my_host(this->new_sa, host->clone(host)); - host = this->ike_sa->get_other_host(this->ike_sa); - this->new_sa->set_other_host(this->new_sa, host->clone(host)); - this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - this->new_sa->set_state(this->new_sa, IKE_REKEYING); - if (this->new_sa->delete(this->new_sa) == DESTROY_ME) - { - this->new_sa->destroy(this->new_sa); - } - else - { - charon->ike_sa_manager->checkin( - charon->ike_sa_manager, this->new_sa); - } - charon->bus->set_sa(charon->bus, this->ike_sa); - this->new_sa = NULL; - establish_new(other); - return SUCCESS; + charon->ike_sa_manager->checkin(charon->ike_sa_manager, + this->new_sa); } + charon->bus->set_sa(charon->bus, this->ike_sa); + this->new_sa = NULL; + establish_new(other); + return SUCCESS; } + /* peer should delete this SA. Add a timeout just in case. */ + job_t *job = (job_t*)delete_ike_sa_job_create( + other->new_sa->get_id(other->new_sa), TRUE); + lib->scheduler->schedule_job(lib->scheduler, job, + HALF_OPEN_IKE_SA_TIMEOUT); + DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete for " + "redundant IKE_SA %s[%d]", other->new_sa->get_name(other->new_sa), + other->new_sa->get_unique_id(other->new_sa)); + other->new_sa->set_state(other->new_sa, IKE_REKEYED); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); + other->new_sa = NULL; charon->bus->set_sa(charon->bus, this->ike_sa); } 
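Review bot: The nonce comparison decides only on the common prefix, so a memcmp() result of 0 (one nonce a prefix of the other, or equal nonces) is treated as a win by both peers and each then waits for the other's delete until the HALF_OPEN_IKE_SA_TIMEOUT job fires; a length tie-break keeps the outcome symmetric, e.g. `int cmp = memcmp(this_nonce.ptr, other_nonce.ptr, min(this_nonce.len, other_nonce.len));` followed by `if (cmp < 0 || (cmp == 0 && this_nonce.len < other_nonce.len))`. This is unlikely with random nonces but costs one line. The lost branch also no longer sets this->ike_sa back to IKE_ESTABLISHED before establish_new(other); if establish_new() now takes care of the old SA's state, a comment on that call saying so would help the next reader. process_i starts and ends outside the hunk.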
@@ -361,11 +407,41 @@ METHOD(task_t, get_type, task_type_t, return TASK_IKE_REKEY; } +METHOD(ike_rekey_t, did_collide, bool, + private_ike_rekey_t *this) +{ + return this->collision && + this->collision->get_type(this->collision) == TASK_IKE_REKEY; +} + METHOD(ike_rekey_t, collide, void, private_ike_rekey_t* this, task_t *other) { DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, TASK_IKE_REKEY, task_type_names, other->get_type(other)); + + switch (other->get_type(other)) + { + case TASK_IKE_DELETE: + conclude_undetected_collision(this); + other->destroy(other); + return; + case TASK_IKE_REKEY: + { + private_ike_rekey_t *rekey = (private_ike_rekey_t*)other; + + if (!rekey->ike_init) + { + DBG1(DBG_IKE, "colliding exchange did not result in an IKE_SA, " + "ignore"); + other->destroy(other); + return; + } + break; + } + default: + break; + } DESTROY_IF(this->collision); this->collision = other; } @@ -425,6 +501,7 @@ ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator) .migrate = _migrate, .destroy = _destroy, }, + .did_collide = _did_collide, .collide = _collide, }, .ike_sa = ike_sa, diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.h b/src/libcharon/sa/ikev2/tasks/ike_rekey.h index 6a12e9034..86b512c92 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.h +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
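Review bot: For a TASK_IKE_DELETE collision, collide() calls conclude_undetected_collision(this) but leaves this->collision in place, so a later FAILED result in process_i calls it again and establish_new() runs a second time on the same colliding task; whether that second path is still reachable once the peer's delete has been processed is not visible here. Either clearing the collision once it is concluded (`DESTROY_IF(this->collision); this->collision = NULL;` before `other->destroy(other);`) or a comment on the TASK_IKE_DELETE case explaining why a repeated call is harmless would settle it, keeping in mind that did_collide() reads this->collision and its callers may rely on it afterwards. did_collide() also restates the condition used inside conclude_undetected_collision(); having one express the other would keep them from drifting apart.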
@@ -38,6 +39,13 @@ struct ike_rekey_t { task_t task; /** + * Check if there was a rekey collision. + * + * @return TRUE if there was a rekey collision before + */ + bool (*did_collide)(ike_rekey_t *this); + + /** * Register a rekeying task which collides with this one. * * If two peers initiate rekeying at the same time, the collision must diff --git a/src/libcharon/sa/redirect_manager.c b/src/libcharon/sa/redirect_manager.c index ff92ac29f..45b7e79df 100644 --- a/src/libcharon/sa/redirect_manager.c +++ b/src/libcharon/sa/redirect_manager.c @@ -248,7 +248,7 @@ identification_t *redirect_data_parse(chunk_t data, chunk_t *nonce) bio_reader_t *reader; id_type_t id_type; chunk_t gateway; - u_int8_t type; + uint8_t type; reader = bio_reader_create(data); if (!reader->read_uint8(reader, &type) || diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index 0e9cf6e1f..40e291be5 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2011 Andreas Steffen + * Copyright (C) 2015-2016 Tobias Brunner + * Copyright (C) 2011-2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -68,6 +68,8 @@ static bool install_shunt_policy(child_cfg_t *child) policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; + uint32_t manual_prio; + char *interface; ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) @@ -92,6 +94,9 @@ static bool install_shunt_policy(child_cfg_t *child) other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); hosts->destroy(hosts); + manual_prio = child->get_manual_prio(child); + interface = child->get_interface(child); + /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); while (e_my_ts->enumerate(e_my_ts, &my_ts)) 
@@ -110,25 +115,37 @@ static bool install_shunt_policy(child_cfg_t *child) continue; } /* install out policy */ - status |= charon->kernel->add_policy(charon->kernel, - host_any, host_any, - my_ts, other_ts, POLICY_OUT, policy_type, - &sa, child->get_mark(child, FALSE), - policy_prio); - + kernel_ipsec_policy_id_t id = { + .dir = POLICY_OUT, + .src_ts = my_ts, + .dst_ts = other_ts, + .mark = child->get_mark(child, FALSE), + .interface = interface, + }; + kernel_ipsec_manage_policy_t policy = { + .type = policy_type, + .prio = policy_prio, + .manual_prio = manual_prio, + .src = host_any, + .dst = host_any, + .sa = &sa, + }; + status |= charon->kernel->add_policy(charon->kernel, &id, &policy); + /* install "outbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->add_policy(charon->kernel, &id, &policy); /* install in policy */ - status |= charon->kernel->add_policy(charon->kernel, - host_any, host_any, - other_ts, my_ts, POLICY_IN, policy_type, - &sa, child->get_mark(child, TRUE), - policy_prio); - - /* install forward policy */ - status |= charon->kernel->add_policy(charon->kernel, - host_any, host_any, - other_ts, my_ts, POLICY_FWD, policy_type, - &sa, child->get_mark(child, TRUE), - policy_prio); + id = (kernel_ipsec_policy_id_t){ + .dir = POLICY_IN, + .src_ts = other_ts, + .dst_ts = my_ts, + .mark = child->get_mark(child, TRUE), + .interface = interface, + }; + status |= charon->kernel->add_policy(charon->kernel, &id, &policy); + /* install "inbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->add_policy(charon->kernel, &id, &policy); } e_other_ts->destroy(e_other_ts); } @@ -205,6 +222,8 @@ static void uninstall_shunt_policy(child_cfg_t *child) policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; + uint32_t manual_prio; + char *interface; ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) 
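Review bot: The policy body is now repeated almost verbatim in install_shunt_policy here and in uninstall_shunt_policy in the hunk at -247,25, differing only in add_policy versus del_policy; a static helper that builds the four direction/mark combinations once and takes an install flag would keep them from diverging, as sketched below, with `policy` built once per function by the caller. The new code also installs a second POLICY_FWD policy with the outbound selectors and outbound mark, which the previous single forward policy did not cover, and the comments `install "outbound" forward policy` do not say why both orientations are now needed; one sentence on that would help. Both enclosing functions start and end outside their hunks, and the accumulated `status` is handled outside as well.
```c
/* add (install == TRUE) or delete the out/fwd/in/fwd policies of one TS pair */
static status_t manage_policy(bool install, kernel_ipsec_policy_id_t *id,
							  kernel_ipsec_manage_policy_t *policy)
{
	if (install)
	{
		return charon->kernel->add_policy(charon->kernel, id, policy);
	}
	return charon->kernel->del_policy(charon->kernel, id, policy);
}

static status_t manage_shunt_policies(bool install, child_cfg_t *child,
	traffic_selector_t *my_ts, traffic_selector_t *other_ts,
	kernel_ipsec_manage_policy_t *policy, char *interface)
{
	status_t status = SUCCESS;
	kernel_ipsec_policy_id_t id = {
		.dir = POLICY_OUT,
		.src_ts = my_ts,
		.dst_ts = other_ts,
		.mark = child->get_mark(child, FALSE),
		.interface = interface,
	};

	status |= manage_policy(install, &id, policy);
	/* "outbound" forward policy */
	id.dir = POLICY_FWD;
	status |= manage_policy(install, &id, policy);
	id = (kernel_ipsec_policy_id_t){
		.dir = POLICY_IN,
		.src_ts = other_ts,
		.dst_ts = my_ts,
		.mark = child->get_mark(child, TRUE),
		.interface = interface,
	};
	status |= manage_policy(install, &id, policy);
	/* "inbound" forward policy */
	id.dir = POLICY_FWD;
	status |= manage_policy(install, &id, policy);
	return status;
}

/* … unchanged: traffic selector enumeration in install_shunt_policy … */
			status |= manage_shunt_policies(TRUE, child, my_ts, other_ts,
											&policy, interface);
```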
@@ -229,6 +248,9 @@ static void uninstall_shunt_policy(child_cfg_t *child) other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); hosts->destroy(hosts); + manual_prio = child->get_manual_prio(child); + interface = child->get_interface(child); + /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); while (e_my_ts->enumerate(e_my_ts, &my_ts)) 
@@ -247,25 +269,37 @@ static void uninstall_shunt_policy(child_cfg_t *child) continue; } /* uninstall out policy */ - status |= charon->kernel->del_policy(charon->kernel, - host_any, host_any, - my_ts, other_ts, POLICY_OUT, policy_type, - &sa, child->get_mark(child, FALSE), - policy_prio); - + kernel_ipsec_policy_id_t id = { + .dir = POLICY_OUT, + .src_ts = my_ts, + .dst_ts = other_ts, + .mark = child->get_mark(child, FALSE), + .interface = interface, + }; + kernel_ipsec_manage_policy_t policy = { + .type = policy_type, + .prio = policy_prio, + .manual_prio = manual_prio, + .src = host_any, + .dst = host_any, + .sa = &sa, + }; + status |= charon->kernel->del_policy(charon->kernel, &id, &policy); + /* uninstall "outbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->del_policy(charon->kernel, &id, &policy); /* uninstall in policy */ - status |= charon->kernel->del_policy(charon->kernel, - host_any, host_any, - other_ts, my_ts, POLICY_IN, policy_type, - &sa, child->get_mark(child, TRUE), - policy_prio); - - /* uninstall forward policy */ - status |= charon->kernel->del_policy(charon->kernel, - host_any, host_any, - other_ts, my_ts, POLICY_FWD, policy_type, - &sa, child->get_mark(child, TRUE), - policy_prio); + id = (kernel_ipsec_policy_id_t){ + .dir = POLICY_IN, + .src_ts = other_ts, + .dst_ts = my_ts, + .mark = child->get_mark(child, TRUE), + .interface = interface, + }; + status |= charon->kernel->del_policy(charon->kernel, &id, &policy); + /* uninstall "inbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->del_policy(charon->kernel, &id, &policy); } e_other_ts->destroy(e_other_ts); } diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index e7a6bf463..86077d373 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h 
@@ -1,6 +1,7 @@ /* + * Copyright (C) 2013-2016 Tobias Brunner * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -122,7 +123,17 @@ struct task_manager_t { * * @param task task to queue */ - void (*queue_task) (task_manager_t *this, task_t *task); + void (*queue_task)(task_manager_t *this, task_t *task); + + /** + * Queue a task in the manager, but delay its initiation for at least the + * given number of seconds. + * + * @param task task to queue + * @param delay minimum delay in s before initiating the task + */ + void (*queue_task_delayed)(task_manager_t *this, task_t *task, + uint32_t delay); /** * Queue IKE_SA establishing tasks. @@ -160,7 +171,7 @@ struct task_manager_t { * @param tsi initiator traffic selector, if packet-triggered * @param tsr responder traffic selector, if packet-triggered */ - void (*queue_child)(task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid, + void (*queue_child)(task_manager_t *this, child_cfg_t *cfg, uint32_t reqid, traffic_selector_t *tsi, traffic_selector_t *tsr); /** @@ -170,7 +181,7 @@ struct task_manager_t { * @param spi CHILD_SA SPI to rekey */ void (*queue_child_rekey)(task_manager_t *this, protocol_id_t protocol, - u_int32_t spi); + uint32_t spi); /** * Queue CHILD_SA delete tasks. @@ -180,7 +191,7 @@ struct task_manager_t { * @param expired TRUE if SA already expired */ void (*queue_child_delete)(task_manager_t *this, protocol_id_t protocol, - u_int32_t spi, bool expired); + uint32_t spi, bool expired); /** * Queue liveness checking tasks. 
@@ -199,7 +210,7 @@ struct task_manager_t { * - INVALID_STATE if retransmission not required * - SUCCESS if retransmission sent */ - status_t (*retransmit) (task_manager_t *this, u_int32_t message_id); + status_t (*retransmit) (task_manager_t *this, uint32_t message_id); /** * Migrate all queued tasks from other to this. @@ -242,7 +253,7 @@ struct task_manager_t { * @param initiate message ID / DPD seq to initiate exchanges (send) * @param respond message ID / DPD seq to respond to exchanges (expect) */ - void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond); + void (*reset) (task_manager_t *this, uint32_t initiate, uint32_t respond); /** * Check if we are currently waiting for a reply. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 85e220775..40a0682f2 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -115,7 +115,7 @@ typedef struct { /** pending IKE_SA connecting upon acquire */ ike_sa_t *ike_sa; /** reqid of pending trap policy */ - u_int32_t reqid; + uint32_t reqid; /** destination address (wildcard case) */ host_t *dst; } acquire_t; @@ -143,7 +143,7 @@ static void destroy_acquire(acquire_t *this) /** * match an acquire entry by reqid */ -static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid) +static bool acquire_by_reqid(acquire_t *this, uint32_t *reqid) { return this->reqid == *reqid; } @@ -156,9 +156,9 @@ static bool acquire_by_dst(acquire_t *this, host_t *dst) return this->dst && this->dst->ip_equals(this->dst, dst); } -METHOD(trap_manager_t, install, u_int32_t, +METHOD(trap_manager_t, install, uint32_t, private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child, - u_int32_t reqid) + uint32_t reqid) { entry_t *entry, *found = NULL; ike_cfg_t *ike_cfg; 
@@ -197,9 +197,7 @@ METHOD(trap_manager_t, install, u_int32_t, me = charon->kernel->get_source_addr(charon->kernel, other, NULL); if (!me) { - DBG1(DBG_CFG, "installing trap failed, local address unknown"); - other->destroy(other); - return 0; + me = host_create_any(other->get_family(other)); } me->set_port(me, ike_cfg->get_my_port(ike_cfg)); } @@ -307,7 +305,7 @@ METHOD(trap_manager_t, install, u_int32_t, } METHOD(trap_manager_t, uninstall, bool, - private_trap_manager_t *this, u_int32_t reqid) + private_trap_manager_t *this, uint32_t reqid) { enumerator_t *enumerator; entry_t *entry, *found = NULL; @@ -366,12 +364,12 @@ METHOD(trap_manager_t, create_enumerator, enumerator_t*, (void*)this->lock->unlock); } -METHOD(trap_manager_t, find_reqid, u_int32_t, +METHOD(trap_manager_t, find_reqid, uint32_t, private_trap_manager_t *this, child_cfg_t *child) { enumerator_t *enumerator; entry_t *entry; - u_int32_t reqid = 0; + uint32_t reqid = 0; this->lock->read_lock(this->lock); enumerator = this->traps->create_enumerator(this->traps); @@ -392,7 +390,7 @@ METHOD(trap_manager_t, find_reqid, u_int32_t, } METHOD(trap_manager_t, acquire, void, - private_trap_manager_t *this, u_int32_t reqid, + private_trap_manager_t *this, uint32_t reqid, traffic_selector_t *src, traffic_selector_t *dst) { enumerator_t *enumerator; @@ -430,7 +428,7 @@ METHOD(trap_manager_t, acquire, void, if (wildcard) { /* for wildcard acquires we check that we don't have a pending acquire * with the same peer */ - u_int8_t mask; + uint8_t mask; dst->to_subnet(dst, &host, &mask); if (this->acquires->find_first(this->acquires, (void*)acquire_by_dst, @@ -483,8 +481,8 @@ METHOD(trap_manager_t, acquire, void, if (ike_sa) { ike_cfg_t *ike_cfg; - u_int16_t port; - u_int8_t mask; + uint16_t port; + uint8_t mask; ike_sa->set_peer_cfg(ike_sa, peer); ike_cfg = ike_sa->get_ike_cfg(ike_sa); diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h index 0491107fd..083ea3dbf 100644 
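Review bot: The fallback `me = host_create_any(other->get_family(other));` turns what was a hard failure (no local address towards the peer) into a trap installed with a wildcard local address, and nothing in the hunk says when that is expected or who determines the real source address later; a comment on the assignment, e.g. `/* no route to the peer yet, install the trap with a wildcard source */`, would record the intent, and whether the address is re-resolved on acquire is my assumption and should be stated if so. The removed DBG1 was also the only log line for this situation, so a DBG2 noting the wildcard would help when diagnosing traps that never trigger. install() starts and ends outside the hunk.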
--- a/src/libcharon/sa/trap_manager.h +++ b/src/libcharon/sa/trap_manager.h @@ -40,8 +40,8 @@ struct trap_manager_t { * @param reqid optional reqid to use * @return reqid of installed CHILD_SA, 0 if failed */ - u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer, - child_cfg_t *child, u_int32_t reqid); + uint32_t (*install)(trap_manager_t *this, peer_cfg_t *peer, + child_cfg_t *child, uint32_t reqid); /** * Uninstall a trap policy. @@ -49,7 +49,7 @@ struct trap_manager_t { * @param id reqid of CHILD_SA to uninstall, returned by install() * @return TRUE if uninstalled successfully */ - bool (*uninstall)(trap_manager_t *this, u_int32_t reqid); + bool (*uninstall)(trap_manager_t *this, uint32_t reqid); /** * Create an enumerator over all installed traps. @@ -64,7 +64,7 @@ struct trap_manager_t { * @param child CHILD_SA config to get the reqid for * @return reqid of trap, 0 if not found */ - u_int32_t (*find_reqid)(trap_manager_t *this, child_cfg_t *child); + uint32_t (*find_reqid)(trap_manager_t *this, child_cfg_t *child); /** * Acquire an SA triggered by an installed trap. @@ -73,7 +73,7 @@ struct trap_manager_t { * @param src source of the triggering packet * @param dst destination of the triggering packet */ - void (*acquire)(trap_manager_t *this, u_int32_t reqid, + void (*acquire)(trap_manager_t *this, uint32_t reqid, traffic_selector_t *src, traffic_selector_t *dst); /** diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am index 0589269aa..b8670246b 100644 --- a/src/libcharon/tests/Makefile.am +++ b/src/libcharon/tests/Makefile.am @@ -1,8 +1,9 @@ -TESTS = libcharon_tests +TESTS = libcharon_tests exchange_tests check_PROGRAMS = $(TESTS) libcharon_tests_SOURCES = \ + suites/test_proposal.c \ suites/test_ike_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ 
@@ -21,3 +22,34 @@ libcharon_tests_LDADD = \ $(top_builddir)/src/libcharon/libcharon.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la + + +exchange_tests_SOURCES = \ + suites/test_child_create.c \ + suites/test_child_delete.c \ + suites/test_child_rekey.c \ + suites/test_ike_delete.c \ + suites/test_ike_rekey.c \ + utils/exchange_test_asserts.h utils/exchange_test_asserts.c \ + utils/exchange_test_helper.h utils/exchange_test_helper.c \ + utils/job_asserts.h \ + utils/mock_dh.h utils/mock_dh.c \ + utils/mock_ipsec.h utils/mock_ipsec.c \ + utils/mock_nonce_gen.h utils/mock_nonce_gen.c \ + utils/mock_sender.h utils/mock_sender.c \ + utils/sa_asserts.h \ + exchange_tests.h exchange_tests.c + +exchange_tests_CFLAGS = \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +exchange_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +exchange_tests_LDADD = \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 87dea161a..7a0d34292 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -77,11 +87,9 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = libcharon_tests$(EXEEXT) +TESTS = libcharon_tests$(EXEEXT) exchange_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libcharon/tests -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -95,13 +103,41 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__EXEEXT_1 = libcharon_tests$(EXEEXT) +am__EXEEXT_1 = libcharon_tests$(EXEEXT) exchange_tests$(EXEEXT) am__dirstamp = $(am__leading_dot)dirstamp +am_exchange_tests_OBJECTS = \ + suites/exchange_tests-test_child_create.$(OBJEXT) \ + suites/exchange_tests-test_child_delete.$(OBJEXT) \ + suites/exchange_tests-test_child_rekey.$(OBJEXT) \ + suites/exchange_tests-test_ike_delete.$(OBJEXT) \ + suites/exchange_tests-test_ike_rekey.$(OBJEXT) \ + utils/exchange_tests-exchange_test_asserts.$(OBJEXT) \ + utils/exchange_tests-exchange_test_helper.$(OBJEXT) \ + utils/exchange_tests-mock_dh.$(OBJEXT) \ + utils/exchange_tests-mock_ipsec.$(OBJEXT) \ + utils/exchange_tests-mock_nonce_gen.$(OBJEXT) \ + utils/exchange_tests-mock_sender.$(OBJEXT) \ + exchange_tests-exchange_tests.$(OBJEXT) +exchange_tests_OBJECTS = $(am_exchange_tests_OBJECTS) +exchange_tests_DEPENDENCIES = \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +exchange_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(exchange_tests_CFLAGS) $(CFLAGS) $(exchange_tests_LDFLAGS) \ + $(LDFLAGS) -o $@ am_libcharon_tests_OBJECTS = \ + suites/libcharon_tests-test_proposal.$(OBJEXT) \ suites/libcharon_tests-test_ike_cfg.$(OBJEXT) \ suites/libcharon_tests-test_mem_pool.$(OBJEXT) \ suites/libcharon_tests-test_message_chapoly.$(OBJEXT) \ 
@@ -111,10 +147,6 @@ libcharon_tests_DEPENDENCIES = \ $(top_builddir)/src/libcharon/libcharon.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = libcharon_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(libcharon_tests_CFLAGS) $(CFLAGS) $(libcharon_tests_LDFLAGS) \ @@ -153,8 +185,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libcharon_tests_SOURCES) -DIST_SOURCES = $(libcharon_tests_SOURCES) +SOURCES = $(exchange_tests_SOURCES) $(libcharon_tests_SOURCES) +DIST_SOURCES = $(exchange_tests_SOURCES) $(libcharon_tests_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -201,12 +233,14 @@ am__tty_colors = { \ std='[m'; \ fi; \ } +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -256,6 +290,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -290,6 +325,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ 
@@ -401,6 +437,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -430,6 +467,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ libcharon_tests_SOURCES = \ + suites/test_proposal.c \ suites/test_ike_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ @@ -449,6 +487,36 @@ libcharon_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la +exchange_tests_SOURCES = \ + suites/test_child_create.c \ + suites/test_child_delete.c \ + suites/test_child_rekey.c \ + suites/test_ike_delete.c \ + suites/test_ike_rekey.c \ + utils/exchange_test_asserts.h utils/exchange_test_asserts.c \ + utils/exchange_test_helper.h utils/exchange_test_helper.c \ + utils/job_asserts.h \ + utils/mock_dh.h utils/mock_dh.c \ + utils/mock_ipsec.h utils/mock_ipsec.c \ + utils/mock_nonce_gen.h utils/mock_nonce_gen.c \ + utils/mock_sender.h utils/mock_sender.c \ + utils/sa_asserts.h \ + exchange_tests.h exchange_tests.c + +exchange_tests_CFLAGS = \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +exchange_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +exchange_tests_LDADD = \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la + all: all-am .SUFFIXES: 
@@ -465,7 +533,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/tests/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/tests/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -498,6 +565,40 @@ suites/$(am__dirstamp): suites/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) suites/$(DEPDIR) @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/exchange_tests-test_child_create.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/exchange_tests-test_child_delete.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/exchange_tests-test_child_rekey.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/exchange_tests-test_ike_delete.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/exchange_tests-test_ike_rekey.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +utils/$(am__dirstamp): + @$(MKDIR_P) utils + @: > utils/$(am__dirstamp) +utils/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) utils/$(DEPDIR) + @: > utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-exchange_test_asserts.$(OBJEXT): \ + utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-exchange_test_helper.$(OBJEXT): \ + utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-mock_dh.$(OBJEXT): utils/$(am__dirstamp) \ + utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-mock_ipsec.$(OBJEXT): utils/$(am__dirstamp) \ + utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-mock_nonce_gen.$(OBJEXT): utils/$(am__dirstamp) \ + utils/$(DEPDIR)/$(am__dirstamp) +utils/exchange_tests-mock_sender.$(OBJEXT): utils/$(am__dirstamp) \ + utils/$(DEPDIR)/$(am__dirstamp) + +exchange_tests$(EXEEXT): $(exchange_tests_OBJECTS) $(exchange_tests_DEPENDENCIES) $(EXTRA_exchange_tests_DEPENDENCIES) + @rm -f exchange_tests$(EXEEXT) + $(AM_V_CCLD)$(exchange_tests_LINK) $(exchange_tests_OBJECTS) $(exchange_tests_LDADD) $(LIBS) +suites/libcharon_tests-test_proposal.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_ike_cfg.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) 
suites/libcharon_tests-test_mem_pool.$(OBJEXT): \ 
@@ -512,14 +613,28 @@ libcharon_tests$(EXEEXT): $(libcharon_tests_OBJECTS) $(libcharon_tests_DEPENDENC mostlyclean-compile: -rm -f *.$(OBJEXT) -rm -f suites/*.$(OBJEXT) + -rm -f utils/*.$(OBJEXT) distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exchange_tests-exchange_tests.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcharon_tests-libcharon_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/exchange_tests-test_child_create.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/exchange_tests-test_child_delete.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/exchange_tests-test_child_rekey.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/exchange_tests-test_ike_delete.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_proposal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_dh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_ipsec.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_sender.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 
's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ 
@@ -545,6 +660,188 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +suites/exchange_tests-test_child_create.o: suites/test_child_create.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_child_create.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_child_create.Tpo -c -o suites/exchange_tests-test_child_create.o `test -f 'suites/test_child_create.c' || echo '$(srcdir)/'`suites/test_child_create.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_child_create.Tpo suites/$(DEPDIR)/exchange_tests-test_child_create.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_child_create.c' object='suites/exchange_tests-test_child_create.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_child_create.o `test -f 'suites/test_child_create.c' || echo '$(srcdir)/'`suites/test_child_create.c + +suites/exchange_tests-test_child_create.obj: suites/test_child_create.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_child_create.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_child_create.Tpo -c -o suites/exchange_tests-test_child_create.obj `if test -f 'suites/test_child_create.c'; then $(CYGPATH_W) 'suites/test_child_create.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_child_create.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_child_create.Tpo 
suites/$(DEPDIR)/exchange_tests-test_child_create.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_child_create.c' object='suites/exchange_tests-test_child_create.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_child_create.obj `if test -f 'suites/test_child_create.c'; then $(CYGPATH_W) 'suites/test_child_create.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_child_create.c'; fi` + +suites/exchange_tests-test_child_delete.o: suites/test_child_delete.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_child_delete.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_child_delete.Tpo -c -o suites/exchange_tests-test_child_delete.o `test -f 'suites/test_child_delete.c' || echo '$(srcdir)/'`suites/test_child_delete.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_child_delete.Tpo suites/$(DEPDIR)/exchange_tests-test_child_delete.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_child_delete.c' object='suites/exchange_tests-test_child_delete.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_child_delete.o `test -f 'suites/test_child_delete.c' || echo '$(srcdir)/'`suites/test_child_delete.c + +suites/exchange_tests-test_child_delete.obj: suites/test_child_delete.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_child_delete.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_child_delete.Tpo -c -o suites/exchange_tests-test_child_delete.obj `if test -f 'suites/test_child_delete.c'; then $(CYGPATH_W) 'suites/test_child_delete.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_child_delete.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_child_delete.Tpo suites/$(DEPDIR)/exchange_tests-test_child_delete.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_child_delete.c' object='suites/exchange_tests-test_child_delete.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_child_delete.obj `if test -f 'suites/test_child_delete.c'; then $(CYGPATH_W) 'suites/test_child_delete.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_child_delete.c'; fi` + +suites/exchange_tests-test_child_rekey.o: suites/test_child_rekey.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_child_rekey.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_child_rekey.Tpo -c -o suites/exchange_tests-test_child_rekey.o `test -f 'suites/test_child_rekey.c' || echo '$(srcdir)/'`suites/test_child_rekey.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_child_rekey.Tpo suites/$(DEPDIR)/exchange_tests-test_child_rekey.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_child_rekey.c' object='suites/exchange_tests-test_child_rekey.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_child_rekey.o `test -f 'suites/test_child_rekey.c' || echo '$(srcdir)/'`suites/test_child_rekey.c + +suites/exchange_tests-test_child_rekey.obj: suites/test_child_rekey.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_child_rekey.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_child_rekey.Tpo -c -o suites/exchange_tests-test_child_rekey.obj `if test -f 'suites/test_child_rekey.c'; then $(CYGPATH_W) 'suites/test_child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_child_rekey.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_child_rekey.Tpo suites/$(DEPDIR)/exchange_tests-test_child_rekey.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_child_rekey.c' object='suites/exchange_tests-test_child_rekey.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_child_rekey.obj `if test -f 'suites/test_child_rekey.c'; then $(CYGPATH_W) 'suites/test_child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_child_rekey.c'; fi` + +suites/exchange_tests-test_ike_delete.o: suites/test_ike_delete.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_delete.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_delete.Tpo -c -o suites/exchange_tests-test_ike_delete.o `test -f 'suites/test_ike_delete.c' || echo '$(srcdir)/'`suites/test_ike_delete.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_delete.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_delete.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ike_delete.c' object='suites/exchange_tests-test_ike_delete.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_delete.o `test -f 'suites/test_ike_delete.c' || echo '$(srcdir)/'`suites/test_ike_delete.c + +suites/exchange_tests-test_ike_delete.obj: suites/test_ike_delete.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_delete.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_delete.Tpo -c -o suites/exchange_tests-test_ike_delete.obj `if test -f 'suites/test_ike_delete.c'; then $(CYGPATH_W) 'suites/test_ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_delete.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_delete.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_delete.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ike_delete.c' object='suites/exchange_tests-test_ike_delete.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_delete.obj `if test -f 'suites/test_ike_delete.c'; then $(CYGPATH_W) 'suites/test_ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_delete.c'; fi` + +suites/exchange_tests-test_ike_rekey.o: suites/test_ike_rekey.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_rekey.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo -c -o suites/exchange_tests-test_ike_rekey.o `test -f 'suites/test_ike_rekey.c' || echo '$(srcdir)/'`suites/test_ike_rekey.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ike_rekey.c' object='suites/exchange_tests-test_ike_rekey.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_rekey.o `test -f 'suites/test_ike_rekey.c' || echo '$(srcdir)/'`suites/test_ike_rekey.c + +suites/exchange_tests-test_ike_rekey.obj: suites/test_ike_rekey.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_rekey.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo -c -o suites/exchange_tests-test_ike_rekey.obj `if test -f 'suites/test_ike_rekey.c'; then $(CYGPATH_W) 'suites/test_ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_rekey.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ike_rekey.c' object='suites/exchange_tests-test_ike_rekey.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_rekey.obj `if test -f 'suites/test_ike_rekey.c'; then $(CYGPATH_W) 'suites/test_ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_rekey.c'; fi` + +utils/exchange_tests-exchange_test_asserts.o: utils/exchange_test_asserts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-exchange_test_asserts.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Tpo -c -o utils/exchange_tests-exchange_test_asserts.o `test -f 'utils/exchange_test_asserts.c' || echo '$(srcdir)/'`utils/exchange_test_asserts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Tpo utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/exchange_test_asserts.c' object='utils/exchange_tests-exchange_test_asserts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-exchange_test_asserts.o `test -f 'utils/exchange_test_asserts.c' || echo '$(srcdir)/'`utils/exchange_test_asserts.c + +utils/exchange_tests-exchange_test_asserts.obj: utils/exchange_test_asserts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-exchange_test_asserts.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Tpo -c -o utils/exchange_tests-exchange_test_asserts.obj `if test -f 'utils/exchange_test_asserts.c'; then $(CYGPATH_W) 'utils/exchange_test_asserts.c'; else $(CYGPATH_W) 
'$(srcdir)/utils/exchange_test_asserts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Tpo utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/exchange_test_asserts.c' object='utils/exchange_tests-exchange_test_asserts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-exchange_test_asserts.obj `if test -f 'utils/exchange_test_asserts.c'; then $(CYGPATH_W) 'utils/exchange_test_asserts.c'; else $(CYGPATH_W) '$(srcdir)/utils/exchange_test_asserts.c'; fi` + +utils/exchange_tests-exchange_test_helper.o: utils/exchange_test_helper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-exchange_test_helper.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Tpo -c -o utils/exchange_tests-exchange_test_helper.o `test -f 'utils/exchange_test_helper.c' || echo '$(srcdir)/'`utils/exchange_test_helper.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Tpo utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/exchange_test_helper.c' object='utils/exchange_tests-exchange_test_helper.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-exchange_test_helper.o `test -f 'utils/exchange_test_helper.c' || echo 
'$(srcdir)/'`utils/exchange_test_helper.c + +utils/exchange_tests-exchange_test_helper.obj: utils/exchange_test_helper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-exchange_test_helper.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Tpo -c -o utils/exchange_tests-exchange_test_helper.obj `if test -f 'utils/exchange_test_helper.c'; then $(CYGPATH_W) 'utils/exchange_test_helper.c'; else $(CYGPATH_W) '$(srcdir)/utils/exchange_test_helper.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Tpo utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/exchange_test_helper.c' object='utils/exchange_tests-exchange_test_helper.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-exchange_test_helper.obj `if test -f 'utils/exchange_test_helper.c'; then $(CYGPATH_W) 'utils/exchange_test_helper.c'; else $(CYGPATH_W) '$(srcdir)/utils/exchange_test_helper.c'; fi` + +utils/exchange_tests-mock_dh.o: utils/mock_dh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_dh.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_dh.Tpo -c -o utils/exchange_tests-mock_dh.o `test -f 'utils/mock_dh.c' || echo '$(srcdir)/'`utils/mock_dh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_dh.Tpo utils/$(DEPDIR)/exchange_tests-mock_dh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_dh.c' object='utils/exchange_tests-mock_dh.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_dh.o `test -f 'utils/mock_dh.c' || echo '$(srcdir)/'`utils/mock_dh.c + +utils/exchange_tests-mock_dh.obj: utils/mock_dh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_dh.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_dh.Tpo -c -o utils/exchange_tests-mock_dh.obj `if test -f 'utils/mock_dh.c'; then $(CYGPATH_W) 'utils/mock_dh.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_dh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_dh.Tpo utils/$(DEPDIR)/exchange_tests-mock_dh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_dh.c' object='utils/exchange_tests-mock_dh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_dh.obj `if test -f 'utils/mock_dh.c'; then $(CYGPATH_W) 'utils/mock_dh.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_dh.c'; fi` + +utils/exchange_tests-mock_ipsec.o: utils/mock_ipsec.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_ipsec.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_ipsec.Tpo -c -o utils/exchange_tests-mock_ipsec.o `test -f 'utils/mock_ipsec.c' || echo '$(srcdir)/'`utils/mock_ipsec.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_ipsec.Tpo 
utils/$(DEPDIR)/exchange_tests-mock_ipsec.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_ipsec.c' object='utils/exchange_tests-mock_ipsec.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_ipsec.o `test -f 'utils/mock_ipsec.c' || echo '$(srcdir)/'`utils/mock_ipsec.c + +utils/exchange_tests-mock_ipsec.obj: utils/mock_ipsec.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_ipsec.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_ipsec.Tpo -c -o utils/exchange_tests-mock_ipsec.obj `if test -f 'utils/mock_ipsec.c'; then $(CYGPATH_W) 'utils/mock_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_ipsec.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_ipsec.Tpo utils/$(DEPDIR)/exchange_tests-mock_ipsec.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_ipsec.c' object='utils/exchange_tests-mock_ipsec.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_ipsec.obj `if test -f 'utils/mock_ipsec.c'; then $(CYGPATH_W) 'utils/mock_ipsec.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_ipsec.c'; fi` + +utils/exchange_tests-mock_nonce_gen.o: utils/mock_nonce_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_nonce_gen.o -MD -MP -MF 
utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Tpo -c -o utils/exchange_tests-mock_nonce_gen.o `test -f 'utils/mock_nonce_gen.c' || echo '$(srcdir)/'`utils/mock_nonce_gen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Tpo utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_nonce_gen.c' object='utils/exchange_tests-mock_nonce_gen.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_nonce_gen.o `test -f 'utils/mock_nonce_gen.c' || echo '$(srcdir)/'`utils/mock_nonce_gen.c + +utils/exchange_tests-mock_nonce_gen.obj: utils/mock_nonce_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_nonce_gen.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Tpo -c -o utils/exchange_tests-mock_nonce_gen.obj `if test -f 'utils/mock_nonce_gen.c'; then $(CYGPATH_W) 'utils/mock_nonce_gen.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_nonce_gen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Tpo utils/$(DEPDIR)/exchange_tests-mock_nonce_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_nonce_gen.c' object='utils/exchange_tests-mock_nonce_gen.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_nonce_gen.obj `if test -f 'utils/mock_nonce_gen.c'; then $(CYGPATH_W) 'utils/mock_nonce_gen.c'; 
else $(CYGPATH_W) '$(srcdir)/utils/mock_nonce_gen.c'; fi` + +utils/exchange_tests-mock_sender.o: utils/mock_sender.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_sender.o -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_sender.Tpo -c -o utils/exchange_tests-mock_sender.o `test -f 'utils/mock_sender.c' || echo '$(srcdir)/'`utils/mock_sender.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_sender.Tpo utils/$(DEPDIR)/exchange_tests-mock_sender.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_sender.c' object='utils/exchange_tests-mock_sender.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_sender.o `test -f 'utils/mock_sender.c' || echo '$(srcdir)/'`utils/mock_sender.c + +utils/exchange_tests-mock_sender.obj: utils/mock_sender.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT utils/exchange_tests-mock_sender.obj -MD -MP -MF utils/$(DEPDIR)/exchange_tests-mock_sender.Tpo -c -o utils/exchange_tests-mock_sender.obj `if test -f 'utils/mock_sender.c'; then $(CYGPATH_W) 'utils/mock_sender.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_sender.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) utils/$(DEPDIR)/exchange_tests-mock_sender.Tpo utils/$(DEPDIR)/exchange_tests-mock_sender.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='utils/mock_sender.c' object='utils/exchange_tests-mock_sender.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o utils/exchange_tests-mock_sender.obj `if test -f 'utils/mock_sender.c'; then $(CYGPATH_W) 'utils/mock_sender.c'; else $(CYGPATH_W) '$(srcdir)/utils/mock_sender.c'; fi` + +exchange_tests-exchange_tests.o: exchange_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT exchange_tests-exchange_tests.o -MD -MP -MF $(DEPDIR)/exchange_tests-exchange_tests.Tpo -c -o exchange_tests-exchange_tests.o `test -f 'exchange_tests.c' || echo '$(srcdir)/'`exchange_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/exchange_tests-exchange_tests.Tpo $(DEPDIR)/exchange_tests-exchange_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='exchange_tests.c' object='exchange_tests-exchange_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o exchange_tests-exchange_tests.o `test -f 'exchange_tests.c' || echo '$(srcdir)/'`exchange_tests.c + +exchange_tests-exchange_tests.obj: exchange_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT exchange_tests-exchange_tests.obj -MD -MP -MF $(DEPDIR)/exchange_tests-exchange_tests.Tpo -c -o exchange_tests-exchange_tests.obj `if test -f 'exchange_tests.c'; then $(CYGPATH_W) 'exchange_tests.c'; else $(CYGPATH_W) '$(srcdir)/exchange_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/exchange_tests-exchange_tests.Tpo $(DEPDIR)/exchange_tests-exchange_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='exchange_tests.c' 
object='exchange_tests-exchange_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o exchange_tests-exchange_tests.obj `if test -f 'exchange_tests.c'; then $(CYGPATH_W) 'exchange_tests.c'; else $(CYGPATH_W) '$(srcdir)/exchange_tests.c'; fi` + +suites/libcharon_tests-test_proposal.o: suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c + +suites/libcharon_tests-test_proposal.obj: suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 
'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` + suites/libcharon_tests-test_ike_cfg.o: suites/test_ike_cfg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_ike_cfg.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo -c -o suites/libcharon_tests-test_ike_cfg.o `test -f 'suites/test_ike_cfg.c' || echo '$(srcdir)/'`suites/test_ike_cfg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po @@ -816,6 +1113,8 @@ distclean-generic: -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -rm -f suites/$(DEPDIR)/$(am__dirstamp) -rm -f suites/$(am__dirstamp) + -rm -f utils/$(DEPDIR)/$(am__dirstamp) + -rm -f utils/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" 
@@ -826,7 +1125,7 @@ clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) utils/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -872,7 +1171,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) utils/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -907,6 +1206,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/tests/exchange_tests.c b/src/libcharon/tests/exchange_tests.c new file mode 100644 index 000000000..eab50a875 --- /dev/null +++ b/src/libcharon/tests/exchange_tests.c 
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+#include <daemon.h>
+
+#include "utils/exchange_test_helper.h"
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "exchange_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, ...) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
+#include "exchange_tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ char *plugins, *plugindir;
+
+ libcharon_init();
+
+ plugins = getenv("TESTS_PLUGINS") ?:
+ lib->settings->get_str(lib->settings,
+ "tests.load", PLUGINS);
+ plugindir = lib->settings->get_str(lib->settings,
+ "tests.plugindir", PLUGINDIR);
+ plugin_loader_add_plugindirs(plugindir, plugins);
+ exchange_test_helper_init(plugins);
+ }
+ else
+ {
+ exchange_test_helper_deinit();
+ libcharon_deinit();
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("exchanges", tests, test_runner_init);
+}
diff --git a/src/libcharon/tests/exchange_tests.h b/src/libcharon/tests/exchange_tests.h
new file mode 100644
index 000000000..30086721f
--- /dev/null
+++ b/src/libcharon/tests/exchange_tests.h
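Review bot: test_runner_init has no header comment although it is the one place that decides which plugins the exchange test binary loads and where from; a short comment above it would help, e.g. `/* Set up (init == TRUE) or tear down libcharon and the exchange test helper; plugins come from TESTS_PLUGINS or the tests.load setting, the plugin directory from tests.plugindir. */`. The function returns TRUE unconditionally, so a misconfigured plugin set is not reported through this path; whether plugin_loader_add_plugindirs or exchange_test_helper_init can signal that is not visible here, so if they can, the comment should say it is deliberately ignored or the result should be returned. main also ignores argc and argv, which some warning levels flag; `int main(void)` would be the precise signature if test_runner_run does not need them.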
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(ike_delete_suite_create)
+TEST_SUITE(ike_rekey_suite_create)
+TEST_SUITE(child_create_suite_create)
+TEST_SUITE(child_delete_suite_create)
+TEST_SUITE(child_rekey_suite_create)
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
index 4692c3094..e25e5434f 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -53,9 +53,6 @@ static bool test_runner_init(bool init)
 }
 else
 {
- lib->processor->set_threads(lib->processor, 0);
- lib->processor->cancel(lib->processor);
- lib->plugins->unload(lib->plugins);
 libcharon_deinit();
 }
 return TRUE;
diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h
index fb82baccb..f770f464d 100644
--- a/src/libcharon/tests/libcharon_tests.h
+++ b/src/libcharon/tests/libcharon_tests.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
 * Copyright (C) 2014 Martin Willi
 * Copyright (C) 2014 revosec AG
 *
@@ -13,6 +16,15 @@ * for more details. */ +/** + * @defgroup libcharon-tests tests + * @ingroup libcharon + * + * @defgroup test_utils_c test_utils + * @ingroup libcharon-tests + */ + +TEST_SUITE(proposal_suite_create) TEST_SUITE(ike_cfg_suite_create) TEST_SUITE(mem_pool_suite_create) TEST_SUITE_DEPEND(message_chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32) diff --git a/src/libcharon/tests/suites/test_child_create.c b/src/libcharon/tests/suites/test_child_create.c new file mode 100644 index 000000000..20a47f6bf --- /dev/null +++ b/src/libcharon/tests/suites/test_child_create.c 
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <daemon.h>
+#include <tests/utils/exchange_test_helper.h>
+#include <tests/utils/exchange_test_asserts.h>
+#include <tests/utils/job_asserts.h>
+#include <tests/utils/sa_asserts.h>
+
+/**
+ * One of the peers tries to create a new CHILD_SA while the other concurrently
+ * started to rekey the IKE_SA. TEMPORARY_FAILURE should be returned on both
+ * sides and the peers should prepare to retry.
+ */
+START_TEST(test_collision_ike_rekey)
+{
+ child_cfg_t *child_cfg;
+ child_cfg_create_t child = {
+ .mode = MODE_TUNNEL,
+ };
+ ike_sa_t *a, *b;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ assert_hook_not_called(child_updown);
+ child_cfg = child_cfg_create("child", &child);
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ child_cfg->add_traffic_selector(child_cfg, TRUE,
+ traffic_selector_create_dynamic(0, 0, 65535));
+ child_cfg->add_traffic_selector(child_cfg, FALSE,
+ traffic_selector_create_dynamic(0, 0, 65535));
+ call_ikesa(a, initiate, child_cfg, 0, NULL, NULL);
+ assert_child_sa_count(a, 1);
+ assert_hook();
+
+ call_ikesa(b, rekey);
+
+ /* CREATE_CHILD_SA { SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_hook_not_called(child_updown);
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 1);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_hook_not_called(child_updown);
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 1);
+ assert_scheduler();
+ assert_hook();
+
+ /* CREATE_CHILD_SA { N(TEMP_FAIL) } --> */
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_ESTABLISHED);
+ assert_scheduler();
+
+ /* make sure no message was sent after handling the TEMPORARY_FAILURE and
+ * that the task to retry creating the CHILD_SA is queued and not active
+ * and it can't be initiated immediately */
+ ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+ assert_num_tasks(a, 0, TASK_QUEUE_ACTIVE);
+ assert_num_tasks(a, 1, TASK_QUEUE_QUEUED);
+ call_ikesa(a, initiate, NULL, 0, NULL, NULL);
+ assert_num_tasks(a, 0, TASK_QUEUE_ACTIVE);
+
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+Suite *child_create_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("child create");
+
+ tc = tcase_create("collisions ike rekey");
+ tcase_add_test(tc, test_collision_ike_rekey);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libcharon/tests/suites/test_child_delete.c b/src/libcharon/tests/suites/test_child_delete.c
new file mode 100644
index 000000000..437e919c7
--- /dev/null
+++ b/src/libcharon/tests/suites/test_child_delete.c
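Review bot: `Suite *child_create_suite_create()` is defined with empty parentheses, which in C declares a function without a prototype rather than one taking no arguments, so a call with stray arguments would not be diagnosed; `Suite *child_create_suite_create(void)` is the precise form. The same applies to `child_delete_suite_create()` in test_child_delete.c and to the `test_suite_t* x();` declaration macro in exchange_tests.c, and the existing suites in the tree appear to use the same form, so this is a consistency choice rather than a defect. The retry check at the end only shows that the queued task is not started by initiate(NULL, ...); a one-line comment on why the second `assert_num_tasks(a, 0, TASK_QUEUE_ACTIVE)` is expected (the scheduled job, not a direct initiate, is meant to trigger the retry, if I read the scheduler assertions correctly) would make the intent explicit.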
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <daemon.h>
+#include <tests/utils/exchange_test_helper.h>
+#include <tests/utils/exchange_test_asserts.h>
+#include <tests/utils/job_asserts.h>
+#include <tests/utils/sa_asserts.h>
+
+/**
+ * Regular CHILD_SA deletion either initiated by the original initiator or
+ * responder of the IKE_SA.
+ */
+START_TEST(test_regular)
+{
+ ike_sa_t *a, *b;
+
+ if (_i)
+ { /* responder deletes the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator deletes the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ assert_hook_not_called(child_updown);
+ call_ikesa(a, delete_child_sa, PROTO_ESP, _i+1, FALSE);
+ assert_child_sa_state(a, _i+1, CHILD_DELETING);
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * Both peers initiate the CHILD_SA deletion concurrently and should handle
+ * the collision properly.
+ */
+START_TEST(test_collision)
+{
+ ike_sa_t *a, *b;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ /* both peers delete the CHILD_SA concurrently */
+ assert_hook_not_called(child_updown);
+ call_ikesa(a, delete_child_sa, PROTO_ESP, 1, FALSE);
+ assert_child_sa_state(a, 1, CHILD_DELETING);
+ call_ikesa(b, delete_child_sa, PROTO_ESP, 2, FALSE);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_hook();
+
+ /* RFC 7296 says:
+ *
+ * Normally, the response in the INFORMATIONAL exchange will contain
+ * Delete payloads for the paired SAs going in the other direction.
+ * There is one exception. If, by chance, both ends of a set of SAs
+ * independently decide to close them, each may send a Delete payload
+ * and the two requests may cross in the network. If a node receives a
+ * delete request for SAs for which it has already issued a delete
+ * request, it MUST delete the outgoing SAs while processing the request
+ * and the incoming SAs while processing the response. In that case,
+ * the responses MUST NOT include Delete payloads for the deleted SAs,
+ * since that would result in duplicate deletion and could in theory
+ * delete the wrong SA.
+ *
+ * We don't handle SAs separately so we expect both are still installed,
+ * but the INFORMATIONAL response should not contain a DELETE payload.
+ */
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_not_called(child_updown);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ /* <-- INFORMATIONAL { D } */
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_DELETING);
+ assert_hook();
+
+ /* <-- INFORMATIONAL { } */
+ assert_hook_updown(child_updown, FALSE);
+ assert_message_empty(IN);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+ /* INFORMATIONAL { } --> */
+ assert_hook_updown(child_updown, FALSE);
+ assert_message_empty(IN);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * This is like the collision above but one of the DELETEs is dropped or delayed
+ * so the other peer is not aware that there is a collision.
+ */
+START_TEST(test_collision_drop)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ /* both peers delete the CHILD_SA concurrently */
+ assert_hook_not_called(child_updown);
+ call_ikesa(a, delete_child_sa, PROTO_ESP, 1, FALSE);
+ assert_child_sa_state(a, 1, CHILD_DELETING);
+ call_ikesa(b, delete_child_sa, PROTO_ESP, 2, FALSE);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_not_called(child_updown);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_hook();
+
+ /* drop/delay the responder's message */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- INFORMATIONAL { } */
+ assert_hook_updown(child_updown, FALSE);
+ assert_message_empty(IN);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } (delayed/retransmitted) */
+ assert_hook_not_called(child_updown);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ assert_hook();
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_updown(child_updown, FALSE);
+ assert_message_empty(IN);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a rekey of the IKE_SA of the CHILD_SA the other
+ * peer is concurrently trying to delete.
+ *
+ * delete ----\ /---- rekey IKE
+ * \-----/----> detect collision
+ * detect collision <---------/ /---- delete
+ * TEMP_FAIL ----\ /
+ * \----/----->
+ * <--------/
+ */
+START_TEST(test_collision_ike_rekey)
+{
+ ike_sa_t *a, *b;
+ uint32_t spi_a = _i+1;
+
+ if (_i)
+ { /* responder deletes the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator deletes the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ call_ikesa(a, delete_child_sa, PROTO_ESP, spi_a, FALSE);
+ assert_child_sa_state(a, spi_a, CHILD_DELETING);
+ call_ikesa(b, rekey);
+ assert_ike_sa_state(b, IKE_REKEYING);
+
+ /* this should never get called as there is no successful rekeying */
+ assert_hook_not_called(ike_rekey);
+
+ /* RFC 7296, 2.25.2: If a peer receives a request to delete a Child SA when
+ * it is currently rekeying the IKE SA, it SHOULD reply as usual, with a
+ * Delete payload.
+ */
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(OUT, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_REKEYING);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ /* RFC 7296, 2.25.1: If a peer receives a request to rekey the IKE SA, and
+ * it is currently, rekeying, or closing a Child SA of that IKE SA, it
+ * SHOULD reply with TEMPORARY_FAILURE.
+ */
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, spi_a, CHILD_DELETING);
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(child_updown, FALSE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { N(TEMP_FAIL) } --> */
+ /* we expect a job to retry the rekeying is scheduled */
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_ESTABLISHED);
+ assert_scheduler();
+
+ /* ike_rekey */
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a delete of the IKE_SA of the CHILD_SA the other
+ * peer is concurrently trying to delete.
+ *
+ * delete ----\ /---- delete IKE
+ * \-----/----> detect collision
+ * <---------/ /---- delete
+ * delete ----\ /
+ * \----/----->
+ * sa already gone <--------/
+ */
+START_TEST(test_collision_ike_delete)
+{
+ ike_sa_t *a, *b;
+ uint32_t spi_a = _i+1;
+ message_t *msg;
+ status_t s;
+
+ if (_i)
+ { /* responder rekeys the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ call_ikesa(a, delete_child_sa, PROTO_ESP, spi_a, FALSE);
+ assert_child_sa_state(a, spi_a, CHILD_DELETING);
+ call_ikesa(b, delete);
+ assert_ike_sa_state(b, IKE_DELETING);
+
+ /* RFC 7296, 2.25.2 does not explicitly state what the behavior SHOULD be if
+ * a peer receives a request to delete a CHILD_SA when it is currently
+ * closing the IKE SA. We expect a regular response.
+ */
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(OUT, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ /* RFC 7296, 2.25.1 does not explicitly state what the behavior SHOULD be if
+ * a peer receives a request to close the IKE SA if it is currently deleting
+ * a Child SA of that IKE SA. Let's just close the IKE_SA and forget the
+ * delete.
+ */
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_message_empty(OUT);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } */
+ /* the SA is already gone */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+ msg->destroy(msg);
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_not_called(child_updown);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+ assert_hook();
+}
+END_TEST
+
+Suite *child_delete_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("child delete");
+
+ tc = tcase_create("regular");
+ tcase_add_loop_test(tc, test_regular, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions");
+ tcase_add_test(tc, test_collision);
+ tcase_add_test(tc, test_collision_drop);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions ike rekey");
+ tcase_add_loop_test(tc, test_collision_ike_rekey, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions ike delete");
+ tcase_add_loop_test(tc, test_collision_ike_delete, 0, 2);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
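Review bot: The branch comments in test_collision_ike_delete say `/* responder rekeys the CHILD_SA (SPI 2) */` and `/* initiator rekeys the CHILD_SA (SPI 1) */`, but this test deletes the CHILD_SA (delete_child_sa is what follows), so the comments were carried over from a rekey test; they should read `{ /* responder deletes the CHILD_SA (SPI 2) */` and `{ /* initiator deletes the CHILD_SA (SPI 1) */`, matching test_regular and test_collision_ike_rekey in the same file. In that test the response b sends to a's CHILD_SA delete is dequeued and destroyed with only `/* the SA is already gone */` as explanation; a sentence saying that a was already destroyed by b's IKE_SA delete and hence cannot consume this response would save the next reader working out the queue order. The two back-to-back `assert_hook();` calls after each process_message are fine but benefit from the same kind of trailing `/* ike_updown/child_updown */` marker the file uses elsewhere.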
diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c
new file mode 100644
index 000000000..fcac49388
--- /dev/null
+++ b/src/libcharon/tests/suites/test_child_rekey.c
@@ -0,0 +1,1569 @@ +/* + * Copyright (C) 2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include <daemon.h> +#include <tests/utils/exchange_test_helper.h> +#include <tests/utils/exchange_test_asserts.h> +#include <tests/utils/job_asserts.h> +#include <tests/utils/sa_asserts.h> + +/** + * Initiate rekeying the CHILD_SA with the given SPI on the given IKE_SA. + */ +#define initiate_rekey(sa, spi) ({ \ + assert_hook_not_called(child_updown); \ + assert_hook_not_called(child_rekey); \ + call_ikesa(sa, rekey_child_sa, PROTO_ESP, spi); \ + assert_child_sa_state(sa, spi, CHILD_REKEYING); \ + assert_hook(); \ + assert_hook(); \ +}) + +/** + * Regular CHILD_SA rekey either initiated by the original initiator or + * responder of the IKE_SA. 
+ */ +START_TEST(test_regular) +{ + ike_sa_t *a, *b; + uint32_t spi_a = _i+1, spi_b = 2-_i; + + if (_i) + { /* responder rekeys the CHILD_SA (SPI 2) */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, NULL); + } + else + { /* initiator rekeys the CHILD_SA (SPI 1) */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, NULL); + } + initiate_rekey(a, spi_a); + + /* this should never get called as this results in a successful rekeying */ + assert_hook_not_called(child_updown); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, spi_b, CHILD_REKEYED); + assert_child_sa_state(b, 4, CHILD_INSTALLED); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */ + assert_hook_called(child_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, spi_a, CHILD_DELETING); + assert_child_sa_state(a, 3, CHILD_INSTALLED); + assert_hook(); + + /* INFORMATIONAL { D } --> */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 4, CHILD_INSTALLED); + assert_child_sa_count(b, 1); + assert_hook(); + /* <-- INFORMATIONAL { D } */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 3, CHILD_INSTALLED); + assert_child_sa_count(a, 1); + assert_hook(); + + /* child_updown */ + assert_hook(); + + call_ikesa(a, destroy); + call_ikesa(b, destroy); +} +END_TEST + +/** + * CHILD_SA rekey where the responder does not agree with the DH group selected + * by the initiator, either initiated by the original initiator or responder of + * 
the IKE_SA. + */ +START_TEST(test_regular_ke_invalid) +{ + exchange_test_sa_conf_t conf = { + .initiator = { + .esp = "aes128-sha256-modp2048-modp3072", + }, + .responder = { + .esp = "aes128-sha256-modp3072-modp2048", + }, + }; + ike_sa_t *a, *b; + uint32_t spi_a = _i+1, spi_b = 2-_i; + + if (_i) + { /* responder rekeys the CHILD_SA (SPI 2) */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, &conf); + } + else + { /* initiator rekeys the CHILD_SA (SPI 1) */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &conf); + } + initiate_rekey(a, spi_a); + + /* this should never get called as this results in a successful rekeying */ + assert_hook_not_called(child_updown); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_not_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, spi_b, CHILD_INSTALLED); + assert_child_sa_count(b, 1); + assert_hook(); + + /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */ + assert_hook_not_called(child_rekey); + assert_single_notify(IN, INVALID_KE_PAYLOAD); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, spi_a, CHILD_REKEYING); + assert_child_sa_count(a, 1); + assert_hook(); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, spi_b, CHILD_REKEYED); + assert_child_sa_state(b, 6, CHILD_INSTALLED); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */ + assert_hook_called(child_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, spi_a, CHILD_DELETING); + assert_child_sa_state(a, 5, CHILD_INSTALLED); + assert_hook(); + + /* INFORMATIONAL { D } --> 
*/ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 6, CHILD_INSTALLED); + assert_child_sa_count(b, 1); + assert_hook(); + /* <-- INFORMATIONAL { D } */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 5, CHILD_INSTALLED); + assert_child_sa_count(a, 1); + assert_hook(); + + /* child_updown */ + assert_hook(); + + call_ikesa(a, destroy); + call_ikesa(b, destroy); +} +END_TEST + +/** + * Check that the responder ignores soft expires while waiting for the delete + * after a rekeying. + */ +START_TEST(test_regular_responder_ignore_soft_expire) +{ + ike_sa_t *a, *b; + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, NULL); + initiate_rekey(a, 1); + + /* this should never get called as this results in a successful rekeying */ + assert_hook_not_called(child_updown); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 2, CHILD_REKEYED); + assert_child_sa_state(b, 4, CHILD_INSTALLED); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */ + assert_hook_called(child_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 1, CHILD_DELETING); + assert_child_sa_state(a, 3, CHILD_INSTALLED); + assert_hook(); + + /* we don't expect this to get called anymore */ + assert_hook_not_called(child_rekey); + /* this should not produce a message, if it does there won't be a delete + * payload below */ + call_ikesa(b, rekey_child_sa, PROTO_ESP, 2); + assert_child_sa_state(b, 2, CHILD_REKEYED); + + /* INFORMATIONAL { D } --> */ + 
assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 4, CHILD_INSTALLED); + assert_child_sa_count(b, 1); + /* <-- INFORMATIONAL { D } */ + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 3, CHILD_INSTALLED); + assert_child_sa_count(a, 1); + + /* child_rekey/child_updown */ + assert_hook(); + assert_hook(); + + call_ikesa(a, destroy); + call_ikesa(b, destroy); +} +END_TEST + +/** + * Check that the responder handles hard expires properly while waiting for the + * delete after a rekeying (e.g. if the initiator of the rekeying fails to + * delete the CHILD_SA for some reason). + */ +START_TEST(test_regular_responder_handle_hard_expire) +{ + ike_sa_t *a, *b; + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, NULL); + initiate_rekey(a, 1); + + /* this should never get called as this results in a successful rekeying */ + assert_hook_not_called(child_updown); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 2, CHILD_REKEYED); + assert_child_sa_state(b, 4, CHILD_INSTALLED); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */ + assert_hook_called(child_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 1, CHILD_DELETING); + assert_child_sa_state(a, 3, CHILD_INSTALLED); + assert_hook(); + + /* we don't expect this to get called anymore */ + assert_hook_not_called(child_rekey); + /* this is similar to a regular delete collision */ + assert_single_payload(OUT, PLV2_DELETE); + call_ikesa(b, delete_child_sa, PROTO_ESP, 2, TRUE); + assert_child_sa_state(b, 2, CHILD_DELETING); + + /* 
INFORMATIONAL { D } --> */
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_child_sa_state(a, 2, CHILD_DELETING);
+ /* <-- INFORMATIONAL { D } */
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 3, CHILD_INSTALLED);
+ assert_child_sa_state(a, 1, CHILD_DELETING);
+ /* <-- INFORMATIONAL { } */
+ assert_message_empty(IN);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 3, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ /* INFORMATIONAL { } --> */
+ assert_message_empty(IN);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * Both peers initiate the CHILD_SA reekying concurrently and should handle
+ * the collision properly depending on the nonces.
+ */
+START_TEST(test_collision)
+{
+ ike_sa_t *a, *b;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* When rekeyings collide we get two CHILD_SAs with a total of four nonces.
+ * The CHILD_SA with the lowest nonce SHOULD be deleted by the peer that
+ * created that CHILD_SA. The replaced CHILD_SA is deleted by the peer that
+ * initiated the surviving SA.
+ * Four nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * \--/-----> N3/5
+ * N4/6 <-------/ /----- ...
+ * ... -----\
+ * We test this four times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[4];
+ /* SPIs of the deleted CHILD_SA (either redundant or replaced) */
+ uint32_t spi_del_a, spi_del_b;
+ /* SPIs of the kept CHILD_SA */
+ uint32_t spi_a, spi_b;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 2, 6, 4 },
+ { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 4, 3, 5 },
+ { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 2, 6, 4 },
+ { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 4, 3, 5 },
+ };
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a, 1);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b, 2);
+
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_rekey(child_rekey, 2, 5);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYED);
+ assert_child_sa_state(b, 5, CHILD_INSTALLED);
+ assert_hook();
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[3];
+ assert_hook_rekey(child_rekey, 1, 6);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_state(a, 6, CHILD_INSTALLED);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */
+ if (data[_i].spi_del_a == 1)
+ { /* currently we call this again if we keep our own replacement as we
+ * already called it above */
+ assert_hook_rekey(child_rekey, 1, data[_i].spi_a);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_hook();
+ }
+ else
+ {
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_hook();
+ }
+ assert_child_sa_state(a, data[_i].spi_del_a, CHILD_DELETING);
+ assert_child_sa_state(a, data[_i].spi_del_b, CHILD_REKEYED);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ /* CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } --> */
+ if (data[_i].spi_del_b == 2)
+ {
+ assert_hook_rekey(child_rekey, 2, data[_i].spi_b);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_hook();
+ }
+ else
+ {
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_hook();
+ }
+ assert_child_sa_state(b, data[_i].spi_del_b, CHILD_DELETING);
+ assert_child_sa_state(b, data[_i].spi_del_a, CHILD_REKEYED);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(child_rekey);
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, data[_i].spi_del_b, CHILD_DELETING);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+ assert_child_sa_count(b, 2);
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, data[_i].spi_del_a, CHILD_DELETING);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 2);
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * This is like the rekey collision above, but one peer deletes the
+ * redundant/old SA before the other peer receives the CREATE_CHILD_SA
+ * response:
+ *
+ * rekey ----\ /---- rekey
+ * \-----/----> detect collision
+ * detect collision <---------/ /----
+ * ----\ /
+ * \----/----->
+ * handle delete <--------/------- delete SA
+ * --------/------->
+ * handle rekey <------/
+ * delete SA ---------------->
+ * <----------------
+ */
+START_TEST(test_collision_delayed_response)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Four nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * \--/-----> N3/5
+ * N4/6 <-------/ /----- ...
+ * ... -----\
+ * We test this four times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[4];
+ /* SPIs of the deleted CHILD_SA (either redundant or replaced) */
+ uint32_t spi_del_a, spi_del_b;
+ /* SPIs of the kept CHILD_SA */
+ uint32_t spi_a, spi_b;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 2, 6, 4 },
+ { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 4, 3, 5 },
+ { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 2, 6, 4 },
+ { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 4, 3, 5 },
+ };
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a, 1);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b, 2);
+
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_rekey(child_rekey, 2, 5);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYED);
+ assert_child_sa_state(b, 5, CHILD_INSTALLED);
+ assert_hook();
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[3];
+ assert_hook_rekey(child_rekey, 1, 6);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_state(a, 6, CHILD_INSTALLED);
+ assert_hook();
+
+ /* delay the CREATE_CHILD_SA response from b to a */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } --> */
+ if (data[_i].spi_del_b == 2)
+ {
+ assert_hook_rekey(child_rekey, 2, data[_i].spi_b);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_hook();
+ }
+ else
+ {
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_hook();
+ }
+ assert_child_sa_state(b, data[_i].spi_del_b, CHILD_DELETING);
+ assert_child_sa_state(b, data[_i].spi_del_a, CHILD_REKEYED);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ if (data[_i].spi_del_b == 2)
+ {
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ }
+ else
+ {
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_count(a, 1);
+ }
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, data[_i].spi_del_a, CHILD_REKEYED);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+ assert_child_sa_count(b, 2);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } (delayed) */
+ if (data[_i].spi_del_a == 1)
+ {
+ assert_hook_rekey(child_rekey, 1, data[_i].spi_a);
+ exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ assert_hook();
+ }
+ else
+ {
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ assert_hook();
+ }
+ assert_child_sa_state(a, data[_i].spi_del_a, CHILD_DELETING);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 2);
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(child_rekey);
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * In this scenario one of the peers does not notice that there is a
+ * rekey collision:
+ *
+ * rekey ----\ /---- rekey
+ * \ /
+ * detect collision <-----\---/
+ * -------\-------->
+ * \ /---- delete old SA
+ * \-/----> detect collision
+ * detect collision <---------/ /---- TEMP_FAIL
+ * delete -----------/---->
+ * aborts rekeying <---------/
+ */
+START_TEST(test_collision_delayed_request)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Three nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * N3/5 <-----\--/
+ * ... -----\ \-------> ...
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF } },
+ { { 0xFF, 0x00, 0xFF } },
+ { { 0xFF, 0xFF, 0x00 } },
+ };
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a, 1);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b, 2);
+
+ /* delay the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_rekey(child_rekey, 1, 5);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_state(a, 5, CHILD_INSTALLED);
+ assert_hook();
+ /* CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } --> */
+ assert_hook_rekey(child_rekey, 2, 4);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_hook();
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(child_rekey);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> (delayed) */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 5, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_no_jobs_scheduled();
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 5, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ assert_scheduler();
+
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * Similar to above one peer fails to notice the collision but the
+ * CREATE_CHILD_SA request is even more delayed:
+ *
+ * rekey ----\ /---- rekey
+ * \ /
+ * detect collision <-----\---/
+ * -------\-------->
+ * detect collision <-------\-------- delete old SA
+ * delete ---------\------>
+ * \----->
+ * /---- CHILD_SA_NOT_FOUND
+ * aborts rekeying <----------/
+ */
+START_TEST(test_collision_delayed_request_more)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Three nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * N3/5 <-----\--/
+ * ... -----\ \-------> ...
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF } },
+ { { 0xFF, 0x00, 0xFF } },
+ { { 0xFF, 0xFF, 0x00 } },
+ };
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a, 1);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b, 2);
+
+ /* delay the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_rekey(child_rekey, 1, 5);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_state(a, 5, CHILD_INSTALLED);
+ assert_hook();
+ /* CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } --> */
+ assert_hook_rekey(child_rekey, 2, 4);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_hook();
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(child_rekey);
+
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 5, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_single_notify(OUT, CHILD_SA_NOT_FOUND);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_child_sa_state(b, 4, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+ /* <-- CREATE_CHILD_SA { N(NO_CHILD_SA) } */
+ assert_no_jobs_scheduled();
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 5, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ assert_scheduler();
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * Both peers initiate the CHILD_SA reekying concurrently but the proposed DH
+ * groups are not the same after handling the INVALID_KE_PAYLOAD they should
+ * still handle the collision properly depending on the nonces.
+ */
+START_TEST(test_collision_ke_invalid)
+{
+ exchange_test_sa_conf_t conf = {
+ .initiator = {
+ .esp = "aes128-sha256-modp2048-modp3072",
+ },
+ .responder = {
+ .esp = "aes128-sha256-modp3072-modp2048",
+ },
+ };
+ ike_sa_t *a, *b;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, &conf);
+
+ /* Eight nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * \--/-----> N3/5
+ * N4/6 <-------/ /---- INVAL_KE
+ * INVAL_KE -----\ /
+ * <-----\--/
+ * N5/7 -----\ \------->
+ * \ /---- N6/8
+ * \--/----> N7/9
+ * N8/10 <--------/ /---- ...
+ * ... ------\
+ *
+ * We test this four times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[4];
+ /* SPIs of the deleted CHILD_SA (either redundant or replaced) */
+ uint32_t spi_del_a, spi_del_b;
+ /* SPIs of the kept CHILD_SA */
+ uint32_t spi_a, spi_b;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF, 0xFF }, 7, 2,10, 8 },
+ { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 8, 7, 9 },
+ { { 0xFF, 0xFF, 0x00, 0xFF }, 7, 2,10, 8 },
+ { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 8, 7, 9 },
+ };
+
+ /* make sure the nonces of the first try don't affect the retries */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(a, 1);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(b, 2);
+
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_hook();
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ assert_hook_not_called(child_rekey);
+ assert_single_notify(IN, INVALID_KE_PAYLOAD);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_hook();
+ /* CREATE_CHILD_SA { N(INVAL_KE) } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ assert_hook_not_called(child_rekey);
+ assert_single_notify(IN, INVALID_KE_PAYLOAD);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_rekey(child_rekey, 2, 9);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYED);
+ assert_child_sa_state(b, 9, CHILD_INSTALLED);
+ assert_hook();
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[3];
+ assert_hook_rekey(child_rekey, 1, 10);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_state(a,10, CHILD_INSTALLED);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */
+ if (data[_i].spi_del_a == 1)
+ { /* currently we call this again if we keep our own replacement as we
+ * already called it above */
+ assert_hook_rekey(child_rekey, 1, data[_i].spi_a);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_hook();
+ }
+ else
+ {
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ }
+ assert_child_sa_state(a, data[_i].spi_del_a, CHILD_DELETING);
+ assert_child_sa_state(a, data[_i].spi_del_b, CHILD_REKEYED);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ /* CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } --> */
+ if (data[_i].spi_del_b == 2)
+ {
+ assert_hook_rekey(child_rekey, 2, data[_i].spi_b);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_hook();
+ }
+ else
+ {
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ }
+ assert_child_sa_state(b, data[_i].spi_del_b, CHILD_DELETING);
+ assert_child_sa_state(b, data[_i].spi_del_a, CHILD_REKEYED);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(child_rekey);
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, data[_i].spi_del_b, CHILD_DELETING);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+ assert_child_sa_count(b, 2);
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, data[_i].spi_del_a, CHILD_DELETING);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 2);
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, data[_i].spi_a, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, data[_i].spi_b, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * This is a variation of the above but with the retry by one peer delayed so
+ * that to the other peer it looks like there is no collision.
+ */
+START_TEST(test_collision_ke_invalid_delayed_retry)
+{
+ exchange_test_sa_conf_t conf = {
+ .initiator = {
+ .esp = "aes128-sha256-modp2048-modp3072",
+ },
+ .responder = {
+ .esp = "aes128-sha256-modp3072-modp2048",
+ },
+ };
+ ike_sa_t *a, *b;
+ message_t *msg;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, &conf);
+
+ /* Seven nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * \--/-----> N3/5
+ * N4/6 <-------/ /---- INVAL_KE
+ * INVAL_KE -----\ /
+ * <-----\--/
+ * N5/7 -----\ \------->
+ * <-----\--------- N6/8
+ * N7/9 -------\------->
+ * <-------\------- DELETE
+ * ... ------\ \----->
+ * /---- TEMP_FAIL
+ *
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF } },
+ { { 0xFF, 0x00, 0xFF } },
+ { { 0xFF, 0xFF, 0x00 } },
+ };
+
+ /* make sure the nonces of the first try don't affect the retries */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(a, 1);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(b, 2);
+
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_hook();
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ assert_hook_not_called(child_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ assert_hook_not_called(child_rekey);
+ assert_single_notify(IN, INVALID_KE_PAYLOAD);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_hook();
+ /* CREATE_CHILD_SA { N(INVAL_KE) } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ assert_hook_not_called(child_rekey);
+ assert_single_notify(IN, INVALID_KE_PAYLOAD);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_hook();
+
+ /* delay the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_rekey(child_rekey, 1, 9);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 1, CHILD_REKEYED);
+ assert_child_sa_state(a, 9, CHILD_INSTALLED);
+ assert_hook();
+ /* CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } --> */
+ assert_hook_rekey(child_rekey, 2, 8);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_child_sa_state(b, 8, CHILD_INSTALLED);
+ assert_hook();
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(child_rekey);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> (delayed) */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_child_sa_state(b, 2, CHILD_DELETING);
+ assert_child_sa_state(b, 8, CHILD_INSTALLED);
+
+ /* <-- INFORMATIONAL { D } */
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 9, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_no_jobs_scheduled();
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 9, CHILD_INSTALLED);
+ assert_child_sa_count(a, 1);
+ assert_scheduler();
+
+ /* INFORMATIONAL { D } --> */
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 8, CHILD_INSTALLED);
+ assert_child_sa_count(b, 1);
+
+ /* child_rekey/child_updown */
+ assert_hook();
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a DELETE of the CHILD_SA the other peer is
+ * concurrently trying to rekey.
+ *
+ * rekey ----\ /---- delete
+ * \-----/----> detect collision
+ * detect collision <---------/ /---- TEMP_FAIL
+ * delete ----\ /
+ * \----/----->
+ * aborts rekeying <--------/
+ */
+START_TEST(test_collision_delete)
+{
+ ike_sa_t *a, *b;
+ uint32_t spi_a = _i+1, spi_b = 2-_i;
+
+ if (_i)
+ { /* responder rekeys the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ initiate_rekey(a, spi_a);
+ call_ikesa(b, delete_child_sa, PROTO_ESP, spi_b, FALSE);
+ assert_child_sa_state(b, spi_b, CHILD_DELETING);
+
+ /* this should never get called as there is no successful rekeying on
+ * either side */
+ assert_hook_not_called(child_rekey);
+
+ /* RFC 7296, 2.25.1: If a peer receives a request to rekey a CHILD_SA that
+ * it is currently trying to close, it SHOULD reply with TEMPORARY_FAILURE.
+ */
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_hook_not_called(child_updown);
+ assert_notify(IN, REKEY_SA);
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, spi_b, CHILD_DELETING);
+ assert_hook();
+
+ /* RFC 7296, 2.25.1: If a peer receives a request to delete a CHILD_SA that
+ * it is currently trying to rekey, it SHOULD reply as usual, with a DELETE
+ * payload.
+ */
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_single_payload(OUT, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_hook_not_called(child_updown);
+ /* we don't expect a job to retry the rekeying */
+ assert_no_jobs_scheduled();
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_scheduler();
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(child_updown, FALSE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ /* child_rekey */
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a DELETE of the CHILD_SA the other peer is
+ * concurrently trying to rekey. However, the delete request is delayed or
+ * dropped, so the peer doing the rekeying is unaware of the collision.
+ *
+ * rekey ----\ /---- delete
+ * \-----/----> detect collision
+ * reschedule <---------/------ TEMP_FAIL
+ * <--------/
+ * delete ---------------->
+ *
+ * The job will not find the SA to retry rekeying.
+ */
+START_TEST(test_collision_delete_drop_delete)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+ uint32_t spi_a = _i+1, spi_b = 2-_i;
+
+ if (_i)
+ { /* responder rekeys the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ initiate_rekey(a, spi_a);
+ call_ikesa(b, delete_child_sa, PROTO_ESP, spi_b, FALSE);
+ assert_child_sa_state(b, spi_b, CHILD_DELETING);
+
+ /* this should never get called as there is no successful rekeying on
+ * either side */
+ assert_hook_not_called(child_rekey);
+
+ /* RFC 7296, 2.25.1: If a peer receives a request to rekey a CHILD_SA that
+ * it is currently trying to close, it SHOULD reply with TEMPORARY_FAILURE.
+ */
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_hook_not_called(child_updown);
+ assert_notify(IN, REKEY_SA);
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, spi_b, CHILD_DELETING);
+ assert_hook();
+
+ /* delay the DELETE request */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_hook_not_called(child_updown);
+ /* we expect a job to retry the rekeying is scheduled */
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, spi_a, CHILD_INSTALLED);
+ assert_scheduler();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } (delayed) */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_single_payload(OUT, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(child_updown, FALSE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ /* child_rekey */
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a DELETE of the CHILD_SA the other peer is
+ * concurrently trying to rekey. However, the rekey request is delayed or
+ * dropped, so the peer doing the deleting is unaware of the collision.
+ *
+ * rekey ----\ /---- delete
+ * detect collision <----\-----/
+ * delete ------\--------->
+ * \-------->
+ * /---- CHILD_SA_NOT_FOUND
+ * aborts rekeying <----------/
+ */
+ START_TEST(test_collision_delete_drop_rekey)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+ uint32_t spi_a = _i+1, spi_b = 2-_i;
+
+ if (_i)
+ { /* responder rekeys the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ initiate_rekey(a, spi_a);
+ call_ikesa(b, delete_child_sa, PROTO_ESP, spi_b, FALSE);
+ assert_child_sa_state(b, spi_b, CHILD_DELETING);
+
+ /* this should never get called as there is no successful rekeying on
+ * either side */
+ assert_hook_not_called(child_rekey);
+
+ /* delay the CREATE_CHILD_SA request */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* RFC 7296, 2.25.1: If a peer receives a request to delete a CHILD_SA that
+ * it is currently trying to rekey, it SHOULD reply as usual, with a DELETE
+ * payload.
+ */
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_single_payload(OUT, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_count(a, 0);
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(child_updown, FALSE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_count(b, 0);
+ assert_hook();
+
+ /* RFC 7296, 2.25.1: If a peer receives a to rekey a Child SA that does not
+ * exist, it SHOULD reply with CHILD_SA_NOT_FOUND.
+ */
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> (delayed) */
+ assert_hook_not_called(child_updown);
+ assert_notify(IN, REKEY_SA);
+ assert_single_notify(OUT, CHILD_SA_NOT_FOUND);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(NO_CHILD_SA) } */
+ assert_hook_not_called(child_updown);
+ /* no jobs or tasks should get scheduled/queued */
+ assert_no_jobs_scheduled();
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_scheduler();
+ assert_hook();
+
+ /* child_rekey */
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * FIXME: Not sure what we can do about the following:
+ *
+ * One of the hosts initiates a rekeying of a CHILD_SA and after responding to
+ * it the other peer deletes the new SA. However, the rekey response is
+ * delayed or dropped, so the peer doing the rekeying receives a delete for an
+ * unknown CHILD_SA and then has a rekeyed CHILD_SA that should not exist.
+ *
+ * rekey ---------------->
+ * /---- rekey
+ * unknown SA <----------/----- delete new SA
+ * ----------/----->
+ * <--------/
+ *
+ * The peers' states are now out of sync.
+ *
+ * Perhaps the rekey initiator could keep track of deletes for non-existing SAs
+ * while rekeying and then check against the SPIs when handling the
+ * CREATE_CHILD_SA response.
+ */
+
+
+/**
+ * One of the hosts initiates a rekey of the IKE_SA of the CHILD_SA the other
+ * peer is concurrently trying to rekey.
+ *
+ * rekey ----\ /---- rekey IKE
+ * \-----/----> detect collision
+ * detect collision <---------/ /---- TEMP_FAIL
+ * TEMP_FAIL ----\ /
+ * \----/----->
+ * <--------/
+ */
+START_TEST(test_collision_ike_rekey)
+{
+ ike_sa_t *a, *b;
+ uint32_t spi_a = _i+1;
+
+ if (_i)
+ { /* responder rekeys the CHILD_SA (SPI 2) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the CHILD_SA (SPI 1) */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ initiate_rekey(a, spi_a);
+ call_ikesa(b, rekey);
+ assert_ike_sa_state(b, IKE_REKEYING);
+
+ /* these should never get called as there is no successful rekeying on
+ * either side */
+ assert_hook_not_called(ike_rekey);
+ assert_hook_not_called(child_rekey);
+
+ /* RFC 7296, 2.25.2: If a peer receives a request to rekey a CHILD_SA when
+ * it is currently rekeying the IKE SA, it SHOULD reply with
+ * TEMPORARY_FAILURE.
+ */
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_REKEYING);
+
+ /* RFC 7296, 2.25.1: If a peer receives a request to rekey the IKE SA, and
+ * it is currently, rekeying, or closing a Child SA of that IKE SA, it
+ * SHOULD reply with TEMPORARY_FAILURE.
+ */
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, spi_a, CHILD_REKEYING);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ /* we expect a job to retry the rekeying is scheduled */
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, spi_a, CHILD_INSTALLED);
+ assert_scheduler();
+
+ /* CREATE_CHILD_SA { N(TEMP_FAIL) } --> */
+ /* we expect a job to retry the rekeying is scheduled */
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_ESTABLISHED);
+ assert_scheduler();
+
+ /* ike_rekey/child_rekey */
+ assert_hook();
+ assert_hook();
+
+ assert_sa_idle(a);
+ assert_sa_idle(b);
+
+ call_ikesa(a, destroy);
+ call_ikesa(b, destroy);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a delete of the IKE_SA of the CHILD_SA the other
+ * peer is concurrently trying to rekey.
+ * + * rekey ----\ /---- delete IKE + * \-----/----> detect collision + * <---------/ /---- TEMP_FAIL + * delete ----\ / + * \----/-----> + * sa already gone <--------/ + */ +START_TEST(test_collision_ike_delete) +{ + ike_sa_t *a, *b; + uint32_t spi_a = _i+1; + message_t *msg; + status_t s; + + if (_i) + { /* responder rekeys the CHILD_SA (SPI 2) */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, NULL); + } + else + { /* initiator rekeys the CHILD_SA (SPI 1) */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, NULL); + } + initiate_rekey(a, spi_a); + call_ikesa(b, delete); + assert_ike_sa_state(b, IKE_DELETING); + + /* this should never get called as there is no successful rekeying on + * either side */ + assert_hook_not_called(child_rekey); + + /* RFC 7296, 2.25.2 does not explicitly state what the behavior SHOULD be if + * a peer receives a request to rekey a CHILD_SA when it is currently + * closing the IKE SA. We expect a TEMPORARY_FAILURE notify. + */ + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_single_notify(OUT, TEMPORARY_FAILURE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_DELETING); + + /* RFC 7296, 2.25.1 does not explicitly state what the behavior SHOULD be if + * a peer receives a request to close the IKE SA if it is currently rekeying + * a Child SA of that IKE SA. Let's just close the IKE_SA and forget the + * rekeying. 
+ */ + + /* <-- INFORMATIONAL { D } */ + assert_hook_updown(ike_updown, FALSE); + assert_hook_updown(child_updown, FALSE); + assert_message_empty(OUT); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + assert_hook(); + assert_hook(); + + /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */ + /* the SA is already gone */ + msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender); + msg->destroy(msg); + + /* INFORMATIONAL { } --> */ + assert_hook_updown(ike_updown, FALSE); + assert_hook_updown(child_updown, FALSE); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + assert_hook(); + assert_hook(); + + /* child_rekey */ + assert_hook(); +} +END_TEST + +Suite *child_rekey_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("child rekey"); + + tc = tcase_create("regular"); + tcase_add_loop_test(tc, test_regular, 0, 2); + tcase_add_loop_test(tc, test_regular_ke_invalid, 0, 2); + tcase_add_test(tc, test_regular_responder_ignore_soft_expire); + tcase_add_test(tc, test_regular_responder_handle_hard_expire); + suite_add_tcase(s, tc); + + tc = tcase_create("collisions rekey"); + tcase_add_loop_test(tc, test_collision, 0, 4); + tcase_add_loop_test(tc, test_collision_delayed_response, 0, 4); + tcase_add_loop_test(tc, test_collision_delayed_request, 0, 3); + tcase_add_loop_test(tc, test_collision_delayed_request_more, 0, 3); + tcase_add_loop_test(tc, test_collision_ke_invalid, 0, 4); + tcase_add_loop_test(tc, test_collision_ke_invalid_delayed_retry, 0, 3); + suite_add_tcase(s, tc); + + tc = tcase_create("collisions delete"); + tcase_add_loop_test(tc, test_collision_delete, 0, 2); + tcase_add_loop_test(tc, test_collision_delete_drop_delete, 0, 2); + tcase_add_loop_test(tc, test_collision_delete_drop_rekey, 0, 2); + suite_add_tcase(s, tc); + + tc = tcase_create("collisions ike rekey"); + 
tcase_add_loop_test(tc, test_collision_ike_rekey, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions ike delete");
+ tcase_add_loop_test(tc, test_collision_ike_delete, 0, 2);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libcharon/tests/suites/test_ike_delete.c b/src/libcharon/tests/suites/test_ike_delete.c
new file mode 100644
index 000000000..d79f9bc50
--- /dev/null
+++ b/src/libcharon/tests/suites/test_ike_delete.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/exchange_test_helper.h>
+#include <tests/utils/exchange_test_asserts.h>
+#include <tests/utils/sa_asserts.h>
+
+/**
+ * Regular IKE_SA delete either initiated by the original initiator or
+ * responder of the IKE_SA.
+ */
+START_TEST(test_regular)
+{
+ ike_sa_t *a, *b;
+ status_t s;
+
+ if (_i)
+ { /* responder deletes the IKE_SA */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator deletes the IKE_SA */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+ call_ikesa(a, delete);
+ assert_ike_sa_state(a, IKE_DELETING);
+ assert_hook();
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { } */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_message_empty(IN);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ assert_hook();
+ assert_hook();
+}
+END_TEST
+
+/**
+ * Both peers initiate the IKE_SA deletion concurrently and should handle the
+ * collision properly.
+ */
+START_TEST(test_collision)
+{
+ ike_sa_t *a, *b;
+ status_t s;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+ call_ikesa(a, delete);
+ assert_ike_sa_state(a, IKE_DELETING);
+ call_ikesa(b, delete);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_hook();
+ assert_hook();
+
+ /* RFC 7296 says: If a peer receives a request to close an IKE SA that it
+ * is currently trying to close, it SHOULD reply as usual, and forget about
+ * its own close request.
+ * So we expect the SA to just get closed with an empty response still sent.
+ */
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_message_empty(OUT);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_message_empty(OUT);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ assert_hook();
+ assert_hook();
+}
+END_TEST
+
+Suite *ike_delete_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("ike delete");
+
+ tc = tcase_create("regular");
+ tcase_add_loop_test(tc, test_regular, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions");
+ tcase_add_test(tc, test_collision);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
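Review bot: `Suite *ike_delete_suite_create()` at the end of the hunk is declared with an empty parameter list, which in C11 is not a prototype and disables argument checking at call sites; `Suite *ike_delete_suite_create(void)` is the checkable form (the other suite constructors in this commit use the same spelling, so it may be a project convention worth keeping consistent either way). The RFC quote in test_collision is the only one in these suites without a section number; `/* RFC 7296, 2.25: If a peer receives a request to close an IKE SA that it` would match the `2.25.1`/`2.25.2` citations used by the sibling tests. In test_collision both peers answer the other's DELETE with an empty INFORMATIONAL (`assert_message_empty(OUT)` on each side), but neither response is ever dequeued before the SAs are destroyed; if the helper's teardown does not flush the mock sender, those two messages presumably linger into the next test, so an explicit drain or an assertion on the queue length at the end of the test would make the intended end state visible.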
diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c
new file mode 100644
index 000000000..ba39657a4
--- /dev/null
+++ b/src/libcharon/tests/suites/test_ike_rekey.c
@@ -0,0 +1,1480 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/exchange_test_helper.h>
+#include <tests/utils/exchange_test_asserts.h>
+#include <tests/utils/job_asserts.h>
+#include <tests/utils/sa_asserts.h>
+
+/**
+ * Initiate rekeying the given IKE_SA.
+ */
+#define initiate_rekey(sa) ({ \
+ assert_hook_not_called(ike_rekey); \
+ call_ikesa(sa, rekey); \
+ assert_ike_sa_state(a, IKE_REKEYING); \
+ assert_hook(); \
+})
+
+/**
+ * Regular IKE_SA rekeying either initiated by the original initiator or
+ * responder of the IKE_SA.
+ */ +START_TEST(test_regular) +{ + ike_sa_t *a, *b, *new_sa; + status_t s; + + if (_i) + { /* responder rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, NULL); + } + else + { /* initiator rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, NULL); + } + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + initiate_rekey(a); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + assert_hook_rekey(ike_rekey, 1, 3); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYED); + assert_child_sa_count(b, 0); + new_sa = assert_ike_sa_checkout(3, 4, FALSE); + assert_ike_sa_state(new_sa, IKE_ESTABLISHED); + assert_child_sa_count(new_sa, 1); + assert_ike_sa_count(1); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ + assert_hook_rekey(ike_rekey, 1, 3); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_DELETING); + assert_child_sa_count(a, 0); + new_sa = assert_ike_sa_checkout(3, 4, TRUE); + assert_ike_sa_state(new_sa, IKE_ESTABLISHED); + assert_child_sa_count(new_sa, 1); + assert_ike_sa_count(2); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + 
charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * IKE_SA rekeying where the responder does not agree with the DH group selected + * by the initiator, either initiated by the original initiator or responder of + * the IKE_SA. + */ +START_TEST(test_regular_ke_invalid) +{ + exchange_test_sa_conf_t conf = { + .initiator = { + .ike = "aes128-sha256-modp2048-modp3072", + }, + .responder = { + .ike = "aes128-sha256-modp3072-modp2048", + }, + }; + ike_sa_t *a, *b, *sa; + status_t s; + + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + FALSE, lib->ns); + if (_i) + { /* responder rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, &conf); + } + else + { /* initiator rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &conf); + } + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + TRUE, lib->ns); + + initiate_rekey(a); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_ESTABLISHED); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + + /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */ + assert_single_notify(IN, INVALID_KE_PAYLOAD); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + assert_hook_rekey(ike_rekey, 1, 3); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYED); + assert_child_sa_count(b, 0); + sa = assert_ike_sa_checkout(3, 5, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + 
assert_child_sa_count(sa, 1); + assert_ike_sa_count(1); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ + assert_hook_rekey(ike_rekey, 1, 3); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_DELETING); + assert_child_sa_count(a, 0); + sa = assert_ike_sa_checkout(3, 5, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(2); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * Both peers initiate the IKE_SA rekeying concurrently and should handle the + * collision properly depending on the nonces. + */ +START_TEST(test_collision) +{ + ike_sa_t *a, *b, *sa; + status_t status; + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, NULL); + + /* When rekeyings collide we get two IKE_SAs with a total of four nonces. + * The IKE_SA with the lowest nonce SHOULD be deleted by the peer that + * created that IKE_SA. The replaced IKE_SA is deleted by the peer that + * initiated the surviving SA. + * Four nonces and SPIs are needed (SPI 1 and 2 are used for the initial + * IKE_SA): + * N1/3 -----\ /----- N2/4 + * \--/-----> N3/5 + * N4/6 <-------/ /----- ... + * ... -----\ + * We test this four times, each time a different nonce is the lowest. 
+ */ + struct { + /* Nonces used at each point */ + u_char nonces[4]; + /* SPIs of the deleted IKE_SAs (either redundant or replaced) */ + uint32_t del_a_i, del_a_r; + uint32_t del_b_i, del_b_r; + /* SPIs of the kept IKE_SA */ + uint32_t spi_i, spi_r; + } data[] = { + { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 }, + { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 2, 4, 6, 3, 5 }, + }; + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + initiate_rekey(a); + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + initiate_rekey(b); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[3]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* simplify next steps by checking in original IKE_SAs */ + charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + /* as original initiator a is initiator of both SAs it could delete */ + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + 
assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + /* if b won it will delete the original SA a initiated */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i == 1); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, + data[_i].del_a_i == 1); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(4); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Nr, KEr } --> */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + /* if b wins it deletes the SA originally initiated by a */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i != 1); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + /* a only deletes SAs for which b is responder */ + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, + data[_i].del_b_i == 1); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(6); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(5); + /* <-- INFORMATIONAL { D } */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i == 1); + status = 
exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(4); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(3); + /* INFORMATIONAL { } --> */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i != 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(2); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * Both peers initiate the IKE_SA rekeying concurrently but the proposed DH + * gropus are not the same. After handling the INVALID_KE_PAYLOAD they should + * still handle the collision properly depending on the nonces. 
+ */ +START_TEST(test_collision_ke_invalid) +{ + exchange_test_sa_conf_t conf = { + .initiator = { + .ike = "aes128-sha256-modp2048-modp3072", + }, + .responder = { + .ike = "aes128-sha256-modp3072-modp2048", + }, + }; + ike_sa_t *a, *b, *sa; + status_t status; + + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + FALSE, lib->ns); + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &conf); + + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + TRUE, lib->ns); + + /* Six nonces and SPIs are needed (SPI 1 and 2 are used for the initial + * IKE_SA): + * N1/3 -----\ /----- N2/4 + * \--/-----> N3/5 + * N4/6 <-------/ /---- INVAL_KE + * INVAL_KE -----\ / + * <-----\--/ + * N1/3 -----\ \-------> + * \ /---- N2/4 + * \--/----> N5/7 + * N6/8 <--------/ /---- ... + * ... ------\ + * We test this four times, each time a different nonce is the lowest. + */ + struct { + /* Nonces used at each point */ + u_char nonces[4]; + /* SPIs of the deleted IKE_SAs (either redundant or replaced) */ + uint32_t del_a_i, del_a_r; + uint32_t del_b_i, del_b_r; + /* SPIs of the kept IKE_SA */ + uint32_t spi_i, spi_r; + } data[] = { + { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 7, 1, 2, 4, 8 }, + { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 2, 4, 8, 3, 7 }, + { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 7, 1, 2, 4, 8 }, + { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 2, 4, 8, 3, 7 }, + }; + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + initiate_rekey(a); + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + initiate_rekey(b); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + 
assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[3]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + assert_hook_not_called(ike_rekey); + assert_single_notify(IN, INVALID_KE_PAYLOAD); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* CREATE_CHILD_SA { N(INVAL_KE) } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + assert_hook_not_called(child_rekey); + assert_single_notify(IN, INVALID_KE_PAYLOAD); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[3]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* simplify next steps by checking in original IKE_SAs */ + charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); + 
charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + /* as original initiator a is initiator of both SAs it could delete */ + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + /* if b won it will delete the original SA a initiated */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i == 1); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, + data[_i].del_a_i == 1); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(4); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Nr, KEr } --> */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + /* if b wins it deletes the SA originally initiated by a */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i != 1); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + /* a only deletes SAs for which b is responder */ + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, + data[_i].del_b_i == 1); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(6); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + status = 
exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(5); + /* <-- INFORMATIONAL { D } */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i == 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(4); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(3); + /* INFORMATIONAL { } --> */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i != 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(2); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * This is like the collision above but one of the retries is delayed. 
+ */
+START_TEST(test_collision_ke_invalid_delayed_retry)
+{
+ exchange_test_sa_conf_t conf = {
+ .initiator = {
+ .ike = "aes128-sha256-modp2048-modp3072",
+ },
+ .responder = {
+ .ike = "aes128-sha256-modp3072-modp2048",
+ },
+ };
+ ike_sa_t *a, *b, *sa;
+ message_t *msg;
+ status_t s;
+
+ lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
+ FALSE, lib->ns);
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, &conf);
+
+ lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
+ TRUE, lib->ns);
+
+ /* Five nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * IKE_SA):
+ * N1/3 -----\ /----- N2/4
+ * \--/-----> N3/5
+ * N4/6 <-------/ /---- INVAL_KE
+ * INVAL_KE -----\ /
+ * <-----\--/
+ * N1/3 -----\ \------->
+ * <-----\--------- N2/4
+ * N5/7 -------\------->
+ * <-------\------- DELETE
+ * ... ------\ \----->
+ * /---- TEMP_FAIL
+ *
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF } },
+ { { 0xFF, 0x00, 0xFF } },
+ { { 0xFF, 0xFF, 0x00 } },
+ };
+ /* these should never get called as this results in a successful rekeying */
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b);
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ assert_hook_not_called(ike_rekey);
+ assert_single_notify(IN, INVALID_KE_PAYLOAD);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { N(INVAL_KE) } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ assert_hook_not_called(child_rekey);
+ assert_single_notify(IN, INVALID_KE_PAYLOAD);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* delay the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Nr, KEr } --> */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_child_sa_count(b, 0);
+ sa = assert_ike_sa_checkout(4, 7, TRUE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(1);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> (delayed) */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_ike_sa_state(b, IKE_DELETING);
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ assert_single_payload(IN, PLV2_DELETE);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ sa = assert_ike_sa_checkout(4, 7, FALSE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(2);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ /* the SA is already gone */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+ msg->destroy(msg);
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_not_called(ike_rekey);
+ assert_message_empty(IN);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+
+ /* ike_updown/child_updown */
+ assert_hook();
+ assert_hook();
+
+ charon->ike_sa_manager->flush(charon->ike_sa_manager);
+}
+END_TEST
+
+/**
+ * This is like the rekey collision above, but one peer deletes the
+ * redundant/old SA before the other peer receives the CREATE_CHILD_SA
+ * response:
+ * Peer A Peer B
+ * rekey ----\ /---- rekey
+ * \-----/----> detect collision
+ * detect collision <---------/ /----
+ * -----------/---->
+ * handle delete <---------/------ delete redundant/old SA
+ * ---------/------>
+ * handle rekey <-------/
+ * delete SA ---------------->
+ * <----------------
+ *
+ * If peer B won the collision it deletes the old IKE_SA, in which case
+ * this situation is handled as if peer B was not aware of the collision (see
+ * below). That is, peer A finalizes the rekeying initiated by the peer and
+ * deletes the IKE_SA (it has no way of knowing whether the peer was aware of
+ * the collision or not). Peer B will expect the redundant IKE_SA to get
+ * deleted, but that will never happen if the response arrives after the SA is
+ * already gone. So a job should be queued that deletes it after a while.
+ *
+ * If peer B lost it will switch to the new IKE_SA and delete the redundant
+ * IKE_SA and expect a delete for the old IKE_SA. In this case peer A will
+ * simply retransmit until it receives a response to the rekey request, all the
+ * while ignoring the delete requests for the unknown IKE_SA. Afterwards,
+ * everything works as in a regular collision (however, until peer A receives
+ * the response it will not be able to receive any messages on the new IKE_SA).
+ */
+START_TEST(test_collision_delayed_response)
+{
+ ike_sa_t *a, *b, *sa;
+ message_t *msg, *d;
+ status_t s;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Four nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * IKE_SA):
+ * N1/3 -----\ /----- N2/4
+ * \--/-----> N3/5
+ * N4/6 <-------/ /----- ...
+ * ... -----\
+ * We test this four times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[4];
+ /* SPIs of the deleted IKE_SAs (either redundant or replaced) */
+ uint32_t del_a_i, del_a_r;
+ uint32_t del_b_i, del_b_r;
+ /* SPIs of the kept IKE_SA */
+ uint32_t spi_i, spi_r;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 2, 4, 6, 3, 5 },
+ };
+ /* these should never get called as this results in a successful rekeying */
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b);
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_REKEYING);
+ assert_child_sa_count(b, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[3];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* delay the CREATE_CHILD_SA response from b to a */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* simplify next steps by checking in original IKE_SAs */
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, a);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, b);
+ assert_ike_sa_count(2);
+
+ /* CREATE_CHILD_SA { SA, Nr, KEr } --> */
+ assert_hook_rekey(ike_rekey, 1, data[_i].spi_i);
+ /* besides the job that retransmits the delete, we expect a job that
+ * deletes the redundant IKE_SA if we expect the other to delete it */
+ assert_jobs_scheduled(data[_i].del_b_i == 1 ? 2 : 1);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ /* if b wins it deletes the SA originally initiated by a */
+ sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r,
+ data[_i].del_b_i != 1);
+ assert_ike_sa_state(sa, IKE_DELETING);
+ assert_child_sa_count(sa, 0);
+ /* a only deletes SAs for which b is responder */
+ sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE);
+ assert_ike_sa_state(sa, IKE_REKEYED);
+ assert_child_sa_count(sa, 0);
+ sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r,
+ data[_i].del_b_i == 1);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(4);
+ assert_scheduler();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } */
+ if (data[_i].del_b_i == 1)
+ { /* b won, it deletes the replaced IKE_SA */
+ assert_hook_rekey(ike_rekey, 1, data[_i].spi_i);
+ assert_single_payload(IN, PLV2_DELETE);
+ s = exchange_test_helper->process_message(exchange_test_helper, a,
+ NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, a);
+ sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, FALSE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(4);
+ assert_hook();
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_not_called(ike_rekey);
+ assert_message_empty(IN);
+ s = exchange_test_helper->process_message(exchange_test_helper, b,
+ NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, b);
+ assert_ike_sa_count(3);
+ assert_hook();
+ /* the job will later remove this redundant IKE_SA on b */
+ sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE);
+ assert_ike_sa_state(sa, IKE_REKEYED);
+ assert_sa_idle(sa);
+ /* <-- CREATE_CHILD_SA { SA, Nr, KEr } (delayed) */
+ /* the IKE_SA (a) does not exist anymore */
+ msg->destroy(msg);
+ }
+ else
+ { /* b lost, the delete is for the non-existing redundant IKE_SA */
+ d = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { SA, Nr, KEr } (delayed) */
+ assert_hook_rekey(ike_rekey, 1, data[_i].spi_i);
+ exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ /* as original initiator a is initiator of both SAs it could delete */
+ sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE);
+ assert_ike_sa_state(sa, IKE_DELETING);
+ assert_child_sa_count(sa, 0);
+ /* this is the redundant SA b is trying to delete */
+ sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, FALSE);
+ assert_ike_sa_state(sa, IKE_REKEYED);
+ assert_child_sa_count(sa, 0);
+ sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r,
+ data[_i].del_a_i == 1);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(6);
+ assert_hook();
+
+ /* we don't expect this hook to get called anymore */
+ assert_hook_not_called(ike_rekey);
+
+ /* INFORMATIONAL { D } --> */
+ assert_single_payload(IN, PLV2_DELETE);
+ sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE);
+ s = exchange_test_helper->process_message(exchange_test_helper, sa,
+ NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
+ assert_ike_sa_count(5);
+ /* <-- INFORMATIONAL { } */
+ assert_message_empty(IN);
+ sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE);
+ s = exchange_test_helper->process_message(exchange_test_helper, sa,
+ NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
+ assert_ike_sa_count(4);
+
+ /* <-- INFORMATIONAL { D } (retransmit/delayed) */
+ assert_single_payload(IN, PLV2_DELETE);
+ sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, FALSE);
+ s = exchange_test_helper->process_message(exchange_test_helper, sa, d);
+ ck_assert_int_eq(DESTROY_ME, s);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
+ assert_ike_sa_count(3);
+ /* INFORMATIONAL { } --> */
+ assert_message_empty(IN);
+ sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, TRUE);
+ s = exchange_test_helper->process_message(exchange_test_helper, sa,
+ NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
+ assert_ike_sa_count(2);
+ /* ike_rekey */
+ assert_hook();
+ }
+
+ /* ike_updown/child_updown */
+ assert_hook();
+ assert_hook();
+
+ charon->ike_sa_manager->flush(charon->ike_sa_manager);
+}
+END_TEST
+
+/**
+ * In this scenario one of the peers does not notice that there is a rekey
+ * collision because the other request is dropped:
+ *
+ * rekey ----\ /---- rekey
+ * \ /
+ * detect collision <-----\---/
+ * -------\-------->
+ * detect collision <-------\-------- delete old SA
+ * delete ---------\------>
+ * rekey done \-----> SA not found (or it never arrives)
+ */
+START_TEST(test_collision_dropped_request)
+{
+ ike_sa_t *a, *b, *sa;
+ message_t *msg;
+ status_t s;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Three nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * N3/5 <-----\--/
+ * ... -----\ \-------> ...
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ /* SPIs of the deleted IKE_SAs (either redundant or replaced) */
+ uint32_t del_a_i, del_a_r;
+ uint32_t del_b_i, del_b_r;
+ /* SPIs of the kept IKE_SA */
+ uint32_t spi_i, spi_r;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0x00, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ { { 0xFF, 0xFF, 0x00 }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ };
+ /* these should never get called as this results in a successful rekeying */
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a);
+ /* drop the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+ msg->destroy(msg);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b);
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_child_sa_count(b, 0);
+ sa = assert_ike_sa_checkout(4, 5, TRUE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(1);
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ assert_single_payload(IN, PLV2_DELETE);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ sa = assert_ike_sa_checkout(4, 5, FALSE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(2);
+ assert_hook();
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_not_called(ike_rekey);
+ assert_message_empty(IN);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+
+ /* ike_updown/child_updown */
+ assert_hook();
+ assert_hook();
+
+ charon->ike_sa_manager->flush(charon->ike_sa_manager);
+}
+END_TEST
+
+/**
+ * In this scenario one of the peers does not notice that there is a rekey
+ * collision because the other request is delayed:
+ *
+ * rekey ----\ /---- rekey
+ * \ /
+ * detect collision <-----\---/
+ * -------\-------->
+ * \ /---- delete old SA
+ * \-/----> detect collision
+ * detect collision <---------/ /---- TEMP_FAIL
+ * delete -----------/---->
+ * rekey done /
+ * sa already gone <--------/
+ */
+START_TEST(test_collision_delayed_request)
+{
+ ike_sa_t *a, *b, *sa;
+ message_t *msg;
+ status_t s;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Three nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * N3/5 <-----\--/
+ * ... -----\ \-------> ...
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ /* SPIs of the deleted IKE_SAs (either redundant or replaced) */
+ uint32_t del_a_i, del_a_r;
+ uint32_t del_b_i, del_b_r;
+ /* SPIs of the kept IKE_SA */
+ uint32_t spi_i, spi_r;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0x00, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ { { 0xFF, 0xFF, 0x00 }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ };
+ /* these should never get called as this results in a successful rekeying */
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b);
+
+ /* delay the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_child_sa_count(b, 0);
+ sa = assert_ike_sa_checkout(4, 5, TRUE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(1);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> (delayed) */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_ike_sa_state(b, IKE_DELETING);
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ assert_single_payload(IN, PLV2_DELETE);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ sa = assert_ike_sa_checkout(4, 5, FALSE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(2);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ /* the SA is already gone */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+ msg->destroy(msg);
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_not_called(ike_rekey);
+ assert_message_empty(IN);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+
+ /* ike_updown/child_updown */
+ assert_hook();
+ assert_hook();
+
+ charon->ike_sa_manager->flush(charon->ike_sa_manager);
+}
+END_TEST
+
+/**
+ * In this scenario one of the peers does not notice that there is a rekey
+ * collision and the delete arrives after the TEMPORARY_FAILURE notify:
+ *
+ * rekey ----\ /---- rekey
+ * \ /
+ * detect collision <-----\---/
+ * -------\-------->
+ * \ /---- delete old SA
+ * \-/----> detect collision
+ * no reschedule <---------/------ TEMP_FAIL
+ * detect collision <--------/
+ * delete ---------------->
+ * rekey done
+ */
+START_TEST(test_collision_delayed_request_and_delete)
+{
+ ike_sa_t *a, *b, *sa;
+ message_t *msg;
+ status_t s;
+
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+
+ /* Three nonces and SPIs are needed (SPI 1 and 2 are used for the initial
+ * CHILD_SA):
+ * N1/3 -----\ /----- N2/4
+ * N3/5 <-----\--/
+ * ... -----\ \-------> ...
+ * We test this three times, each time a different nonce is the lowest.
+ */
+ struct {
+ /* Nonces used at each point */
+ u_char nonces[3];
+ /* SPIs of the deleted IKE_SAs (either redundant or replaced) */
+ uint32_t del_a_i, del_a_r;
+ uint32_t del_b_i, del_b_r;
+ /* SPIs of the kept IKE_SA */
+ uint32_t spi_i, spi_r;
+ } data[] = {
+ { { 0x00, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0x00, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ { { 0xFF, 0xFF, 0x00 }, 3, 5, 1, 2, 4, 6 },
+ { { 0xFF, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 },
+ };
+ /* these should never get called as this results in a successful rekeying */
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[0];
+ initiate_rekey(a);
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[1];
+ initiate_rekey(b);
+
+ /* delay the CREATE_CHILD_SA request from a to b */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
+ exchange_test_helper->nonce_first_byte = data[_i].nonces[2];
+ assert_hook_not_called(ike_rekey);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYING);
+ assert_child_sa_count(a, 1);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_child_sa_count(b, 0);
+ sa = assert_ike_sa_checkout(4, 5, TRUE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(1);
+ assert_hook();
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> (delayed) */
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, msg);
+ assert_ike_sa_state(b, IKE_DELETING);
+
+ /* delay the INFORMATIONAL request from b to a */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_hook_rekey(ike_rekey, 1, 4);
+ assert_no_jobs_scheduled();
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_REKEYED);
+ assert_child_sa_count(a, 0);
+ sa = assert_ike_sa_checkout(4, 5, FALSE);
+ assert_ike_sa_state(sa, IKE_ESTABLISHED);
+ assert_child_sa_count(sa, 1);
+ assert_ike_sa_count(2);
+ assert_scheduler();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } (delayed) */
+ assert_single_payload(IN, PLV2_DELETE);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_not_called(ike_rekey);
+ assert_message_empty(IN);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+
+ /* ike_updown/child_updown */
+ assert_hook();
+ assert_hook();
+
+ charon->ike_sa_manager->flush(charon->ike_sa_manager);
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a DELETE of the IKE_SA the other peer is
+ * concurrently trying to rekey.
+ *
+ * rekey ----\ /---- delete
+ * \-----/----> detect collision
+ * detect collision <---------/ /---- TEMP_FAIL
+ * delete ----\ /
+ * \----/----->
+ * sa already gone <--------/
+ */
+START_TEST(test_collision_delete)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+ status_t s;
+
+ if (_i)
+ { /* responder rekeys the IKE_SA */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the IKE_SA */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ /* this should never get called as this does not result in a successful
+ * rekeying on either side */
+ assert_hook_not_called(ike_rekey);
+
+ initiate_rekey(a);
+ call_ikesa(b, delete);
+ assert_ike_sa_state(b, IKE_DELETING);
+
+ /* RFC 7296, 2.25.2: If a peer receives a request to rekey an IKE SA that
+ * it is currently trying to close, it SHOULD reply with TEMPORARY_FAILURE.
+ */
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ assert_hook_not_called(ike_updown);
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* RFC 7296, 2.25.2: If a peer receives a request to close an IKE SA that
+ * it is currently rekeying, it SHOULD reply as usual, and forget its own
+ * rekeying request.
+ */
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_message_empty(OUT);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ /* the SA is already gone */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+ msg->destroy(msg);
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* ike_rekey */
+ assert_hook();
+}
+END_TEST
+
+/**
+ * One of the hosts initiates a DELETE of the IKE_SA the other peer is
+ * concurrently trying to rekey. However, the delete request is delayed or
+ * dropped, so the peer doing the rekeying is unaware of the collision.
+ *
+ * rekey ----\ /---- delete
+ * \-----/----> detect collision
+ * reschedule <---------/------ TEMP_FAIL
+ * <--------/
+ * delete ---------------->
+ */
+START_TEST(test_collision_delete_drop_delete)
+{
+ ike_sa_t *a, *b;
+ message_t *msg;
+ status_t s;
+
+ if (_i)
+ { /* responder rekeys the IKE_SA */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &b, &a, NULL);
+ }
+ else
+ { /* initiator rekeys the IKE_SA */
+ exchange_test_helper->establish_sa(exchange_test_helper,
+ &a, &b, NULL);
+ }
+ /* this should never get called as this does not result in a successful
+ * rekeying on either side */
+ assert_hook_not_called(ike_rekey);
+
+ initiate_rekey(a);
+ call_ikesa(b, delete);
+ assert_ike_sa_state(b, IKE_DELETING);
+
+ /* RFC 7296, 2.25.2: If a peer receives a request to rekey an IKE SA that
+ * it is currently trying to close, it SHOULD reply with TEMPORARY_FAILURE.
+ */
+
+ /* CREATE_CHILD_SA { SA, Ni, KEi } --> */
+ assert_hook_not_called(ike_updown);
+ assert_single_notify(OUT, TEMPORARY_FAILURE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_ike_sa_state(b, IKE_DELETING);
+ assert_ike_sa_count(0);
+ assert_hook();
+
+ /* delay the DELETE request */
+ msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+
+ /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */
+ assert_hook_not_called(ike_updown);
+ assert_hook_not_called(child_updown);
+ /* we expect a job to retry the rekeying is scheduled */
+ assert_jobs_scheduled(1);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_ike_sa_state(a, IKE_ESTABLISHED);
+ assert_scheduler();
+ assert_hook();
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } (delayed) */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ assert_single_payload(IN, PLV2_DELETE);
+ assert_message_empty(OUT);
+ s = exchange_test_helper->process_message(exchange_test_helper, a, msg);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(a, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* INFORMATIONAL { } --> */
+ assert_hook_updown(ike_updown, FALSE);
+ assert_hook_updown(child_updown, FALSE);
+ s = exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ ck_assert_int_eq(DESTROY_ME, s);
+ call_ikesa(b, destroy);
+ assert_hook();
+ assert_hook();
+
+ /* ike_rekey */
+ assert_hook();
+}
+END_TEST
+
+Suite *ike_rekey_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("ike rekey");
+
+ tc = tcase_create("regular");
+ tcase_add_loop_test(tc, test_regular, 0, 2);
+ tcase_add_loop_test(tc, test_regular_ke_invalid, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions rekey");
+ tcase_add_loop_test(tc, test_collision, 0, 4);
+ tcase_add_loop_test(tc, test_collision_ke_invalid, 0, 4);
+ tcase_add_loop_test(tc, test_collision_ke_invalid_delayed_retry, 0, 3);
+ tcase_add_loop_test(tc, test_collision_delayed_response, 0, 4);
+ tcase_add_loop_test(tc, test_collision_dropped_request, 0, 3);
+ tcase_add_loop_test(tc, test_collision_delayed_request, 0, 3);
+ tcase_add_loop_test(tc, test_collision_delayed_request_and_delete, 0, 3);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("collisions delete");
+ tcase_add_loop_test(tc, test_collision_delete, 0, 2);
+ tcase_add_loop_test(tc, test_collision_delete_drop_delete, 0, 2);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libcharon/tests/suites/test_message_chapoly.c b/src/libcharon/tests/suites/test_message_chapoly.c
index e871cf6c2..f4a74abb4 100644
--- a/src/libcharon/tests/suites/test_message_chapoly.c
+++ b/src/libcharon/tests/suites/test_message_chapoly.c
@@ -40,7 +40,7 @@ METHOD(aead_t, get_iv_gen, iv_gen_t*,
 }
 METHOD(iv_gen_t, get_iv, bool,
- iv_gen_t *this, u_int64_t seq, size_t size, u_int8_t *buffer)
+ iv_gen_t *this, uint64_t seq, size_t size, uint8_t *buffer)
 {
 if (size != 8)
 {
@@ -51,7 +51,7 @@ METHOD(iv_gen_t, get_iv, bool,
 }
 METHOD(iv_gen_t, allocate_iv, bool,
- iv_gen_t *this, u_int64_t seq, size_t size, chunk_t *chunk)
+ iv_gen_t *this, uint64_t seq, size_t size, chunk_t *chunk)
 {
 if (size != 8)
 {
@@ -66,10 +66,10 @@ METHOD(iv_gen_t, allocate_iv, bool,
 */
 START_TEST(test_chacha20poly1305)
 {
- u_int64_t spii, spir;
+ uint64_t spii, spir;
 ike_sa_id_t *id;
 message_t *m;
- u_int32_t window = htonl(10);
+ uint32_t window = htonl(10);
 chunk_t chunk, exp;
 keymat_t keymat = {
 .get_version = _get_version,
diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libcharon/tests/suites/test_proposal.c
new file mode 100644
index 000000000..a6226f68f
--- /dev/null
+++ b/src/libcharon/tests/suites/test_proposal.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <config/proposal.h>
+
+static struct {
+ char *self;
+ char *other;
+ char *expected;
+} select_data[] = {
+ { "aes128", "aes128", "aes128" },
+ { "aes128", "aes256", NULL },
+ { "aes128-aes256", "aes256-aes128", "aes128" },
+ { "aes256-aes128", "aes128-aes256", "aes256" },
+ { "aes128-aes256-sha1-sha256", "aes256-aes128-sha256-sha1", "aes128-sha1" },
+ { "aes256-aes128-sha256-sha1", "aes128-aes256-sha1-sha256", "aes256-sha256" },
+ { "aes128-sha256-modp3072", "aes128-sha256", NULL },
+ { "aes128-sha256", "aes128-sha256-modp3072", NULL },
+ { "aes128-sha256-modp3072", "aes128-sha256-modpnone", NULL },
+ { "aes128-sha256-modpnone", "aes128-sha256-modp3072", NULL },
+ { "aes128-sha256-modp3072-modpnone", "aes128-sha256", "aes128-sha256" },
+ { "aes128-sha256", "aes128-sha256-modp3072-modpnone", "aes128-sha256" },
+ { "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072" },
+ { "aes128-sha256-modpnone-modp3072", "aes128-sha256-modp3072-modpnone", "aes128-sha256-modpnone" },
+};
+
+START_TEST(test_select)
+{
+ proposal_t *self, *other, *selected, *expected;
+
+ self = proposal_create_from_string(PROTO_ESP,
+ select_data[_i].self);
+ other = proposal_create_from_string(PROTO_ESP,
+ select_data[_i].other);
+ selected = self->select(self, other, FALSE);
+ if (select_data[_i].expected)
+ {
+ expected = proposal_create_from_string(PROTO_ESP,
+ select_data[_i].expected);
+ ck_assert(selected);
+ ck_assert_msg(expected->equals(expected, selected), "proposal %P does "
+ "not match expected %P", selected, expected);
+ expected->destroy(expected);
+ }
+ else
+ {
+ ck_assert(!selected);
+ }
+ DESTROY_IF(selected);
+ other->destroy(other);
+ self->destroy(self);
+}
+END_TEST
+
+Suite *proposal_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("proposal");
+
+ tc = tcase_create("select");
+ tcase_add_loop_test(tc, test_select, 0, countof(select_data));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libcharon/tests/utils/exchange_test_asserts.c b/src/libcharon/tests/utils/exchange_test_asserts.c
new file mode 100644
index 000000000..2602b97b7
--- /dev/null
+++ b/src/libcharon/tests/utils/exchange_test_asserts.c
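Review bot: In test_select the two `proposal_create_from_string` results are used without a NULL check, so a malformed entry in select_data would dereference NULL at `self->select(self, other, FALSE)` (and later at `expected->equals(...)`) and abort the whole test binary instead of failing that one loop iteration with a usable message. Adding `ck_assert(self); ck_assert(other);` after the two creates, and `ck_assert(expected);` before the equals call, turns a bad table entry into an assertion failure that names the offending `_i`. I am assuming proposal_create_from_string returns NULL on an unparsable string; its implementation is outside this diff.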
@@ -0,0 +1,182 @@ +/* + * Copyright (C) 2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <inttypes.h> + +#include <test_suite.h> + +#include "exchange_test_asserts.h" + +/* + * Described in header + */ +bool exchange_test_asserts_hook(listener_t *listener) +{ + listener_hook_assert_t *this = (listener_hook_assert_t*)listener; + + this->count++; + return TRUE; +} + +/* + * Described in header + */ +bool exchange_test_asserts_ike_updown(listener_t *listener, ike_sa_t *ike_sa, + bool up) +{ + listener_hook_assert_t *this = (listener_hook_assert_t*)listener; + + this->count++; + assert_listener_msg(this->up == up, this, "IKE_SA not '%s'", + this->up ? "up" : "down"); + return TRUE; +} + +/* + * Described in header + */ +bool exchange_test_asserts_child_updown(listener_t *listener, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up) +{ + listener_hook_assert_t *this = (listener_hook_assert_t*)listener; + + this->count++; + assert_listener_msg(this->up == up, this, "CHILD_SA not '%s'", + this->up ? 
"up" : "down"); + return TRUE; +} + +/* + * Described in header + */ +bool exchange_test_asserts_ike_rekey(listener_t *listener, ike_sa_t *old, + ike_sa_t *new) +{ + listener_hook_assert_t *this = (listener_hook_assert_t*)listener; + ike_sa_id_t *id; + uint64_t spi; + + this->count++; + id = old->get_id(old); + spi = id->get_initiator_spi(id); + assert_listener_msg(this->spi_old == spi, this, "unexpected old IKE_SA " + "%.16"PRIx64"_i instead of %.16"PRIx64"_i", + be64toh(spi), be64toh(this->spi_old)); + id = new->get_id(new); + spi = id->get_initiator_spi(id); + assert_listener_msg(this->spi_new == spi, this, "unexpected new IKE_SA " + "%.16"PRIx64"_i instead of %.16"PRIx64"_i", + be64toh(spi), be64toh(this->spi_new)); + return TRUE; +} + +/* + * Described in header + */ +bool exchange_test_asserts_child_rekey(listener_t *listener, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new) +{ + listener_hook_assert_t *this = (listener_hook_assert_t*)listener; + uint32_t spi, expected; + + this->count++; + spi = old->get_spi(old, TRUE); + expected = this->spi_old; + assert_listener_msg(expected == spi, this, "unexpected old CHILD_SA %.8x " + "instead of %.8x", spi, expected); + spi = new->get_spi(new, TRUE); + expected = this->spi_new; + assert_listener_msg(expected == spi, this, "unexpected new CHILD_SA %.8x " + "instead of %.8x", spi, expected); + return TRUE; +} + +/** + * Assert a given message rule + */ +static void assert_message_rule(listener_message_assert_t *this, message_t *msg, + listener_message_rule_t *rule) +{ + if (rule->expected) + { + if (rule->payload) + { + assert_listener_msg(msg->get_payload(msg, rule->payload), + this, "expected payload (%N) not found", + payload_type_names, rule->payload); + + } + if (rule->notify) + { + assert_listener_msg(msg->get_notify(msg, rule->notify), + this, "expected notify payload (%N) not found", + notify_type_names, rule->notify); + } + } + else + { + if (rule->payload) + { + assert_listener_msg(!msg->get_payload(msg, 
rule->payload), + this, "unexpected payload (%N) found", + payload_type_names, rule->payload); + + } + if (rule->notify) + { + assert_listener_msg(!msg->get_notify(msg, rule->notify), + this, "unexpected notify payload (%N) found", + notify_type_names, rule->notify); + } + } +} + +/* + * Described in header + */ +bool exchange_test_asserts_message(listener_t *listener, ike_sa_t *ike_sa, + message_t *message, bool incoming, bool plain) +{ + listener_message_assert_t *this = (listener_message_assert_t*)listener; + + if (plain && this->incoming == incoming) + { + if (this->count >= 0) + { + enumerator_t *enumerator; + int count = 0; + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, NULL)) + { + count++; + } + enumerator->destroy(enumerator); + assert_listener_msg(this->count == count, this, "unexpected payload " + "count in message (%d != %d)", this->count, + count); + } + if (this->num_rules) + { + int i; + + for (i = 0; i < this->num_rules; i++) + { + assert_message_rule(this, message, &this->rules[i]); + } + } + return FALSE; + } + return TRUE; +} diff --git a/src/libcharon/tests/utils/exchange_test_asserts.h b/src/libcharon/tests/utils/exchange_test_asserts.h new file mode 100644 index 000000000..32afcc2e4 --- /dev/null +++ b/src/libcharon/tests/utils/exchange_test_asserts.h 
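Review bot: In exchange_test_asserts_child_rekey the assignments `expected = this->spi_old;` and `expected = this->spi_new;` silently narrow the uint64_t fields of listener_hook_assert_t to uint32_t, so the "%.8x" in the failure message shows a truncated expected value if a caller ever hands a 64-bit SPI to assert_hook_rekey() for a child_rekey hook. Making the narrowing explicit, `expected = (uint32_t)this->spi_old; /* CHILD_SA SPIs are 32 bit */`, documents the intent and keeps -Wconversion quiet. In assert_message_rule, a rule with `expected` set but neither `payload` nor `notify` set passes vacuously; a comment on the struct, or `assert_listener_msg(rule->payload || rule->notify, this, "empty rule");` at the top, would catch an empty rule instead of letting it look like a passed check.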
@@ -0,0 +1,343 @@ +/* + * Copyright (C) 2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * Special assertions using listener_t. + * + * @defgroup exchange_test_asserts exchange_test_asserts + * @{ @ingroup test_utils_c + */ + +#ifndef EXCHANGE_TEST_ASSERTS_H_ +#define EXCHANGE_TEST_ASSERTS_H_ + +#include <bus/listeners/listener.h> + +typedef struct listener_hook_assert_t listener_hook_assert_t; +typedef struct listener_message_assert_t listener_message_assert_t; +typedef struct listener_message_rule_t listener_message_rule_t; + +struct listener_hook_assert_t { + + /** + * Implemented interface + */ + listener_t listener; + + /** + * Original source file + */ + const char *file; + + /** + * Source line + */ + int line; + + /** + * Name of the hook + */ + const char *name; + + /** + * Expected number of calls (-1 to ignore) + */ + int expected; + + /** + * Number of times the hook was called + */ + int count; + + /** + * Expected updown result + */ + bool up; + + /** + * Initiator/Inbound SPIs to expect in rekey event + */ + uint64_t spi_old, spi_new; +}; + +/** + * Basic callback for methods on listener_t, counting the number of calls. + */ +bool exchange_test_asserts_hook(listener_t *this); + +/** + * Implementation of listener_t::ike_updown. + */ +bool exchange_test_asserts_ike_updown(listener_t *this, ike_sa_t *ike_sa, + bool up); + +/** + * Implementation of listener_t::child_updown. 
+ */ +bool exchange_test_asserts_child_updown(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up); + +/** + * Implementation of listener_t::ike_rekey. + */ +bool exchange_test_asserts_ike_rekey(listener_t *this, ike_sa_t *old, + ike_sa_t *new); + +/** + * Implementation of listener_t::child_rekey. + */ +bool exchange_test_asserts_child_rekey(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new); + +/** + * Check if a statement evaluates to TRUE, use original source file and line + * in the error message if not. + * + * @param x statement to evaluate + * @param l listener providing original source file and line + * @param fmt printf format string + * @param ... arguments for fmt + */ +#define assert_listener_msg(x, l, fmt, ...) ({ \ + test_fail_if_worker_failed(); \ + if (!(x)) \ + { \ + test_fail_msg((l)->file, (l)->line, "%s: " fmt, #x, ##__VA_ARGS__); \ + } \ +}) + +/** + * Initialize an assertion that enforces that the given hook was called. + * Must be matched by a call to assert_hook(). + * + * @param name name of the hook + */ +#define assert_hook_called(name) \ + _assert_hook_init(name, exchange_test_asserts_hook, .expected = 1) + +/** + * Initialize an assertion that enforces that the given hook was not called. + * Must be matched by a call to assert_hook(). + * + * @param name name of the hook + */ +#define assert_hook_not_called(name) \ + _assert_hook_init(name, exchange_test_asserts_hook, .expected = 0) + +/** + * Initialize an assertion that enforces that the given updown hook was called + * with the expected result. + * Must be matched by a call to assert_hook(). + * + * @param name name of the hook + * @param e whether to expect up in the hook to be TRUE or not + */ +#define assert_hook_updown(name, e) \ + _assert_hook_init(name, \ + streq(#name, "ike_updown") ? 
(void*)exchange_test_asserts_ike_updown \ + : (void*)exchange_test_asserts_child_updown, \ + .expected = 1, \ + .up = e, \ + ) + +/** + * Initialize an assertion that enforces that the given rekey hook was called + * with the SAs with the matching initiator/inbound SPIs. + * Must be matched by a call to assert_hook(). + * + * @param name name of the hook + * @param old SPI of the old SA + * @param new SPI of the new SA + */ +#define assert_hook_rekey(name, old, new) \ + _assert_hook_init(name, \ + streq(#name, "ike_rekey") ? (void*)exchange_test_asserts_ike_rekey \ + : (void*)exchange_test_asserts_child_rekey, \ + .expected = 1, \ + .spi_old = old, \ + .spi_new = new, \ + ) + +/** + * Initialize assertions against invocations of listener_t hooks. Each call + * must be matched by a call to assert_hook(). + */ +#define _assert_hook_init(n, callback, ...) \ +do { \ + listener_hook_assert_t _hook_listener = { \ + .listener = { .n = (void*)callback, }, \ + .file = __FILE__, \ + .line = __LINE__, \ + .name = #n, \ + ##__VA_ARGS__ \ + }; \ + exchange_test_helper->add_listener(exchange_test_helper, &_hook_listener.listener) + +/** + * Enforce the most recently initialized hook assertion. 
+ */ +#define assert_hook() \ + charon->bus->remove_listener(charon->bus, &_hook_listener.listener); \ + if (_hook_listener.expected > 0) { \ + if (_hook_listener.count > 0) { \ + assert_listener_msg(_hook_listener.expected == _hook_listener.count, \ + &_hook_listener, "hook '%s' was called %d times " \ + "instead of %d", _hook_listener.name, \ + _hook_listener.count, _hook_listener.expected); \ + } else { \ + assert_listener_msg(_hook_listener.count, &_hook_listener, \ + "hook '%s' was not called (expected %d)", _hook_listener.name, \ + _hook_listener.expected); \ + } \ + } else if (_hook_listener.expected == 0) { \ + assert_listener_msg(_hook_listener.count == 0, &_hook_listener, \ + "hook '%s' was called unexpectedly", _hook_listener.name); \ + } \ +} while(FALSE) + +/** + * Rules regarding payloads/notifies to expect/not expect in a message + */ +struct listener_message_rule_t { + + /** + * Whether the payload/notify is expected in the message, FALSE to fail if + * it is found + */ + bool expected; + + /** + * Payload type to expect/not expect + */ + payload_type_t payload; + + /** + * Notify type to expect/not expect (paylod type does not have to be + * specified) + */ + notify_type_t notify; +}; + +/** + * Data used to check plaintext messages via listener_t + */ +struct listener_message_assert_t { + + /** + * Implemented interface + */ + listener_t listener; + + /** + * Original source file + */ + const char *file; + + /** + * Source line + */ + int line; + + /** + * Whether to check the next inbound or outbound message + */ + bool incoming; + + /** + * Payload count to expect (-1 to ignore the count) + */ + int count; + + /** + * Payloads to expect or not expect in a message + */ + listener_message_rule_t *rules; + + /** + * Number of rules + */ + int num_rules; +}; + +/** + * Implementation of listener_t::message collecting data and asserting + * certain things. 
+ */ +bool exchange_test_asserts_message(listener_t *this, ike_sa_t *ike_sa, + message_t *message, bool incoming, bool plain); + +/** + * Assert that the next in- or outbound plaintext message is empty. + * + * @param dir IN or OUT to check the next in- or outbound message + */ +#define assert_message_empty(dir) \ + _assert_payload(dir, 0) + +/** + * Assert that the next in- or outbound plaintext message contains exactly + * one payload of the given type. + * + * @param dir IN or OUT to check the next in- or outbound message + * @param expected expected payload type + */ +#define assert_single_payload(dir, expected) \ + _assert_payload(dir, 1, { TRUE, expected, 0 }) + +/** + * Assert that the next in- or outbound plaintext message contains exactly + * one notify of the given type. + * + * @param dir IN or OUT to check the next in- or outbound message + * @param expected expected notify type + */ +#define assert_single_notify(dir, expected) \ + _assert_payload(dir, 1, { TRUE, 0, expected }) + +/** + * Assert that the next in- or outbound plaintext message contains a notify + * of the given type. + * + * @param dir IN or OUT to check the next in- or outbound message + * @param expected expected notify type + */ +#define assert_notify(dir, expected) \ + _assert_payload(dir, -1, { TRUE, 0, expected }) + +/** + * Assert that the next in- or outbound plaintext message does not contain a + * notify of the given type. + * + * @param dir IN or OUT to check the next in- or outbound message + * @param unexpected not expected notify type + */ +#define assert_no_notify(dir, unexpected) \ + _assert_payload(dir, -1, { FALSE, 0, unexpected }) + +#define _assert_payload(dir, c, ...) ({ \ + listener_message_rule_t _rules[] = { __VA_ARGS__ }; \ + listener_message_assert_t _listener = { \ + .listener = { .message = exchange_test_asserts_message, }, \ + .file = __FILE__, \ + .line = __LINE__, \ + .incoming = streq(#dir, "IN") ? 
TRUE : FALSE, \ + .count = c, \ + .rules = _rules, \ + .num_rules = countof(_rules), \ + }; \ + exchange_test_helper->add_listener(exchange_test_helper, &_listener.listener); \ +}) + +#endif /** EXCHANGE_TEST_ASSERTS_H_ @}*/ diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c new file mode 100644 index 000000000..f32906d5d --- /dev/null +++ b/src/libcharon/tests/utils/exchange_test_helper.c 
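Review bot: `_assert_payload` registers `&_listener.listener` with the bus, but `_listener` and `_rules` are automatic variables declared inside the `({ ... })` statement expression, so their lifetime ends at the closing `})` while the bus still holds the pointer until exchange_test_asserts_message() returns FALSE for a matching message; that is a dangling pointer and only works while the stack slot happens to stay untouched. `_assert_hook_init`, by contrast, keeps `_hook_listener` alive by opening a `do {` block that assert_hook() closes; the message assertions would be safe if they used the same open-block pattern with a matching closing macro, or if the helper copied the listener and rules instead of storing the pointer. A comment at `_assert_payload` stating that the listener must be consumed by the very next processed message would at least document the assumption. Also, "paylod" in the listener_message_rule_t notify comment should read "payload".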
@@ -0,0 +1,372 @@ +/* + * Copyright (C) 2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "exchange_test_helper.h" +#include "mock_dh.h" +#include "mock_ipsec.h" +#include "mock_nonce_gen.h" + +#include <collections/array.h> +#include <credentials/sets/mem_cred.h> + +typedef struct private_exchange_test_helper_t private_exchange_test_helper_t; +typedef struct private_backend_t private_backend_t; + +/** + * Private data + */ +struct private_exchange_test_helper_t { + + /** + * Public interface + */ + exchange_test_helper_t public; + + /** + * Credentials + */ + mem_cred_t *creds; + + /** + * IKE_SA SPI counter + */ + refcount_t ike_spi; + + /** + * List of registered listeners + */ + array_t *listeners; +}; + +/** + * Custom backend_t implementation + */ +struct private_backend_t { + + /** + * Public interface + */ + backend_t public; + + /** + * Responder ike_cfg + */ + ike_cfg_t *ike_cfg; + + /** + * Responder peer_cfg/child_cfg + */ + peer_cfg_t *peer_cfg; +}; + +CALLBACK(get_ike_spi, uint64_t, + private_exchange_test_helper_t *this) +{ + return (uint64_t)ref_get(&this->ike_spi); +} + +/* + * Described in header + */ +exchange_test_helper_t *exchange_test_helper; + +static ike_cfg_t *create_ike_cfg(bool initiator, exchange_test_sa_conf_t *conf) +{ + ike_cfg_t *ike_cfg; + char *proposal = NULL; + + ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "127.0.0.1", IKEV2_UDP_PORT, + "127.0.0.1", 
IKEV2_UDP_PORT, FRAGMENTATION_NO, 0); + if (conf) + { + proposal = initiator ? conf->initiator.ike : conf->responder.ike; + } + if (proposal) + { + ike_cfg->add_proposal(ike_cfg, + proposal_create_from_string(PROTO_IKE, proposal)); + } + else + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + } + return ike_cfg; +} + +static child_cfg_t *create_child_cfg(bool initiator, + exchange_test_sa_conf_t *conf) +{ + child_cfg_t *child_cfg; + child_cfg_create_t child = { + .mode = MODE_TUNNEL, + }; + char *proposal = NULL; + + child_cfg = child_cfg_create(initiator ? "init" : "resp", &child); + if (conf) + { + proposal = initiator ? conf->initiator.esp : conf->responder.esp; + } + if (proposal) + { + child_cfg->add_proposal(child_cfg, + proposal_create_from_string(PROTO_ESP, proposal)); + } + else + { + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + } + child_cfg->add_traffic_selector(child_cfg, TRUE, + traffic_selector_create_dynamic(0, 0, 65535)); + child_cfg->add_traffic_selector(child_cfg, FALSE, + traffic_selector_create_dynamic(0, 0, 65535)); + return child_cfg; +} + +static void add_auth_cfg(peer_cfg_t *peer_cfg, bool initiator, bool local) +{ + auth_cfg_t *auth; + char *id = "init"; + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); + if (initiator ^ local) + { + id = "resp"; + } + auth->add(auth, AUTH_RULE_IDENTITY, identification_create_from_string(id)); + peer_cfg->add_auth_cfg(peer_cfg, auth, local); +} + +static peer_cfg_t *create_peer_cfg(bool initiator, + exchange_test_sa_conf_t *conf) +{ + peer_cfg_t *peer_cfg; + peer_cfg_create_t peer = { + .cert_policy = CERT_SEND_IF_ASKED, + .unique = UNIQUE_REPLACE, + .keyingtries = 1, + }; + + peer_cfg = peer_cfg_create(initiator ? 
"init" : "resp", + create_ike_cfg(initiator, conf), &peer); + add_auth_cfg(peer_cfg, initiator, TRUE); + add_auth_cfg(peer_cfg, initiator, FALSE); + return peer_cfg; +} + +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_backend_t *this, host_t *me, host_t *other) +{ + return enumerator_create_single(this->ike_cfg, NULL); +} + +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_backend_t *this, identification_t *me, identification_t *other) +{ + return enumerator_create_single(this->peer_cfg, NULL); +} + +METHOD(exchange_test_helper_t, process_message, status_t, + private_exchange_test_helper_t *this, ike_sa_t *ike_sa, message_t *message) +{ + status_t status = FAILED; + ike_sa_id_t *id; + + if (!message) + { + message = this->public.sender->dequeue(this->public.sender); + } + id = message->get_ike_sa_id(message); + id = id->clone(id); + id->switch_initiator(id); + if (!id->get_responder_spi(id) || id->equals(id, ike_sa->get_id(ike_sa))) + { + charon->bus->set_sa(charon->bus, ike_sa); + status = ike_sa->process_message(ike_sa, message); + charon->bus->set_sa(charon->bus, NULL); + } + message->destroy(message); + id->destroy(id); + return status; +} + +METHOD(exchange_test_helper_t, establish_sa, void, + private_exchange_test_helper_t *this, ike_sa_t **init, ike_sa_t **resp, + exchange_test_sa_conf_t *conf) +{ + private_backend_t backend = { + .public = { + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .get_peer_cfg_by_name = (void*)return_null, + }, + }; + ike_sa_id_t *id_i, *id_r; + ike_sa_t *sa_i, *sa_r; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + + sa_i = *init = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, + IKEV2, TRUE); + id_i = sa_i->get_id(sa_i); + + sa_r = *resp = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, + IKEV2, FALSE); + id_r = sa_r->get_id(sa_r); + + peer_cfg = create_peer_cfg(TRUE, conf); + 
child_cfg = create_child_cfg(TRUE, conf); + peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg)); + sa_i->set_peer_cfg(sa_i, peer_cfg); + peer_cfg->destroy(peer_cfg); + call_ikesa(sa_i, initiate, child_cfg, 0, NULL, NULL); + + backend.ike_cfg = create_ike_cfg(FALSE, conf); + peer_cfg = backend.peer_cfg = create_peer_cfg(FALSE, conf); + child_cfg = create_child_cfg(FALSE, conf); + peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg)); + child_cfg->destroy(child_cfg); + charon->backends->add_backend(charon->backends, &backend.public); + + /* IKE_SA_INIT --> */ + id_r->set_initiator_spi(id_r, id_i->get_initiator_spi(id_i)); + process_message(this, sa_r, NULL); + /* <-- IKE_SA_INIT */ + id_i->set_responder_spi(id_i, id_r->get_responder_spi(id_r)); + process_message(this, sa_i, NULL); + /* IKE_AUTH --> */ + process_message(this, sa_r, NULL); + /* <-- IKE_AUTH */ + process_message(this, sa_i, NULL); + + charon->backends->remove_backend(charon->backends, &backend.public); + DESTROY_IF(backend.peer_cfg); + DESTROY_IF(backend.ike_cfg); +} + +METHOD(exchange_test_helper_t, add_listener, void, + private_exchange_test_helper_t *this, listener_t *listener) +{ + array_insert_create(&this->listeners, ARRAY_TAIL, listener); + charon->bus->add_listener(charon->bus, listener); +} + +/** + * Enable logging in charon as requested + */ +static void initialize_logging() +{ + int level = LEVEL_SILENT; + char *verbosity; + + verbosity = getenv("TESTS_VERBOSITY"); + if (verbosity) + { + level = atoi(verbosity); + } + lib->settings->set_int(lib->settings, "%s.filelog.stderr.default", + lib->settings->get_int(lib->settings, "%s.filelog.stderr.default", + level, lib->ns), lib->ns); + lib->settings->set_bool(lib->settings, "%s.filelog.stderr.ike_name", TRUE, + lib->ns); + charon->load_loggers(charon, NULL, TRUE); +} + +/** + * Create a nonce generator with the first byte + */ +static nonce_gen_t *create_nonce_gen() +{ + return 
mock_nonce_gen_create(exchange_test_helper->nonce_first_byte); +} + +/* + * Described in header + */ +void exchange_test_helper_init(char *plugins) +{ + private_exchange_test_helper_t *this; + plugin_feature_t features[] = { + PLUGIN_REGISTER(DH, mock_dh_create), + /* we only need to support a limited number of DH groups */ + PLUGIN_PROVIDE(DH, MODP_2048_BIT), + PLUGIN_PROVIDE(DH, MODP_3072_BIT), + PLUGIN_PROVIDE(DH, ECP_256_BIT), + PLUGIN_REGISTER(NONCE_GEN, create_nonce_gen), + PLUGIN_PROVIDE(NONCE_GEN), + PLUGIN_DEPENDS(RNG, RNG_WEAK), + }; + + INIT(this, + .public = { + .sender = mock_sender_create(), + .establish_sa = _establish_sa, + .process_message = _process_message, + .add_listener = _add_listener, + }, + .creds = mem_cred_create(), + ); + + initialize_logging(); + lib->plugins->add_static_features(lib->plugins, "exchange-test-helper", + features, countof(features), TRUE, NULL, NULL); + /* the libcharon unit tests only load the libstrongswan plugins, unless + * TESTS_PLUGINS is defined */ + charon->initialize(charon, plugins); + lib->plugins->status(lib->plugins, LEVEL_CTRL); + + /* the original sender is not initialized because there is no socket */ + charon->sender = (sender_t*)this->public.sender; + /* and there is no kernel plugin loaded + * TODO: we'd have more control if we'd implement kernel_interface_t */ + charon->kernel->add_ipsec_interface(charon->kernel, mock_ipsec_create); + /* like SPIs for IPsec SAs, make IKE SPIs predictable */ + charon->ike_sa_manager->set_spi_cb(charon->ike_sa_manager, get_ike_spi, + this); + + lib->credmgr->add_set(lib->credmgr, &this->creds->set); + + this->creds->add_shared(this->creds, + shared_key_create(SHARED_IKE, chunk_clone(chunk_from_str("test"))), + identification_create_from_string("%any"), NULL); + + exchange_test_helper = &this->public; +} + +/* + * Described in header + */ +void exchange_test_helper_deinit() +{ + private_exchange_test_helper_t *this; + listener_t *listener; + + this = 
(private_exchange_test_helper_t*)exchange_test_helper; + + while (array_remove(this->listeners, ARRAY_HEAD, &listener)) + { + charon->bus->remove_listener(charon->bus, listener); + } + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->creds->destroy(this->creds); + /* flush SAs before destroying the sender (in case of test failures) */ + charon->ike_sa_manager->flush(charon->ike_sa_manager); + /* charon won't destroy this as it didn't initialize the original sender */ + charon->sender->destroy(charon->sender); + charon->sender = NULL; + array_destroy(this->listeners); + free(this); +} diff --git a/src/libcharon/tests/utils/exchange_test_helper.h b/src/libcharon/tests/utils/exchange_test_helper.h new file mode 100644 index 000000000..e1fdb012a --- /dev/null +++ b/src/libcharon/tests/utils/exchange_test_helper.h 
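Review bot: In establish_sa the four `process_message(this, ...)` calls discard the returned status, so if an exchange fails (for example a proposal mismatch from the configured conf) the caller receives two half-established IKE_SAs and the failure surfaces later in an unrelated assertion; checking each result at the call site, with the exchange name in the failure message, would point at the failing step. process_message itself dereferences the result of `this->public.sender->dequeue()` without a NULL check; if the mock sender can return NULL on an empty queue (not visible here), an early `return FAILED` before `message->get_ike_sa_id(message)` would turn that into a clear failure rather than a crash. initialize_logging parses TESTS_VERBOSITY with `atoi()`, which silently yields 0 for garbage; `strtol()` with an end-pointer check is the usual replacement.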
@@ -0,0 +1,128 @@ +/* + * Copyright (C) 2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * This class and singleton object initializes charon and provides helper + * methods to create unit tests for IKEv2 exchanges. + * + * It also registers special implementations for the kernel_ipsec_t interface, + * the sender and provides dummy configs and credentials. + * + * @defgroup exchange_test_helper exchange_test_helper + * @{ @ingroup test_utils_c + */ + +#ifndef EXCHANGE_TEST_HELPER_H_ +#define EXCHANGE_TEST_HELPER_H_ + +#include <daemon.h> + +#include "mock_sender.h" + +typedef struct exchange_test_helper_t exchange_test_helper_t; +typedef struct exchange_test_sa_conf_t exchange_test_sa_conf_t; + +struct exchange_test_helper_t { + + /** + * Sender instance used during tests + */ + mock_sender_t *sender; + + /** + * Set the initial byte of all nonces generated by future nonce + * generators (already instatiated nonce generators are not affected). 
+ */ + u_char nonce_first_byte; + + /** + * Creates an established IKE_SA/CHILD_SA + * + * @param[out] init IKE_SA of the initiator + * @param[out] resp IKE_SA of the responder + * @param conf configuration for SAs + */ + void (*establish_sa)(exchange_test_helper_t *this, ike_sa_t **init, + ike_sa_t **resp, exchange_test_sa_conf_t *conf); + + /** + * Pass a message to the given IKE_SA for processing, setting the IKE_SA on + * the bus while processing the message. + * + * @param ike_sa the IKE_SA receiving the message + * @param message the message, or NULL to pass the next message in the + * send queue (adopted) + * @return return value from ike_sa_t::process_message() + */ + status_t (*process_message)(exchange_test_helper_t *this, ike_sa_t *sa, + message_t *message); + + /** + * Register a listener with the bus. + * + * Don't use bus_t::add_listener() directly for listeners on the stack + * as that could lead to invalid listeners registered when hooks are + * triggered during cleanup if a test case fails. All of the listeners + * added this way are unregistered with the bus before cleaning up. + * + * @param listener listener to add to the bus + */ + void (*add_listener)(exchange_test_helper_t *this, listener_t *listener); +}; + +struct exchange_test_sa_conf_t { + + /** + * Configuration for initiator and responder + */ + struct { + /** IKE proposal */ + char *ike; + /** ESP proposal */ + char *esp; + } initiator, responder; +}; + +/** + * Since we don't use the IKE_SA manager to checkout SAs use this to call a + * method on the given IKE_SA in its context. + */ +#define call_ikesa(sa, method, ...) ({ \ + charon->bus->set_sa(charon->bus, sa); \ + sa->method(sa, ##__VA_ARGS__); \ + charon->bus->set_sa(charon->bus, NULL); \ +}) + +/** + * The one and only instance of the helper object. + * + * Set between exchange_test_helper_setup() and exchange_test_helper_teardown() + * calls. 
+ */ +extern exchange_test_helper_t *exchange_test_helper; + +/** + * Initialize charon and the helper object. + * + * @param plugins plugins to load + */ +void exchange_test_helper_init(char *plugins); + +/** + * Deinitialize the helper object. + */ +void exchange_test_helper_deinit(); + +#endif /** EXCHANGE_TEST_HELPER_H_ @} */ diff --git a/src/libcharon/tests/utils/job_asserts.h b/src/libcharon/tests/utils/job_asserts.h new file mode 100644 index 000000000..3491f08c3 --- /dev/null +++ b/src/libcharon/tests/utils/job_asserts.h 
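Review bot: The doc comment on `extern exchange_test_helper_t *exchange_test_helper;` refers to exchange_test_helper_setup() and exchange_test_helper_teardown(), but the functions declared in this header are exchange_test_helper_init() and exchange_test_helper_deinit(); the comment should name those. The `process_message` member documents `@param ike_sa` while the prototype names the parameter `sa`, and the `nonce_first_byte` comment has "instatiated" for "instantiated". `void exchange_test_helper_deinit();` is a non-prototype declaration; `void exchange_test_helper_deinit(void);` is what callers should see.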
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special assertions against job handling.
+ *
+ * @defgroup job_asserts job_asserts
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef JOB_ASSERTS_H_
+#define JOB_ASSERTS_H_
+
+/**
+ * Initialize an assertion that enforces that no jobs were scheduled.
+ * Must be matched by a call to assert_scheduler().
+ */
+#define assert_no_jobs_scheduled() _assert_jobs_scheduled(0)
+
+/**
+ * Initialize an assertion that enforces that a specific number of jobs was
+ * scheduled.
+ * Must be matched by a call to assert_scheduler().
+ *
+ * @param count expected number of jobs getting scheduled
+ */
+#define assert_jobs_scheduled(count) _assert_jobs_scheduled(count)
+
+/**
+ * Initialize assertions against job scheduling.
+ * Must be matched by a call to assert_scheduler().
+ */
+#define _assert_jobs_scheduled(count) \
+do { \
+ u_int _initial = lib->scheduler->get_job_load(lib->scheduler); \
+ u_int _expected = count
+
+/**
+ * Enforce scheduler asserts.
+ */
+#define assert_scheduler() \
+ u_int _actual = lib->scheduler->get_job_load(lib->scheduler) - _initial; \
+ test_assert_msg(_expected == _actual, "unexpected number of jobs " \
+ "scheduled (%u != %u)", _expected, _actual); \
+} while(FALSE)
+
+#endif /** JOB_ASSERTS_H_ @}*/
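Review bot: In assert_scheduler() `_actual` is computed as `get_job_load() - _initial` in u_int, so if the job load decreased between the two calls (jobs executed or cancelled inside the bracketed code) the subtraction wraps and the failure message prints a huge count instead of saying the load went down; a comment stating that the load must not decrease within the bracket, or a signed intermediate for the difference, would make the assumption visible. The `count` argument in `u_int _expected = count` is unparenthesized; `u_int _expected = (count)` follows the macro hygiene the sibling headers apply with `(x)` and `(l)`.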
diff --git a/src/libcharon/tests/utils/mock_dh.c b/src/libcharon/tests/utils/mock_dh.c
new file mode 100644
index 000000000..153bf1166
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_dh.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_dh.h"
+
+typedef struct private_diffie_hellman_t private_diffie_hellman_t;
+
+/**
+ * Private data
+ */
+struct private_diffie_hellman_t {
+
+ /**
+ * Public interface
+ */
+ diffie_hellman_t public;
+
+ /**
+ * Instantiated DH group
+ */
+ diffie_hellman_group_t group;
+};
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+ private_diffie_hellman_t *this, chunk_t *value)
+{
+ *value = chunk_empty;
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+ private_diffie_hellman_t *this, chunk_t value)
+{
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+ private_diffie_hellman_t *this, chunk_t *secret)
+{
+ *secret = chunk_empty;
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+ private_diffie_hellman_t *this)
+{
+ return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+ private_diffie_hellman_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+diffie_hellman_t *mock_dh_create(diffie_hellman_group_t group)
+{
+ private_diffie_hellman_t *this;
+
+ INIT(this,
+ .public = {
+ .get_shared_secret = _get_shared_secret,
+ .set_other_public_value = _set_other_public_value,
+ .get_my_public_value = _get_my_public_value,
+ .get_dh_group = _get_dh_group,
+ .destroy = _destroy,
+ },
+ .group = group,
+ );
+ return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_dh.h b/src/libcharon/tests/utils/mock_dh.h
new file mode 100644
index 000000000..332c65537
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_dh.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Provides a DH implementation that does no real work to make the tests run
+ * faster.
+ *
+ * @defgroup mock_dh mock_dh
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_DH_H_
+#define MOCK_DH_H_
+
+#include <crypto/diffie_hellman.h>
+
+/**
+ * Creates a diffie_hellman_t object.
+ *
+ * @param group Diffie Hellman group, supports MODP_NULL only
+ * @return created object
+ */
+diffie_hellman_t *mock_dh_create(diffie_hellman_group_t group);
+
+#endif /** MOCK_DH_H_ @}*/
diff --git a/src/libcharon/tests/utils/mock_ipsec.c b/src/libcharon/tests/utils/mock_ipsec.c
new file mode 100644
index 000000000..d57a26a87
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_ipsec.c
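Review bot: `mock_dh_create` stores whatever `group` it is handed and `get_shared_secret` always returns `chunk_empty`, while mock_dh.h documents that only MODP_NULL is supported; nothing in the constructor enforces that, so a test that ends up negotiating a real group would silently derive keys from an empty secret instead of failing at construction. A guard such as `if (group != MODP_NULL) { return NULL; }` would make the documented contract hold, assuming the caller treats a NULL from a DH constructor as a failure like it does for real backends. If rejecting is not wanted, a comment at the INIT, `/* only ever registered for MODP_NULL, see mock_dh.h */`, would at least record the assumption in the .c file.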
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_ipsec.h"
+
+typedef struct private_kernel_ipsec_t private_kernel_ipsec_t;
+
+/**
+ * Private data
+ */
+struct private_kernel_ipsec_t {
+
+ /**
+ * Public interface
+ */
+ kernel_ipsec_t public;
+
+ /**
+ * Allocated SPI
+ */
+ refcount_t spi;
+};
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+ private_kernel_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol,
+ uint32_t *spi)
+{
+ *spi = (uint32_t)ref_get(&this->spi);
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+ private_kernel_ipsec_t *this, host_t *src, host_t *dst, uint16_t *cpi)
+{
+ return FAILED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_add_sa_t *data)
+{
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_update_sa_t *data)
+{
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
+ time_t *time)
+{
+ return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+ kernel_ipsec_del_sa_t *data)
+{
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data)
+{
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_query_policy_t *data, time_t *use_time)
+{
+ *use_time = 1;
+ return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+ private_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+ kernel_ipsec_manage_policy_t *data)
+{
+ return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+kernel_ipsec_t *mock_ipsec_create()
+{
+ private_kernel_ipsec_t *this;
+
+ INIT(this,
+ .public = {
+ .get_spi = _get_spi,
+ .get_cpi = _get_cpi,
+ .add_sa = _add_sa,
+ .update_sa = _update_sa,
+ .query_sa = _query_sa,
+ .del_sa = _del_sa,
+ .flush_sas = (void*)return_failed,
+ .add_policy = _add_policy,
+ .query_policy = _query_policy,
+ .del_policy = _del_policy,
+ .flush_policies = (void*)return_failed,
+ .bypass_socket = (void*)return_true,
+ .enable_udp_decap = (void*)return_true,
+ .destroy = (void*)free,
+ },
+ );
+ return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_ipsec.h b/src/libcharon/tests/utils/mock_ipsec.h
new file mode 100644
index 000000000..cbf21524a
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_ipsec.h
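Review bot: `kernel_ipsec_t *mock_ipsec_create()` is defined and, in mock_ipsec.h, declared with empty parentheses, which in C is an old-style declaration with unspecified parameters rather than a prototype, so a call with stray arguments is not diagnosed; write `kernel_ipsec_t *mock_ipsec_create(void);` in both places. The same applies to `mock_sender_create()` in mock_sender.c and mock_sender.h in this commit. The mock's `get_spi` hands out small sequential counter values; since the SA assertions print SPIs through `ntohl()`, a short comment on `refcount_t spi`, e.g. `/* sequential counter, not byte-swapped like SPIs from a real backend */`, would explain why printed SPIs look byte-reversed.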
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * kernel_ipsec_t implementation used for exchange unit tests. Currently
+ * returns sequential SPIs, all other methods are noops.
+ *
+ * @defgroup mock_ipsec mock_ipsec
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_IPSEC_H_
+#define MOCK_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+/**
+ * Create an instance of kernel_ipsec_t
+ *
+ * @return created object
+ */
+kernel_ipsec_t *mock_ipsec_create();
+
+#endif /** MOCK_IPSEC_H_ @}*/
diff --git a/src/libcharon/tests/utils/mock_nonce_gen.c b/src/libcharon/tests/utils/mock_nonce_gen.c
new file mode 100644
index 000000000..30910f991
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_nonce_gen.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_nonce_gen.h"
+
+typedef struct private_nonce_gen_t private_nonce_gen_t;
+
+struct private_nonce_gen_t {
+
+ /**
+ * Public interface
+ */
+ nonce_gen_t public;
+
+ /**
+ * Random number generator
+ */
+ rng_t* rng;
+
+ /**
+ * First byte to set to the nonces
+ */
+ u_char first;
+};
+
+METHOD(nonce_gen_t, get_nonce, bool,
+ private_nonce_gen_t *this, size_t size, uint8_t *buffer)
+{
+ if (size > 0)
+ {
+ buffer[0] = this->first;
+ buffer++;
+ size--;
+ }
+ return this->rng->get_bytes(this->rng, size, buffer);
+}
+
+METHOD(nonce_gen_t, allocate_nonce, bool,
+ private_nonce_gen_t *this, size_t size, chunk_t *chunk)
+{
+ *chunk = chunk_alloc(size);
+ if (!get_nonce(this, chunk->len, chunk->ptr))
+ {
+ chunk_free(chunk);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(nonce_gen_t, destroy, void,
+ private_nonce_gen_t *this)
+{
+ DESTROY_IF(this->rng);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+nonce_gen_t *mock_nonce_gen_create(u_char first)
+{
+ private_nonce_gen_t *this;
+
+ INIT(this,
+ .public = {
+ .get_nonce = _get_nonce,
+ .allocate_nonce = _allocate_nonce,
+ .destroy = _destroy,
+ },
+ .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
+ .first = first,
+ );
+ if (!this->rng)
+ {
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
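Review bot: The bytes after the fixed first byte are drawn from an `RNG_WEAK` generator and the first byte is attacker-predictable by design, but neither this file nor the doc comment in mock_nonce_gen.h says that the resulting nonces have no security value and that the generator is only suitable under tests/. A comment on the `.rng` initializer, `/* test-only: RNG_WEAK is deliberate, these nonces must never be used outside unit tests */`, and a matching sentence in the header's @defgroup description would prevent the mock being picked up as a template for production code. The `size > 0` guard in `get_nonce` correctly avoids writing the first byte into an empty buffer; a one-line comment there, `/* a zero-length nonce gets no fixed byte */`, would make the edge case explicit.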
diff --git a/src/libcharon/tests/utils/mock_nonce_gen.h b/src/libcharon/tests/utils/mock_nonce_gen.h
new file mode 100644
index 000000000..feeab8bc0
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_nonce_gen.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special nonce generator that sets the first byte of the generated nonces to
+ * a fixed specified value.
+ *
+ * @defgroup mock_nonce_gen mock_nonce_gen
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_NONCE_GEN_H_
+#define MOCK_NONCE_GEN_H_
+
+#include <crypto/nonce_gen.h>
+
+/**
+ * Creates a nonce_gen_t instance.
+ *
+ * @param first first byte to set in generated nonces
+ * @return created object
+ */
+nonce_gen_t *mock_nonce_gen_create(u_char first);
+
+#endif /** MOCK_NONCE_GEN_H_ @} */
diff --git a/src/libcharon/tests/utils/mock_sender.c b/src/libcharon/tests/utils/mock_sender.c
new file mode 100644
index 000000000..c090ff439
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_sender.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_sender.h"
+
+#include <collections/linked_list.h>
+
+typedef struct private_mock_sender_t private_mock_sender_t;
+
+/**
+ * Private data
+ */
+struct private_mock_sender_t {
+
+ /**
+ * Public interface
+ */
+ mock_sender_t public;
+
+ /**
+ * Packet queue, as message_t*
+ */
+ linked_list_t *queue;
+};
+
+
+METHOD(sender_t, send_, void,
+ private_mock_sender_t *this, packet_t *packet)
+{
+ message_t *message;
+
+ message = message_create_from_packet(packet);
+ message->parse_header(message);
+ this->queue->insert_last(this->queue, message);
+}
+
+METHOD(mock_sender_t, dequeue, message_t*,
+ private_mock_sender_t *this)
+{
+ message_t *message = NULL;
+
+ this->queue->remove_first(this->queue, (void**)&message);
+ return message;
+}
+
+METHOD(sender_t, destroy, void,
+ private_mock_sender_t *this)
+{
+ this->queue->destroy_offset(this->queue, offsetof(message_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+mock_sender_t *mock_sender_create()
+{
+ private_mock_sender_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .send = _send_,
+ .send_no_marker = (void*)nop,
+ .flush = (void*)nop,
+ .destroy = _destroy,
+ },
+ .dequeue = _dequeue,
+ },
+ .queue = linked_list_create(),
+ );
+ return &this->public;
+}
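Review bot: In `send_` the status returned by `message->parse_header(message)` is discarded; mock_sender.h states that parsing is assumed not to fail, but when a test does build a packet with a bad IKE header the half-parsed message is still queued and the failure surfaces later inside `ike_sa_t::process_message()`, far from its cause. Making the assumption loud keeps failures local, e.g. `status_t status = message->parse_header(message);` followed by `test_assert_msg(status == SUCCESS, "parsing IKE header of sent packet failed");`, provided the test framework's assertion helper is reachable from this translation unit; otherwise at least record the assumption with `/* header parsing is assumed to succeed, see mock_sender.h */`. `mock_sender_create()` should also be declared with `(void)` rather than empty parentheses, here and in mock_sender.h.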
diff --git a/src/libcharon/tests/utils/mock_sender.h b/src/libcharon/tests/utils/mock_sender.h
new file mode 100644
index 000000000..5eabddadc
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_sender.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * sender_t implementation that does not pass the sent packet to a socket but
+ * instead provides it for immediate delivery to an ike_sa_t object.
+ *
+ * @defgroup mock_sender mock_sender
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_SENDER_H_
+#define MOCK_SENDER_H_
+
+#include <encoding/message.h>
+#include <network/sender.h>
+
+typedef struct mock_sender_t mock_sender_t;
+
+struct mock_sender_t {
+
+ /**
+ * Implemented interface
+ */
+ sender_t interface;
+
+ /**
+ * Remove the next packet in the send queue as message_t object. The IKE
+ * header is already parsed (which is assumed does not fail) so it can
+ * directly be passed to ike_sa_t::process_message().
+ *
+ * @return message or NULL if none is queued
+ */
+ message_t *(*dequeue)(mock_sender_t *this);
+};
+
+/**
+ * Creates a mock_sender_t instance.
+ *
+ * @return created object
+ */
+mock_sender_t *mock_sender_create();
+
+#endif /** MOCK_SENDER_H_ @} */
diff --git a/src/libcharon/tests/utils/sa_asserts.h b/src/libcharon/tests/utils/sa_asserts.h
new file mode 100644
index 000000000..7afa3b55b
--- /dev/null
+++ b/src/libcharon/tests/utils/sa_asserts.h 
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special assertions against IKE_SAs and CHILD_SAs (e.g. regarding their
+ * state).
+ *
+ * @defgroup sa_asserts sa_asserts
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef SA_ASSERTS_H_
+#define SA_ASSERTS_H_
+
+#include <inttypes.h>
+
+/**
+ * Check that there exists a specific number of IKE_SAs in the manager.
+ */
+#define assert_ike_sa_count(count) \
+({ \
+ typeof(count) _count = count; \
+ u_int _actual = charon->ike_sa_manager->get_count(charon->ike_sa_manager); \
+ test_assert_msg(_count == _actual, "unexpected number of IKE_SAs in " \
+ "manager (%d != %d)", _count, _actual); \
+})
+
+/**
+ * Check that the IKE_SA with the given SPIs and initiator flag is in the
+ * manager and return it. Does not actually keep the SA checked out as
+ * that would block cleaning up if asserts against it fail (since we control
+ * access to SAs it's also not really necessary).
+ */
+#define assert_ike_sa_checkout(spi_i, spi_r, initiator) \
+({ \
+ typeof(spi_i) _spi_i = spi_i; \
+ typeof(spi_r) _spi_r = spi_r; \
+ typeof(initiator) _init = initiator; \
+ ike_sa_id_t *_id = ike_sa_id_create(IKEV2, _spi_i, _spi_r, _init); \
+ ike_sa_t *_ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, _id); \
+ test_assert_msg(_ike_sa, "IKE_SA with SPIs %.16"PRIx64"_i %.16"PRIx64"_r " \
+ "(%d) does not exist", be64toh(_spi_i), be64toh(_spi_r), _init); \
+ _id->destroy(_id); \
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, _ike_sa); \
+ _ike_sa; \
+})
+
+/**
+ * Check if the given IKE_SA is in the expected state.
+ */
+#define assert_ike_sa_state(ike_sa, state) \
+({ \
+ typeof(ike_sa) _sa = ike_sa; \
+ typeof(state) _state = state; \
+ test_assert_msg(_state == _sa->get_state(_sa), "%N != %N", \
+ ike_sa_state_names, _state, \
+ ike_sa_state_names, _sa->get_state(_sa)); \
+})
+
+/**
+ * Check that there exists a specific number of CHILD_SAs.
+ */
+#define assert_child_sa_count(ike_sa, count) \
+({ \
+ typeof(ike_sa) _sa = ike_sa; \
+ typeof(count) _count = count; \
+ test_assert_msg(_count == _sa->get_child_count(_sa), "unexpected number " \
+ "of CHILD_SAs in IKE_SA %s (%d != %d)", #ike_sa, _count, \
+ _sa->get_child_count(_sa)); \
+})
+
+/**
+ * Check if the CHILD_SA with the given SPI is in the expected state.
+ */
+#define assert_child_sa_state(ike_sa, spi, state) \
+({ \
+ typeof(ike_sa) _sa = ike_sa; \
+ typeof(spi) _spi = spi; \
+ typeof(state) _state = state; \
+ child_sa_t *_child = _sa->get_child_sa(_sa, PROTO_ESP, _spi, TRUE) ?: \
+ _sa->get_child_sa(_sa, PROTO_ESP, _spi, FALSE); \
+ test_assert_msg(_child, "CHILD_SA with SPI %.8x does not exist", \
+ ntohl(_spi)); \
+ test_assert_msg(_state == _child->get_state(_child), "%N != %N", \
+ child_sa_state_names, _state, \
+ child_sa_state_names, _child->get_state(_child)); \
+})
+
+/**
+ * Assert that the CHILD_SA with the given inbound SPI does not exist.
+ */
+#define assert_child_sa_not_exists(ike_sa, spi) \
+({ \
+ typeof(ike_sa) _sa = ike_sa; \
+ typeof(spi) _spi = spi; \
+ child_sa_t *_child = _sa->get_child_sa(_sa, PROTO_ESP, _spi, TRUE) ?: \
+ _sa->get_child_sa(_sa, PROTO_ESP, _spi, FALSE); \
+ test_assert_msg(!_child, "CHILD_SA with SPI %.8x exists", ntohl(_spi)); \
+})
+
+/**
+ * Assert that there is a specific number of tasks in a given queue
+ *
+ * @param ike_sa IKE_SA to check
+ * @param count number of expected tasks
+ * @param queue queue to check (task_queue_t)
+ */
+#define assert_num_tasks(ike_sa, count, queue) \
+({ \
+ typeof(ike_sa) _sa = ike_sa; \
+ typeof(count) _count = count; \
+ int _c = 0; task_t *_task; \
+ enumerator_t *_enumerator = _sa->create_task_enumerator(_sa, queue); \
+ while (_enumerator->enumerate(_enumerator, &_task)) { _c++; } \
+ _enumerator->destroy(_enumerator); \
+ test_assert_msg(_count == _c, "unexpected number of tasks in " #queue " " \
+ "of IKE_SA %s (%d != %d)", #ike_sa, _count, _c); \
+})
+
+/**
+ * Assert that all task queues of the given IKE_SA are empty
+ *
+ * @param ike_sa IKE_SA to check
+ */
+#define assert_sa_idle(ike_sa) \
+({ \
+ typeof(ike_sa) _ike_sa = ike_sa; \
+ assert_num_tasks(_ike_sa, 0, TASK_QUEUE_QUEUED); \
+ assert_num_tasks(_ike_sa, 0, TASK_QUEUE_ACTIVE); \
+ assert_num_tasks(_ike_sa, 0, TASK_QUEUE_PASSIVE); \
+})
+
+#endif /** SA_ASSERTS_H_ @}*/ |
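Review bot: In `assert_ike_sa_count` the unsigned `u_int _actual` is printed with `%d`, whereas job_asserts.h in this same commit prints the equivalent job counts with `%u`; the message should read `"manager (%d != %u)", _count, _actual` so the format matches the type and the two assertion headers agree. `assert_ike_sa_checkout` hard-codes `IKEV2` in `ike_sa_id_create(IKEV2, _spi_i, _spi_r, _init)`, which the doc comment above it does not mention; a line such as ` * Only IKEv2 SAs are looked up, the SPIs are expected in network order.` would spare a future IKEv1 test author a confusing "does not exist" failure, with the byte-order part following from the `be64toh()` calls in the message. If the assertion inside that macro fails, `_id` is not destroyed before the test is aborted; that is probably acceptable for a test helper, but worth a short comment so it is not mistaken for an oversight.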