-rw-r--r--Android.common.mk2
-rw-r--r--Android.mk3
-rw-r--r--Makefile.in91
-rw-r--r--NEWS51
-rw-r--r--TODO26
-rw-r--r--aclocal.m490
-rwxr-xr-xconfig.guess258
-rw-r--r--config.h.in12
-rwxr-xr-xconfig.sub209
-rwxr-xr-xconfigure3503
-rw-r--r--configure.in73
-rwxr-xr-xdepcomp74
-rw-r--r--init/Makefile.in24
-rw-r--r--init/systemd/Makefile.in34
-rwxr-xr-xinstall-sh29
-rw-r--r--[-rwxr-xr-x]ltmain.sh4016
-rw-r--r--m4/config/libtool.m42234
-rw-r--r--m4/config/ltoptions.m432
-rw-r--r--m4/config/ltversion.m412
-rw-r--r--m4/config/lt~obsolete.m412
-rw-r--r--man/Makefile.in34
-rw-r--r--man/ipsec.conf.555
-rw-r--r--man/ipsec.conf.5.in53
-rw-r--r--man/ipsec.secrets.533
-rw-r--r--man/ipsec.secrets.5.in31
-rw-r--r--man/strongswan.conf.5110
-rw-r--r--man/strongswan.conf.5.in110
-rwxr-xr-xmissing53
-rw-r--r--scripts/Makefile.in50
-rw-r--r--scripts/dh_speed.c2
-rw-r--r--scripts/fetch.c2
-rw-r--r--scripts/key2keyid.c2
-rw-r--r--scripts/keyid2sql.c2
-rw-r--r--scripts/pubkey_speed.c2
-rw-r--r--scripts/tls_test.c4
-rw-r--r--src/Makefile.in24
-rw-r--r--src/_copyright/Makefile.in26
-rw-r--r--src/_updown/Makefile.in38
-rw-r--r--src/_updown_espmark/Makefile.in38
-rw-r--r--src/charon-nm/Makefile.in26
-rw-r--r--src/charon-nm/charon-nm.c28
-rw-r--r--src/charon-nm/nm/nm_backend.c3
-rw-r--r--src/charon-nm/nm/nm_service.c9
-rw-r--r--src/charon/Makefile.in26
-rw-r--r--src/charon/charon.c157
-rw-r--r--src/checksum/Makefile.in34
-rw-r--r--src/checksum/checksum_builder.c2
-rw-r--r--src/conftest/Makefile.in26
-rw-r--r--src/conftest/README9
-rw-r--r--src/conftest/config.c34
-rw-r--r--src/conftest/conftest.c57
-rw-r--r--src/conftest/conftest.h5
-rw-r--r--src/conftest/hooks/reset_seq.c77
-rw-r--r--src/dumm/Makefile.am2
-rw-r--r--src/dumm/Makefile.in40
-rw-r--r--src/dumm/bridge.c4
-rw-r--r--src/dumm/bridge.h2
-rw-r--r--src/dumm/cowfs.c4
-rw-r--r--src/dumm/dumm.c4
-rw-r--r--src/dumm/dumm.h2
-rw-r--r--src/dumm/ext/dumm.c11
-rw-r--r--src/dumm/guest.c4
-rw-r--r--src/dumm/guest.h2
-rw-r--r--src/dumm/iface.c4
-rw-r--r--src/dumm/iface.h4
-rw-r--r--src/dumm/irdumm.c4
-rw-r--r--src/dumm/main.c2
-rw-r--r--src/dumm/mconsole.c2
-rw-r--r--src/include/Makefile.in24
-rw-r--r--src/ipsec/Makefile.in38
-rw-r--r--src/ipsec/_ipsec.86
-rw-r--r--src/ipsec/_ipsec.8.in4
-rw-r--r--src/ipsec/_ipsec.in4
-rw-r--r--src/libcharon/Android.mk1
-rw-r--r--src/libcharon/Makefile.am15
-rw-r--r--src/libcharon/Makefile.in143
-rw-r--r--src/libcharon/bus/bus.c5
-rw-r--r--src/libcharon/bus/bus.h42
-rw-r--r--src/libcharon/bus/listeners/file_logger.c106
-rw-r--r--src/libcharon/bus/listeners/file_logger.h29
-rw-r--r--src/libcharon/bus/listeners/sys_logger.c32
-rw-r--r--src/libcharon/bus/listeners/sys_logger.h11
-rw-r--r--src/libcharon/config/backend.h2
-rw-r--r--src/libcharon/config/backend_manager.c69
-rw-r--r--src/libcharon/config/backend_manager.h5
-rw-r--r--src/libcharon/config/child_cfg.c4
-rw-r--r--src/libcharon/config/ike_cfg.c39
-rw-r--r--src/libcharon/config/ike_cfg.h59
-rw-r--r--src/libcharon/config/peer_cfg.c21
-rw-r--r--src/libcharon/config/peer_cfg.h23
-rw-r--r--src/libcharon/config/proposal.c91
-rw-r--r--src/libcharon/config/proposal.h8
-rw-r--r--src/libcharon/daemon.c395
-rw-r--r--src/libcharon/daemon.h34
-rw-r--r--src/libcharon/encoding/generator.c2
-rw-r--r--src/libcharon/encoding/message.c28
-rw-r--r--src/libcharon/encoding/message.h4
-rw-r--r--src/libcharon/encoding/parser.c2
-rw-r--r--src/libcharon/encoding/payloads/cert_payload.c18
-rw-r--r--src/libcharon/encoding/payloads/cert_payload.h14
-rw-r--r--src/libcharon/encoding/payloads/certreq_payload.h2
-rw-r--r--src/libcharon/encoding/payloads/cp_payload.c2
-rw-r--r--src/libcharon/encoding/payloads/cp_payload.h2
-rw-r--r--src/libcharon/encoding/payloads/eap_payload.c8
-rw-r--r--src/libcharon/encoding/payloads/encryption_payload.c2
-rw-r--r--src/libcharon/encoding/payloads/fragment_payload.c225
-rw-r--r--src/libcharon/encoding/payloads/fragment_payload.h94
-rw-r--r--src/libcharon/encoding/payloads/id_payload.c5
-rw-r--r--src/libcharon/encoding/payloads/ike_header.h2
-rw-r--r--src/libcharon/encoding/payloads/ke_payload.h2
-rw-r--r--src/libcharon/encoding/payloads/notify_payload.h2
-rw-r--r--src/libcharon/encoding/payloads/payload.c60
-rw-r--r--src/libcharon/encoding/payloads/payload.h17
-rw-r--r--src/libcharon/encoding/payloads/proposal_substructure.c36
-rw-r--r--src/libcharon/encoding/payloads/proposal_substructure.h24
-rw-r--r--src/libcharon/encoding/payloads/sa_payload.c10
-rw-r--r--src/libcharon/encoding/payloads/sa_payload.h10
-rw-r--r--src/libcharon/encoding/payloads/traffic_selector_substructure.c2
-rw-r--r--src/libcharon/encoding/payloads/traffic_selector_substructure.h2
-rw-r--r--src/libcharon/encoding/payloads/transform_substructure.c2
-rw-r--r--src/libcharon/encoding/payloads/transform_substructure.h2
-rw-r--r--src/libcharon/encoding/payloads/ts_payload.c2
-rw-r--r--src/libcharon/encoding/payloads/ts_payload.h2
-rw-r--r--src/libcharon/network/receiver.c3
-rw-r--r--src/libcharon/network/receiver.h4
-rw-r--r--src/libcharon/network/sender.c6
-rw-r--r--src/libcharon/network/sender.h2
-rw-r--r--src/libcharon/network/socket.h4
-rw-r--r--src/libcharon/network/socket_manager.c2
-rw-r--r--src/libcharon/plugins/addrblock/Makefile.in32
-rw-r--r--src/libcharon/plugins/addrblock/addrblock_validator.c2
-rw-r--r--src/libcharon/plugins/android/Makefile.in32
-rw-r--r--src/libcharon/plugins/android/android_handler.c3
-rw-r--r--src/libcharon/plugins/android/android_service.c6
-rw-r--r--src/libcharon/plugins/android_log/Makefile.in32
-rw-r--r--src/libcharon/plugins/certexpire/Makefile.in32
-rw-r--r--src/libcharon/plugins/certexpire/certexpire_cron.c2
-rw-r--r--src/libcharon/plugins/certexpire/certexpire_export.c4
-rw-r--r--src/libcharon/plugins/certexpire/certexpire_export.h2
-rw-r--r--src/libcharon/plugins/coupling/Makefile.in32
-rw-r--r--src/libcharon/plugins/dhcp/Makefile.in32
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_provider.c2
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_socket.c2
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_transaction.c2
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_transaction.h2
-rw-r--r--src/libcharon/plugins/duplicheck/Makefile.in34
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_listener.c3
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_notify.c2
-rw-r--r--src/libcharon/plugins/eap_aka/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_aka_3gpp2/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_dynamic/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_gtc/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_identity/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_md5/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_mschapv2/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c2
-rw-r--r--src/libcharon/plugins/eap_peap/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_avp.c4
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_peer.c2
-rw-r--r--src/libcharon/plugins/eap_peap/eap_peap_server.c2
-rw-r--r--src/libcharon/plugins/eap_radius/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius.c21
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_accounting.c25
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_forward.c4
-rw-r--r--src/libcharon/plugins/eap_sim/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_sim_file/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c2
-rw-r--r--src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h2
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c2
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c4
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c2
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c2
-rw-r--r--src/libcharon/plugins/eap_simaka_sql/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_tls/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_tnc/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_tnc/eap_tnc.c2
-rw-r--r--src/libcharon/plugins/eap_ttls/Makefile.in32
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls_avp.c2
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls_peer.c2
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls_server.c2
-rw-r--r--src/libcharon/plugins/error_notify/Makefile.am23
-rw-r--r--src/libcharon/plugins/error_notify/Makefile.in698
-rw-r--r--src/libcharon/plugins/error_notify/error_notify.c62
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_listener.c203
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_listener.h51
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_msg.h66
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_plugin.c83
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_plugin.h42
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_socket.c213
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_socket.h59
-rw-r--r--src/libcharon/plugins/farp/Makefile.in32
-rw-r--r--src/libcharon/plugins/farp/farp_listener.c2
-rw-r--r--src/libcharon/plugins/farp/farp_listener.h2
-rw-r--r--src/libcharon/plugins/ha/Makefile.in32
-rw-r--r--src/libcharon/plugins/ha/ha_attribute.c2
-rw-r--r--src/libcharon/plugins/ha/ha_cache.c4
-rw-r--r--src/libcharon/plugins/ha/ha_cache.h2
-rw-r--r--src/libcharon/plugins/ha/ha_message.h2
-rw-r--r--src/libcharon/plugins/ha/ha_segments.c2
-rw-r--r--src/libcharon/plugins/ha/ha_socket.c2
-rw-r--r--src/libcharon/plugins/ha/ha_tunnel.c6
-rw-r--r--src/libcharon/plugins/led/Makefile.in32
-rw-r--r--src/libcharon/plugins/load_tester/Makefile.am7
-rw-r--r--src/libcharon/plugins/load_tester/Makefile.in139
-rw-r--r--src/libcharon/plugins/load_tester/load_tester.c104
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_config.c353
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_config.h7
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_control.c383
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_control.h47
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_creds.c163
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_listener.c20
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_listener.h6
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_plugin.c11
-rw-r--r--src/libcharon/plugins/lookip/Makefile.am21
-rw-r--r--src/libcharon/plugins/lookip/Makefile.in693
-rw-r--r--src/libcharon/plugins/lookip/lookip.c261
-rw-r--r--src/libcharon/plugins/lookip/lookip_listener.c327
-rw-r--r--src/libcharon/plugins/lookip/lookip_listener.h88
-rw-r--r--src/libcharon/plugins/lookip/lookip_msg.h96
-rw-r--r--src/libcharon/plugins/lookip/lookip_plugin.c83
-rw-r--r--src/libcharon/plugins/lookip/lookip_plugin.h42
-rw-r--r--src/libcharon/plugins/lookip/lookip_socket.c461
-rw-r--r--src/libcharon/plugins/lookip/lookip_socket.h44
-rw-r--r--src/libcharon/plugins/maemo/Makefile.in36
-rw-r--r--src/libcharon/plugins/maemo/maemo_service.c6
-rw-r--r--src/libcharon/plugins/medcli/Makefile.in32
-rw-r--r--src/libcharon/plugins/medcli/medcli_config.c45
-rw-r--r--src/libcharon/plugins/medcli/medcli_creds.c2
-rw-r--r--src/libcharon/plugins/medsrv/Makefile.in32
-rw-r--r--src/libcharon/plugins/medsrv/medsrv_config.c10
-rw-r--r--src/libcharon/plugins/medsrv/medsrv_creds.c2
-rw-r--r--src/libcharon/plugins/radattr/Makefile.in32
-rw-r--r--src/libcharon/plugins/smp/Makefile.in32
-rw-r--r--src/libcharon/plugins/socket_default/Makefile.in32
-rw-r--r--src/libcharon/plugins/socket_dynamic/Makefile.in32
-rw-r--r--src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c2
-rw-r--r--src/libcharon/plugins/sql/Makefile.in32
-rw-r--r--src/libcharon/plugins/sql/sql_config.c10
-rw-r--r--src/libcharon/plugins/sql/sql_logger.c3
-rw-r--r--src/libcharon/plugins/stroke/Makefile.am1
-rw-r--r--src/libcharon/plugins/stroke/Makefile.in37
-rw-r--r--src/libcharon/plugins/stroke/stroke_attribute.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_ca.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c51
-rw-r--r--src/libcharon/plugins/stroke/stroke_counter.c254
-rw-r--r--src/libcharon/plugins/stroke/stroke_counter.h104
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c241
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.h2
-rw-r--r--src/libcharon/plugins/stroke/stroke_handler.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c35
-rw-r--r--src/libcharon/plugins/tnc_ifmap/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c2
-rw-r--r--src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c8
-rw-r--r--src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h8
-rw-r--r--src/libcharon/plugins/tnc_imc/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc.c102
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc.h26
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c2
-rw-r--r--src/libcharon/plugins/tnc_imc/tnc_imc_manager.c113
-rw-r--r--src/libcharon/plugins/tnc_imv/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv.c82
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv.h26
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c2
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_manager.c116
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c4
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h2
-rw-r--r--src/libcharon/plugins/tnc_pdp/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnc_pdp/tnc_pdp.c2
-rw-r--r--src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c4
-rw-r--r--src/libcharon/plugins/tnc_tnccs/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c12
-rw-r--r--src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c4
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c4
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h2
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_11/tnccs_11.c2
-rw-r--r--src/libcharon/plugins/tnccs_20/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c14
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c4
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c4
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c4
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c2
-rw-r--r--src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h2
-rw-r--r--src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c2
-rw-r--r--src/libcharon/plugins/tnccs_20/tnccs_20.c55
-rw-r--r--src/libcharon/plugins/tnccs_dynamic/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c4
-rw-r--r--src/libcharon/plugins/uci/Makefile.in32
-rw-r--r--src/libcharon/plugins/uci/uci_config.c42
-rw-r--r--src/libcharon/plugins/uci/uci_parser.h2
-rw-r--r--src/libcharon/plugins/unit_tester/Makefile.in32
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_enumerator.c2
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_hashtable.c2
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_med_db.c2
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_mysql.c2
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_sqlite.c2
-rw-r--r--src/libcharon/plugins/unity/Makefile.in32
-rw-r--r--src/libcharon/plugins/unity/unity_handler.c6
-rw-r--r--src/libcharon/plugins/unity/unity_provider.c37
-rw-r--r--src/libcharon/plugins/updown/Makefile.in32
-rw-r--r--src/libcharon/plugins/updown/updown_handler.c2
-rw-r--r--src/libcharon/plugins/updown/updown_listener.c22
-rw-r--r--src/libcharon/plugins/whitelist/Makefile.in34
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_listener.c2
-rw-r--r--src/libcharon/plugins/xauth_eap/Makefile.in32
-rw-r--r--src/libcharon/plugins/xauth_generic/Makefile.in32
-rw-r--r--src/libcharon/plugins/xauth_pam/Makefile.in32
-rw-r--r--src/libcharon/processing/jobs/delete_ike_sa_job.c1
-rw-r--r--src/libcharon/processing/jobs/dpd_timeout_job.c1
-rw-r--r--src/libcharon/processing/jobs/mediation_job.h2
-rw-r--r--src/libcharon/processing/jobs/migrate_job.h2
-rw-r--r--src/libcharon/processing/jobs/process_message_job.c5
-rw-r--r--src/libcharon/processing/jobs/update_sa_job.h2
-rw-r--r--src/libcharon/sa/child_sa.c11
-rw-r--r--src/libcharon/sa/eap/eap_manager.c2
-rw-r--r--src/libcharon/sa/ike_sa.c43
-rw-r--r--src/libcharon/sa/ike_sa.h17
-rw-r--r--src/libcharon/sa/ike_sa_manager.c95
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c2
-rw-r--r--src/libcharon/sa/ikev1/phase1.c4
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c355
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c6
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c155
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_natd.c41
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_vendor.c174
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c6
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c103
-rw-r--r--src/libcharon/sa/ikev2/connect_manager.c2
-rw-r--r--src/libcharon/sa/ikev2/mediation_manager.c2
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c25
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c11
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.c19
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.c253
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_config.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.c7
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.h2
-rw-r--r--src/libcharon/sa/shunt_manager.c2
-rw-r--r--src/libcharon/sa/shunt_manager.h2
-rw-r--r--src/libcharon/sa/trap_manager.c82
-rw-r--r--src/libcharon/sa/trap_manager.h2
-rw-r--r--src/libcharon/sa/xauth/xauth_manager.c2
-rw-r--r--src/libfast/Makefile.in36
-rw-r--r--src/libfast/dispatcher.c6
-rw-r--r--src/libfast/request.c2
-rw-r--r--src/libfast/session.c2
-rw-r--r--src/libfast/smtp.c2
-rw-r--r--src/libhydra/Makefile.in32
-rw-r--r--src/libhydra/attributes/attribute_handler.h4
-rw-r--r--src/libhydra/attributes/attribute_manager.c4
-rw-r--r--src/libhydra/attributes/attribute_provider.h4
-rw-r--r--src/libhydra/attributes/attributes.h2
-rw-r--r--src/libhydra/attributes/mem_pool.c6
-rw-r--r--src/libhydra/attributes/mem_pool.h2
-rw-r--r--src/libhydra/hydra.c32
-rw-r--r--src/libhydra/hydra.h3
-rw-r--r--src/libhydra/kernel/kernel_interface.c13
-rw-r--r--src/libhydra/kernel/kernel_interface.h15
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h2
-rw-r--r--src/libhydra/kernel/kernel_listener.h2
-rw-r--r--src/libhydra/kernel/kernel_net.h17
-rw-r--r--src/libhydra/plugins/attr/Makefile.in32
-rw-r--r--src/libhydra/plugins/attr/attr_provider.c4
-rw-r--r--src/libhydra/plugins/attr_sql/Makefile.in34
-rw-r--r--src/libhydra/plugins/attr_sql/attr_sql_plugin.c2
-rw-r--r--src/libhydra/plugins/attr_sql/pool.c4
-rw-r--r--src/libhydra/plugins/attr_sql/pool_attributes.c2
-rw-r--r--src/libhydra/plugins/attr_sql/sql_attribute.c2
-rw-r--r--src/libhydra/plugins/kernel_klips/Makefile.in32
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c4
-rw-r--r--src/libhydra/plugins/kernel_netlink/Makefile.in32
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c47
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c83
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c2
-rw-r--r--src/libhydra/plugins/kernel_pfkey/Makefile.in32
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c8
-rw-r--r--src/libhydra/plugins/kernel_pfroute/Makefile.in32
-rw-r--r--src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c21
-rw-r--r--src/libhydra/plugins/resolve/Makefile.in32
-rw-r--r--src/libhydra/plugins/resolve/resolve_handler.c2
-rw-r--r--src/libimcv/Makefile.am30
-rw-r--r--src/libimcv/Makefile.in224
-rw-r--r--src/libimcv/ietf/ietf_attr.c32
-rw-r--r--src/libimcv/ietf/ietf_attr_assess_result.c4
-rw-r--r--src/libimcv/ietf/ietf_attr_attr_request.c14
-rw-r--r--src/libimcv/ietf/ietf_attr_attr_request.h2
-rw-r--r--src/libimcv/ietf/ietf_attr_default_pwd_enabled.c222
-rw-r--r--src/libimcv/ietf/ietf_attr_default_pwd_enabled.h63
-rw-r--r--src/libimcv/ietf/ietf_attr_fwd_enabled.c221
-rw-r--r--src/libimcv/ietf/ietf_attr_fwd_enabled.h64
-rw-r--r--src/libimcv/ietf/ietf_attr_installed_packages.c335
-rw-r--r--src/libimcv/ietf/ietf_attr_installed_packages.h73
-rw-r--r--src/libimcv/ietf/ietf_attr_numeric_version.c282
-rw-r--r--src/libimcv/ietf/ietf_attr_numeric_version.h84
-rw-r--r--src/libimcv/ietf/ietf_attr_op_status.c314
-rw-r--r--src/libimcv/ietf/ietf_attr_op_status.h107
-rw-r--r--src/libimcv/ietf/ietf_attr_pa_tnc_error.c10
-rw-r--r--src/libimcv/ietf/ietf_attr_pa_tnc_error.h7
-rw-r--r--src/libimcv/ietf/ietf_attr_port_filter.c16
-rw-r--r--src/libimcv/ietf/ietf_attr_product_info.c30
-rw-r--r--src/libimcv/ietf/ietf_attr_product_info.h6
-rw-r--r--src/libimcv/ietf/ietf_attr_remediation_instr.c363
-rw-r--r--src/libimcv/ietf/ietf_attr_remediation_instr.h109
-rw-r--r--src/libimcv/ietf/ietf_attr_string_version.c300
-rw-r--r--src/libimcv/ietf/ietf_attr_string_version.h67
-rw-r--r--src/libimcv/imc/imc_agent.c272
-rw-r--r--src/libimcv/imc/imc_agent.h79
-rw-r--r--src/libimcv/imc/imc_msg.c457
-rw-r--r--src/libimcv/imc/imc_msg.h149
-rw-r--r--src/libimcv/imcv.c8
-rw-r--r--src/libimcv/imv/imv_agent.c506
-rw-r--r--src/libimcv/imv/imv_agent.h119
-rw-r--r--src/libimcv/imv/imv_lang_string.c73
-rw-r--r--src/libimcv/imv/imv_lang_string.h67
-rw-r--r--src/libimcv/imv/imv_msg.c429
-rw-r--r--src/libimcv/imv/imv_msg.h163
-rw-r--r--src/libimcv/imv/imv_reason_string.c95
-rw-r--r--src/libimcv/imv/imv_reason_string.h64
-rw-r--r--src/libimcv/imv/imv_remediation_string.c209
-rw-r--r--src/libimcv/imv/imv_remediation_string.h72
-rw-r--r--src/libimcv/imv/imv_state.h23
-rw-r--r--src/libimcv/ita/ita_attr.c17
-rw-r--r--src/libimcv/ita/ita_attr.h4
-rw-r--r--src/libimcv/ita/ita_attr_angel.c159
-rw-r--r--src/libimcv/ita/ita_attr_angel.h56
-rw-r--r--src/libimcv/ita/ita_attr_command.c11
-rw-r--r--src/libimcv/ita/ita_attr_dummy.c6
-rw-r--r--src/libimcv/ita/ita_attr_get_settings.c264
-rw-r--r--src/libimcv/ita/ita_attr_get_settings.h66
-rw-r--r--src/libimcv/ita/ita_attr_settings.c326
-rw-r--r--src/libimcv/ita/ita_attr_settings.h67
-rw-r--r--src/libimcv/os_info/os_info.c606
-rw-r--r--src/libimcv/os_info/os_info.h153
-rw-r--r--src/libimcv/pa_tnc/pa_tnc_attr_manager.c8
-rw-r--r--src/libimcv/pa_tnc/pa_tnc_msg.c38
-rw-r--r--src/libimcv/pa_tnc/pa_tnc_msg.h2
-rw-r--r--src/libimcv/plugins/imc_os/Makefile.am15
-rw-r--r--src/libimcv/plugins/imc_os/Makefile.in620
-rw-r--r--src/libimcv/plugins/imc_os/imc_os.c585
-rw-r--r--src/libimcv/plugins/imc_os/imc_os_state.c162
-rw-r--r--src/libimcv/plugins/imc_os/imc_os_state.h48
-rw-r--r--src/libimcv/plugins/imc_scanner/Makefile.in32
-rw-r--r--src/libimcv/plugins/imc_scanner/imc_scanner.c210
-rw-r--r--src/libimcv/plugins/imc_scanner/imc_scanner_state.c6
-rw-r--r--src/libimcv/plugins/imc_test/Makefile.in32
-rw-r--r--src/libimcv/plugins/imc_test/imc_test.c186
-rw-r--r--src/libimcv/plugins/imc_test/imc_test_state.c11
-rw-r--r--src/libimcv/plugins/imv_os/Makefile.am24
-rw-r--r--src/libimcv/plugins/imv_os/Makefile.in684
-rw-r--r--src/libimcv/plugins/imv_os/imv_os.c590
-rw-r--r--src/libimcv/plugins/imv_os/imv_os_database.c311
-rw-r--r--src/libimcv/plugins/imv_os/imv_os_database.h80
-rw-r--r--src/libimcv/plugins/imv_os/imv_os_state.c621
-rw-r--r--src/libimcv/plugins/imv_os/imv_os_state.h164
-rw-r--r--src/libimcv/plugins/imv_os/pacman.c498
-rwxr-xr-xsrc/libimcv/plugins/imv_os/pacman.sh40
-rw-r--r--src/libimcv/plugins/imv_scanner/Makefile.in32
-rw-r--r--src/libimcv/plugins/imv_scanner/imv_scanner.c194
-rw-r--r--src/libimcv/plugins/imv_scanner/imv_scanner_state.c161
-rw-r--r--src/libimcv/plugins/imv_scanner/imv_scanner_state.h4
-rw-r--r--src/libimcv/plugins/imv_test/Makefile.in32
-rw-r--r--src/libimcv/plugins/imv_test/imv_test.c177
-rw-r--r--src/libimcv/plugins/imv_test/imv_test_state.c88
-rw-r--r--src/libipsec/Makefile.in32
-rw-r--r--src/libipsec/esp_context.c2
-rw-r--r--src/libipsec/esp_packet.c2
-rw-r--r--src/libipsec/esp_packet.h4
-rw-r--r--src/libipsec/ip_packet.c2
-rw-r--r--src/libipsec/ip_packet.h4
-rw-r--r--src/libipsec/ipsec.c2
-rw-r--r--src/libipsec/ipsec_event_relay.c6
-rw-r--r--src/libipsec/ipsec_policy.c2
-rw-r--r--src/libipsec/ipsec_policy.h2
-rw-r--r--src/libipsec/ipsec_policy_mgr.c4
-rw-r--r--src/libipsec/ipsec_policy_mgr.h4
-rw-r--r--src/libipsec/ipsec_processor.c8
-rw-r--r--src/libipsec/ipsec_sa.c18
-rw-r--r--src/libipsec/ipsec_sa.h16
-rw-r--r--src/libipsec/ipsec_sa_mgr.c75
-rw-r--r--src/libipsec/ipsec_sa_mgr.h23
-rw-r--r--src/libpts/Makefile.am8
-rw-r--r--src/libpts/Makefile.in46
-rw-r--r--src/libpts/libpts.c2
-rw-r--r--src/libpts/plugins/imc_attestation/Makefile.in32
-rw-r--r--src/libpts/plugins/imc_attestation/imc_attestation.c166
-rw-r--r--src/libpts/plugins/imc_attestation/imc_attestation_process.c53
-rw-r--r--src/libpts/plugins/imc_attestation/imc_attestation_process.h5
-rw-r--r--src/libpts/plugins/imc_attestation/imc_attestation_state.c14
-rw-r--r--src/libpts/plugins/imv_attestation/Makefile.in34
-rw-r--r--src/libpts/plugins/imv_attestation/attest.c51
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.c339
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.h47
-rw-r--r--src/libpts/plugins/imv_attestation/attest_usage.c31
-rwxr-xr-xsrc/libpts/plugins/imv_attestation/build-database.sh2
-rw-r--r--src/libpts/plugins/imv_attestation/data.sql2
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation.c276
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_build.c32
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_build.h6
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_process.c24
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_process.h7
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_state.c164
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_state.h25
-rw-r--r--src/libpts/plugins/imv_attestation/tables.sql51
-rw-r--r--src/libpts/pts/components/ita/ita_comp_ima.c16
-rw-r--r--src/libpts/pts/components/ita/ita_comp_tboot.c8
-rw-r--r--src/libpts/pts/components/ita/ita_comp_tgrub.c8
-rw-r--r--src/libpts/pts/components/pts_comp_evidence.c4
-rw-r--r--src/libpts/pts/components/pts_comp_func_name.c2
-rw-r--r--src/libpts/pts/components/pts_component_manager.c10
-rw-r--r--src/libpts/pts/pts.c198
-rw-r--r--src/libpts/pts/pts.h7
-rw-r--r--src/libpts/pts/pts_creds.c2
-rw-r--r--src/libpts/pts/pts_database.c10
-rw-r--r--src/libpts/pts/pts_dh_group.c4
-rw-r--r--src/libpts/pts/pts_file_meas.c8
-rw-r--r--src/libpts/pts/pts_file_meta.c4
-rw-r--r--src/libpts/pts/pts_meas_algo.c4
-rw-r--r--src/libpts/pts/pts_pcr.c2
-rw-r--r--src/libpts/tcg/tcg_pts_attr_aik.c6
-rw-r--r--src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c8
-rw-r--r--src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c8
-rw-r--r--src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c8
-rw-r--r--src/libpts/tcg/tcg_pts_attr_file_meas.c38
-rw-r--r--src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c6
-rw-r--r--src/libpts/tcg/tcg_pts_attr_get_aik.c4
-rw-r--r--src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c6
-rw-r--r--src/libpts/tcg/tcg_pts_attr_meas_algo.c8
-rw-r--r--src/libpts/tcg/tcg_pts_attr_proto_caps.c8
-rw-r--r--src/libpts/tcg/tcg_pts_attr_req_file_meas.c23
-rw-r--r--src/libpts/tcg/tcg_pts_attr_req_file_meta.c27
-rw-r--r--src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c12
-rw-r--r--src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c36
-rw-r--r--src/libpts/tcg/tcg_pts_attr_simple_evid_final.c34
-rw-r--r--src/libpts/tcg/tcg_pts_attr_tpm_version_info.c6
-rw-r--r--src/libpts/tcg/tcg_pts_attr_unix_file_meta.c28
-rw-r--r--src/libradius/Makefile.in32
-rw-r--r--src/libradius/radius_client.c6
-rw-r--r--src/libradius/radius_config.c2
-rw-r--r--src/libradius/radius_message.c2
-rw-r--r--src/libradius/radius_socket.c2
-rw-r--r--src/libradius/radius_socket.h2
-rw-r--r--src/libsimaka/Makefile.in32
-rw-r--r--src/libsimaka/simaka_crypto.c4
-rw-r--r--src/libsimaka/simaka_manager.c4
-rw-r--r--src/libsimaka/simaka_manager.h2
-rw-r--r--src/libsimaka/simaka_message.c4
-rw-r--r--src/libsimaka/simaka_message.h2
-rw-r--r--src/libstrongswan/Android.mk18
-rw-r--r--src/libstrongswan/Makefile.am49
-rw-r--r--src/libstrongswan/Makefile.in471
-rw-r--r--src/libstrongswan/asn1/asn1.c2
-rw-r--r--src/libstrongswan/asn1/asn1_parser.c2
-rw-r--r--src/libstrongswan/asn1/oid.c72
-rw-r--r--src/libstrongswan/asn1/oid.h32
-rw-r--r--src/libstrongswan/asn1/oid.txt2
-rw-r--r--src/libstrongswan/bio/bio_reader.c2
-rw-r--r--src/libstrongswan/bio/bio_writer.h7
-rw-r--r--src/libstrongswan/collections/blocking_queue.c (renamed from src/libstrongswan/utils/blocking_queue.c)2
-rw-r--r--src/libstrongswan/collections/blocking_queue.h (renamed from src/libstrongswan/utils/blocking_queue.h)2
-rw-r--r--src/libstrongswan/collections/enumerator.c (renamed from src/libstrongswan/utils/enumerator.c)2
-rw-r--r--src/libstrongswan/collections/enumerator.h (renamed from src/libstrongswan/utils/enumerator.h)4
-rw-r--r--src/libstrongswan/collections/hashtable.c (renamed from src/libstrongswan/utils/hashtable.c)0
-rw-r--r--src/libstrongswan/collections/hashtable.h (renamed from src/libstrongswan/utils/hashtable.h)4
-rw-r--r--src/libstrongswan/collections/linked_list.c (renamed from src/libstrongswan/utils/linked_list.c)0
-rw-r--r--src/libstrongswan/collections/linked_list.h (renamed from src/libstrongswan/utils/linked_list.h)4
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c4
-rw-r--r--src/libstrongswan/credentials/auth_cfg.h2
-rw-r--r--src/libstrongswan/credentials/builder.c6
-rw-r--r--src/libstrongswan/credentials/builder.h14
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c2
-rw-r--r--src/libstrongswan/credentials/certificates/crl.c2
-rw-r--r--src/libstrongswan/credentials/certificates/pkcs10.h2
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h2
-rw-r--r--src/libstrongswan/credentials/containers/container.c23
-rw-r--r--src/libstrongswan/credentials/containers/container.h93
-rw-r--r--src/libstrongswan/credentials/containers/pkcs7.h63
-rw-r--r--src/libstrongswan/credentials/cred_encoding.c4
-rw-r--r--src/libstrongswan/credentials/credential_factory.c25
-rw-r--r--src/libstrongswan/credentials/credential_factory.h5
-rw-r--r--src/libstrongswan/credentials/credential_manager.c4
-rw-r--r--src/libstrongswan/credentials/credential_manager.h2
-rw-r--r--src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c2
-rw-r--r--src/libstrongswan/credentials/keys/shared_key.h2
-rw-r--r--src/libstrongswan/credentials/sets/auth_cfg_wrapper.c2
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c2
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.c2
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.h2
-rw-r--r--src/libstrongswan/crypto/aead.c2
-rw-r--r--src/libstrongswan/crypto/crypto_factory.c4
-rw-r--r--src/libstrongswan/crypto/crypto_factory.h1
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c4
-rw-r--r--src/libstrongswan/crypto/nonce_gen.h4
-rw-r--r--src/libstrongswan/crypto/pkcs7.c1061
-rw-r--r--src/libstrongswan/crypto/pkcs7.h178
-rw-r--r--src/libstrongswan/crypto/pkcs9.c369
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.c2
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.c198
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords_static.txt8
-rw-r--r--src/libstrongswan/crypto/transform.h2
-rw-r--r--src/libstrongswan/database/database.h2
-rw-r--r--src/libstrongswan/database/database_factory.c2
-rw-r--r--src/libstrongswan/eap/eap.c2
-rw-r--r--src/libstrongswan/fetcher/fetcher.h2
-rw-r--r--src/libstrongswan/fetcher/fetcher_manager.c4
-rw-r--r--src/libstrongswan/library.c39
-rw-r--r--src/libstrongswan/library.h29
-rw-r--r--src/libstrongswan/networking/host.c (renamed from src/libstrongswan/utils/host.c)135
-rw-r--r--src/libstrongswan/networking/host.h (renamed from src/libstrongswan/utils/host.h)15
-rw-r--r--src/libstrongswan/networking/host_resolver.c351
-rw-r--r--src/libstrongswan/networking/host_resolver.h60
-rw-r--r--src/libstrongswan/networking/packet.c (renamed from src/libstrongswan/utils/packet.c)0
-rw-r--r--src/libstrongswan/networking/packet.h (renamed from src/libstrongswan/utils/packet.h)4
-rw-r--r--src/libstrongswan/networking/tun_device.c (renamed from src/libstrongswan/utils/tun_device.c)2
-rw-r--r--src/libstrongswan/networking/tun_device.h (renamed from src/libstrongswan/utils/tun_device.h)4
-rw-r--r--src/libstrongswan/pen/pen.c16
-rw-r--r--src/libstrongswan/pen/pen.h5
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/af_alg/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_ops.c2
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/agent/agent_private_key.c4
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/ccm/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/cmac/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/cmac/cmac.c2
-rw-r--r--src/libstrongswan/plugins/constraints/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c4
-rw-r--r--src/libstrongswan/plugins/ctr/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/curl/curl_fetcher.c2
-rw-r--r--src/libstrongswan/plugins/curl/curl_plugin.c2
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/dnskey/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/dnskey/dnskey_builder.c2
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/fips_prf/fips_prf.c2
-rw-r--r--src/libstrongswan/plugins/gcm/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c2
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_dh.c2
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c2
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c2
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c2
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c2
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c309
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c4
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/ldap/ldap_fetcher.c2
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_database.c6
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_plugin.c2
-rw-r--r--src/libstrongswan/plugins/nonce/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/nonce/nonce_nonceg.c2
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.am1
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in36
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crl.c4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_private_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_public_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_pkcs7.c790
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_pkcs7.h37
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c7
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rng.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_util.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c8
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_plugin.c2
-rw-r--r--src/libstrongswan/plugins/pem/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/pem/pem_builder.c9
-rw-r--r--src/libstrongswan/plugins/pgp/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/pgp/pgp_builder.c4
-rw-r--r--src/libstrongswan/plugins/pgp/pgp_cert.c2
-rw-r--r--src/libstrongswan/plugins/pgp/pgp_encoder.c2
-rw-r--r--src/libstrongswan/plugins/pgp/pgp_utils.c2
-rw-r--r--src/libstrongswan/plugins/pkcs1/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_builder.c2
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c2
-rw-r--r--src/libstrongswan/plugins/pkcs11/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_creds.c114
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_creds.h12
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_dh.c2
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c2
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.c7
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.h8
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_manager.c4
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c42
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c78
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c20
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h13
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_rng.c2
-rw-r--r--src/libstrongswan/plugins/pkcs7/Makefile.am20
-rw-r--r--src/libstrongswan/plugins/pkcs7/Makefile.in641
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c273
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h (renamed from src/libstrongswan/crypto/pkcs9.h)51
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_data.c156
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_data.h46
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c613
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h44
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_generic.c126
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_generic.h38
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c84
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h42
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c678
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h44
-rw-r--r--src/libstrongswan/plugins/pkcs8/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/pkcs8/pkcs8_builder.c2
-rw-r--r--src/libstrongswan/plugins/plugin_feature.c27
-rw-r--r--src/libstrongswan/plugins/plugin_feature.h11
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c8
-rw-r--r--src/libstrongswan/plugins/plugin_loader.h2
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/pubkey/pubkey_cert.c2
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/random/random_plugin.c2
-rw-r--r--src/libstrongswan/plugins/random/random_rng.c2
-rw-r--r--src/libstrongswan/plugins/rdrand/Makefile.am16
-rw-r--r--src/libstrongswan/plugins/rdrand/Makefile.in632
-rw-r--r--src/libstrongswan/plugins/rdrand/rdrand_plugin.c137
-rw-r--r--src/libstrongswan/plugins/rdrand/rdrand_plugin.h42
-rw-r--r--src/libstrongswan/plugins/rdrand/rdrand_rng.c442
-rw-r--r--src/libstrongswan/plugins/rdrand/rdrand_rng.h47
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c2
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/soup/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/soup/soup_fetcher.c2
-rw-r--r--src/libstrongswan/plugins/soup/soup_plugin.c3
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/sqlite/sqlite_database.c7
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/rng.c2
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c8
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_pkcs10.c4
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in32
-rw-r--r--src/libstrongswan/plugins/xcbc/xcbc.c2
-rw-r--r--src/libstrongswan/processing/jobs/callback_job.c2
-rw-r--r--src/libstrongswan/processing/processor.c4
-rw-r--r--src/libstrongswan/processing/scheduler.c2
-rw-r--r--src/libstrongswan/selectors/traffic_selector.c21
-rw-r--r--src/libstrongswan/selectors/traffic_selector.h15
-rw-r--r--src/libstrongswan/threading/mutex.c10
-rw-r--r--src/libstrongswan/threading/rwlock.c9
-rw-r--r--src/libstrongswan/threading/spinlock.c24
-rw-r--r--src/libstrongswan/threading/thread.c4
-rw-r--r--src/libstrongswan/utils/backtrace.c2
-rw-r--r--src/libstrongswan/utils/capabilities.c2
-rw-r--r--src/libstrongswan/utils/chunk.c (renamed from src/libstrongswan/chunk.c)0
-rw-r--r--src/libstrongswan/utils/chunk.h (renamed from src/libstrongswan/chunk.h)2
-rw-r--r--src/libstrongswan/utils/debug.c (renamed from src/libstrongswan/debug.c)0
-rw-r--r--src/libstrongswan/utils/debug.h (renamed from src/libstrongswan/debug.h)4
-rw-r--r--src/libstrongswan/utils/enum.c (renamed from src/libstrongswan/enum.c)12
-rw-r--r--src/libstrongswan/utils/enum.h (renamed from src/libstrongswan/enum.h)2
-rw-r--r--src/libstrongswan/utils/identification.h4
-rw-r--r--src/libstrongswan/utils/integrity_checker.c (renamed from src/libstrongswan/integrity_checker.c)0
-rw-r--r--src/libstrongswan/utils/integrity_checker.h (renamed from src/libstrongswan/integrity_checker.h)2
-rw-r--r--src/libstrongswan/utils/leak_detective.c4
-rw-r--r--src/libstrongswan/utils/optionsfrom.c16
-rw-r--r--src/libstrongswan/utils/printf_hook.c (renamed from src/libstrongswan/printf_hook.c)0
-rw-r--r--src/libstrongswan/utils/printf_hook.h (renamed from src/libstrongswan/printf_hook.h)2
-rw-r--r--src/libstrongswan/utils/settings.c (renamed from src/libstrongswan/settings.c)4
-rw-r--r--src/libstrongswan/utils/settings.h (renamed from src/libstrongswan/settings.h)4
-rw-r--r--src/libstrongswan/utils/utils.c (renamed from src/libstrongswan/utils.c)5
-rw-r--r--src/libstrongswan/utils/utils.h (renamed from src/libstrongswan/utils.h)20
-rw-r--r--src/libtls/Makefile.in36
-rw-r--r--src/libtls/tls.c2
-rw-r--r--src/libtls/tls_alert.c4
-rw-r--r--src/libtls/tls_cache.c6
-rw-r--r--src/libtls/tls_crypto.c3
-rw-r--r--src/libtls/tls_eap.c2
-rw-r--r--src/libtls/tls_fragmentation.c2
-rw-r--r--src/libtls/tls_peer.c3
-rw-r--r--src/libtls/tls_protection.c2
-rw-r--r--src/libtls/tls_server.c2
-rw-r--r--src/libtls/tls_socket.c2
-rw-r--r--src/libtnccs/Makefile.in32
-rw-r--r--src/libtnccs/tnc/imc/imc_manager.h26
-rw-r--r--src/libtnccs/tnc/imv/imv_manager.h25
-rw-r--r--src/libtnccs/tnc/tnc.c52
-rw-r--r--src/libtnccs/tnc/tnccs/tnccs_manager.c2
-rw-r--r--src/libtncif/Makefile.in26
-rw-r--r--src/libtncif/tncif_pa_subtypes.c7
-rw-r--r--src/libtncif/tncif_pa_subtypes.h1
-rw-r--r--src/manager/Makefile.in60
-rw-r--r--src/manager/gateway.h4
-rw-r--r--src/manager/main.c2
-rw-r--r--src/manager/manager.c2
-rw-r--r--src/manager/storage.h2
-rw-r--r--src/manager/xml.h2
-rw-r--r--src/medsrv/Makefile.in48
-rw-r--r--src/medsrv/controller/peer_controller.c2
-rw-r--r--src/medsrv/filter/auth_filter.c2
-rw-r--r--src/medsrv/main.c2
-rw-r--r--src/openac/Makefile.in36
-rw-r--r--src/openac/openac.c2
-rw-r--r--src/pki/Makefile.am1
-rw-r--r--src/pki/Makefile.in44
-rw-r--r--src/pki/command.c2
-rw-r--r--src/pki/commands/gen.c57
-rw-r--r--src/pki/commands/issue.c4
-rw-r--r--src/pki/commands/pkcs7.c462
-rw-r--r--src/pki/commands/req.c2
-rw-r--r--src/pki/commands/self.c2
-rw-r--r--src/pki/commands/signcrl.c4
-rw-r--r--src/pki/pki.c2
-rw-r--r--src/scepclient/Makefile.in36
-rw-r--r--src/scepclient/scep.c198
-rw-r--r--src/scepclient/scep.h7
-rw-r--r--src/scepclient/scepclient.c116
-rw-r--r--src/starter/Makefile.in40
-rw-r--r--src/starter/args.c10
-rw-r--r--src/starter/confread.c4
-rw-r--r--src/starter/confread.h10
-rw-r--r--src/starter/invokecharon.c2
-rw-r--r--src/starter/keywords.c302
-rw-r--r--src/starter/keywords.h1
-rw-r--r--src/starter/keywords.txt1
-rw-r--r--src/starter/klips.c2
-rw-r--r--src/starter/netkey.c2
-rw-r--r--src/starter/parser.c471
-rw-r--r--src/starter/parser.h14
-rw-r--r--src/starter/parser.y2
-rw-r--r--src/starter/starter.c15
-rw-r--r--src/starter/starterstroke.c13
-rw-r--r--src/starter/starterstroke.h1
-rw-r--r--src/stroke/Makefile.in26
-rw-r--r--src/stroke/stroke.c10
-rw-r--r--src/stroke/stroke_keywords.c101
-rw-r--r--src/stroke/stroke_keywords.h1
-rw-r--r--src/stroke/stroke_keywords.txt1
-rw-r--r--src/stroke/stroke_msg.h5
-rw-r--r--testing/INSTALL145
-rw-r--r--testing/Makefile.am13
-rw-r--r--testing/Makefile.in45
-rw-r--r--testing/README170
-rw-r--r--testing/config/kernel/config-3.51817
-rw-r--r--testing/config/kernel/config-3.61830
-rw-r--r--testing/config/kvm/alice.xml70
-rw-r--r--testing/config/kvm/bob.xml64
-rw-r--r--testing/config/kvm/carol.xml64
-rw-r--r--testing/config/kvm/dave.xml64
-rw-r--r--testing/config/kvm/moon.xml70
-rw-r--r--testing/config/kvm/sun.xml70
-rw-r--r--testing/config/kvm/venus.xml64
-rw-r--r--testing/config/kvm/vnet1.xml11
-rw-r--r--testing/config/kvm/vnet2.xml11
-rw-r--r--testing/config/kvm/vnet3.xml11
-rw-r--r--testing/config/kvm/winnetou.xml64
-rwxr-xr-xtesting/do-tests (renamed from testing/do-tests.in)188
-rw-r--r--testing/hosts/alice/etc/conf.d/hostname1
-rw-r--r--testing/hosts/alice/etc/conf.d/net12
-rw-r--r--testing/hosts/alice/etc/freeradius/clients.conf4
-rw-r--r--testing/hosts/alice/etc/freeradius/dictionary32
-rw-r--r--testing/hosts/alice/etc/freeradius/radiusd.conf (renamed from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf)18
-rw-r--r--testing/hosts/alice/etc/hostname1
-rwxr-xr-xtesting/hosts/alice/etc/init.d/iptables74
-rwxr-xr-xtesting/hosts/alice/etc/init.d/net.eth01124
-rwxr-xr-xtesting/hosts/alice/etc/init.d/net.eth11124
-rwxr-xr-xtesting/hosts/alice/etc/init.d/radiusd64
-rw-r--r--[-rwxr-xr-x]testing/hosts/alice/etc/ipsec.conf2
-rw-r--r--testing/hosts/alice/etc/network/interfaces20
-rwxr-xr-xtesting/hosts/alice/etc/runlevels/default/net.eth01124
-rw-r--r--testing/hosts/bob/etc/conf.d/hostname1
-rw-r--r--testing/hosts/bob/etc/conf.d/net10
-rw-r--r--testing/hosts/bob/etc/hostname1
-rwxr-xr-xtesting/hosts/bob/etc/init.d/iptables74
-rwxr-xr-xtesting/hosts/bob/etc/init.d/net.eth01124
-rw-r--r--[-rwxr-xr-x]testing/hosts/bob/etc/ipsec.conf0
-rw-r--r--testing/hosts/bob/etc/network/interfaces12
-rwxr-xr-xtesting/hosts/bob/etc/runlevels/default/net.eth01124
-rw-r--r--testing/hosts/carol/etc/conf.d/hostname1
-rw-r--r--testing/hosts/carol/etc/conf.d/net10
-rw-r--r--testing/hosts/carol/etc/hostname1
-rwxr-xr-xtesting/hosts/carol/etc/init.d/iptables77
-rwxr-xr-xtesting/hosts/carol/etc/init.d/net.eth01124
-rw-r--r--[-rwxr-xr-x]testing/hosts/carol/etc/ipsec.conf4
-rw-r--r--testing/hosts/carol/etc/network/interfaces12
-rwxr-xr-xtesting/hosts/carol/etc/runlevels/default/net.eth01124
-rw-r--r--testing/hosts/dave/etc/conf.d/hostname1
-rw-r--r--testing/hosts/dave/etc/conf.d/net10
-rw-r--r--testing/hosts/dave/etc/hostname1
-rwxr-xr-xtesting/hosts/dave/etc/init.d/iptables77
-rwxr-xr-xtesting/hosts/dave/etc/init.d/net.eth01124
-rw-r--r--[-rwxr-xr-x]testing/hosts/dave/etc/ipsec.conf4
-rw-r--r--testing/hosts/dave/etc/network/interfaces12
-rwxr-xr-xtesting/hosts/dave/etc/runlevels/default/net.eth01124
-rw-r--r--testing/hosts/default/etc/default/slapd45
-rw-r--r--testing/hosts/default/etc/fstab1
-rw-r--r--testing/hosts/default/etc/ip6tables.flush15
-rw-r--r--testing/hosts/default/etc/ip6tables.rules39
-rw-r--r--testing/hosts/default/etc/iptables.drop12
-rw-r--r--testing/hosts/default/etc/iptables.flush21
-rw-r--r--testing/hosts/default/etc/iptables.rules28
-rw-r--r--testing/hosts/default/etc/profile.d/coredumps.sh5
-rw-r--r--testing/hosts/default/etc/rsyslog.conf125
-rw-r--r--testing/hosts/default/etc/security/limits.conf58
-rw-r--r--testing/hosts/default/etc/ssh/sshd_config13
-rw-r--r--testing/hosts/default/etc/sysctl.conf62
-rw-r--r--testing/hosts/default/root/.ssh/config3
-rwxr-xr-xtesting/hosts/default/usr/local/bin/expect-connection27
-rw-r--r--testing/hosts/moon/etc/conf.d/hostname1
-rw-r--r--testing/hosts/moon/etc/conf.d/net12
-rw-r--r--testing/hosts/moon/etc/hostname1
-rwxr-xr-xtesting/hosts/moon/etc/init.d/iptables80
-rwxr-xr-xtesting/hosts/moon/etc/init.d/net.eth01124
-rwxr-xr-xtesting/hosts/moon/etc/init.d/net.eth11124
-rw-r--r--[-rwxr-xr-x]testing/hosts/moon/etc/ipsec.conf8
-rw-r--r--testing/hosts/moon/etc/network/interfaces21
-rwxr-xr-xtesting/hosts/moon/etc/rc.local20
-rwxr-xr-xtesting/hosts/moon/etc/runlevels/default/net.eth01124
-rwxr-xr-xtesting/hosts/moon/etc/runlevels/default/net.eth11124
-rw-r--r--testing/hosts/ssh_host_rsa_key.pub1
-rw-r--r--testing/hosts/sun/etc/conf.d/hostname1
-rw-r--r--testing/hosts/sun/etc/conf.d/net14
-rw-r--r--testing/hosts/sun/etc/hostname1
-rwxr-xr-xtesting/hosts/sun/etc/init.d/iptables80
-rwxr-xr-xtesting/hosts/sun/etc/init.d/net.eth01124
-rwxr-xr-xtesting/hosts/sun/etc/init.d/net.eth11124
-rw-r--r--[-rwxr-xr-x]testing/hosts/sun/etc/ipsec.conf6
-rw-r--r--testing/hosts/sun/etc/network/interfaces21
-rwxr-xr-xtesting/hosts/sun/etc/runlevels/default/net.eth01124
-rwxr-xr-xtesting/hosts/sun/etc/runlevels/default/net.eth11124
-rw-r--r--testing/hosts/venus/etc/conf.d/hostname1
-rw-r--r--testing/hosts/venus/etc/conf.d/net10
-rw-r--r--testing/hosts/venus/etc/hostname1
-rwxr-xr-xtesting/hosts/venus/etc/init.d/iptables74
-rwxr-xr-xtesting/hosts/venus/etc/init.d/net.eth01124
-rw-r--r--[-rwxr-xr-x]testing/hosts/venus/etc/ipsec.conf2
-rw-r--r--testing/hosts/venus/etc/network/interfaces12
-rwxr-xr-xtesting/hosts/venus/etc/runlevels/default/net.eth01124
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text1
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt22
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt24
-rw-r--r--testing/hosts/winnetou/etc/apache2/conf/ssl/server.key27
-rw-r--r--testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf61
-rw-r--r--testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost (renamed from testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf)2
-rw-r--r--testing/hosts/winnetou/etc/conf.d/hostname1
-rw-r--r--testing/hosts/winnetou/etc/conf.d/net10
-rw-r--r--testing/hosts/winnetou/etc/conf.d/slapd8
-rwxr-xr-xtesting/hosts/winnetou/etc/init.d/apache2121
-rwxr-xr-xtesting/hosts/winnetou/etc/init.d/net.eth01124
-rwxr-xr-xtesting/hosts/winnetou/etc/init.d/slapd25
-rw-r--r--testing/hosts/winnetou/etc/ldap/ldif.txt (renamed from testing/hosts/winnetou/etc/openldap/ldif.txt)3
-rw-r--r--testing/hosts/winnetou/etc/ldap/slapd.conf23
-rw-r--r--testing/hosts/winnetou/etc/network/interfaces12
-rw-r--r--testing/hosts/winnetou/etc/openldap/slapd.conf68
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/generate-crl18
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.html4
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi8
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi8
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi8
-rwxr-xr-xtesting/hosts/winnetou/etc/runlevels/default/apache2121
-rwxr-xr-xtesting/hosts/winnetou/etc/runlevels/default/net.eth01124
-rwxr-xr-xtesting/make-testing84
-rwxr-xr-xtesting/scripts/build-baseimage79
-rwxr-xr-xtesting/scripts/build-guestimages65
-rwxr-xr-xtesting/scripts/build-guestkernel49
-rwxr-xr-xtesting/scripts/build-hostconfig122
-rwxr-xr-xtesting/scripts/build-rootimage67
-rwxr-xr-xtesting/scripts/build-sshkeys86
-rwxr-xr-xtesting/scripts/build-umlhostfs78
-rwxr-xr-xtesting/scripts/build-umlkernel130
-rwxr-xr-xtesting/scripts/build-umlrootfs451
-rwxr-xr-xtesting/scripts/function.sh208
-rwxr-xr-xtesting/scripts/gstart-umls126
-rwxr-xr-xtesting/scripts/install-shared38
-rwxr-xr-xtesting/scripts/kstart-umls126
-rwxr-xr-xtesting/scripts/load-testconfig17
-rw-r--r--testing/scripts/recipes/001_libtnc.mk31
-rw-r--r--testing/scripts/recipes/002_tnc-fhh.mk28
-rw-r--r--testing/scripts/recipes/003_freeradius.mk44
-rw-r--r--testing/scripts/recipes/004_iptables.mk37
-rw-r--r--testing/scripts/recipes/005_strongswan.mk87
-rw-r--r--testing/scripts/recipes/patches/freeradius-avp-size18
-rw-r--r--testing/scripts/recipes/patches/freeradius-eap-sim-identity30
-rw-r--r--testing/scripts/recipes/patches/freeradius-tnc-fhh6687
-rw-r--r--testing/scripts/recipes/patches/iptables-xfrm-hooks61
-rwxr-xr-xtesting/scripts/restore-defaults23
-rwxr-xr-xtesting/scripts/shutdown-umls38
-rwxr-xr-xtesting/scripts/start-bridges64
-rwxr-xr-xtesting/scripts/start-umls117
-rwxr-xr-xtesting/scripts/stop-bridges49
-rwxr-xr-xtesting/scripts/xstart-umls126
-rw-r--r--testing/ssh_config3
-rwxr-xr-xtesting/start-testing129
-rwxr-xr-xtesting/stop-testing70
-rw-r--r--[-rwxr-xr-x]testing/testing.conf220
-rw-r--r--testing/tests/af-alg/alg-camellia/evaltest.dat2
-rw-r--r--testing/tests/af-alg/alg-camellia/posttest.dat4
-rw-r--r--testing/tests/af-alg/alg-camellia/pretest.dat4
-rw-r--r--testing/tests/af-alg/alg-camellia/test.conf10
-rw-r--r--testing/tests/af-alg/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/af-alg/rw-cert/posttest.dat6
-rw-r--r--testing/tests/af-alg/rw-cert/pretest.dat6
-rw-r--r--testing/tests/af-alg/rw-cert/test.conf10
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat2
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/test.conf10
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat2
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/test.conf10
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat2
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat4
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat4
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/test.conf10
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/pretest.dat6
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/test.conf10
-rw-r--r--testing/tests/ha/both-active/evaltest.dat4
-rwxr-xr-xtesting/tests/ha/both-active/hosts/alice/etc/init.d/iptables104
-rw-r--r--testing/tests/ha/both-active/hosts/alice/etc/iptables.rules50
-rwxr-xr-xtesting/tests/ha/both-active/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ha/both-active/hosts/moon/etc/iptables.rules50
-rw-r--r--testing/tests/ha/both-active/posttest.dat10
-rw-r--r--testing/tests/ha/both-active/pretest.dat10
-rw-r--r--testing/tests/ha/both-active/test.conf10
-rw-r--r--testing/tests/ike/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/ike/rw-cert/pretest.dat1
-rw-r--r--testing/tests/ike/rw-cert/test.conf10
-rw-r--r--testing/tests/ike/rw_v1-net_v2/evaltest.dat4
-rw-r--r--testing/tests/ike/rw_v1-net_v2/pretest.dat2
-rw-r--r--testing/tests/ike/rw_v1-net_v2/test.conf10
-rw-r--r--testing/tests/ikev1/alg-3des-md5/evaltest.dat6
-rw-r--r--testing/tests/ikev1/alg-3des-md5/posttest.dat4
-rw-r--r--testing/tests/ikev1/alg-3des-md5/pretest.dat4
-rw-r--r--testing/tests/ikev1/alg-3des-md5/test.conf10
-rw-r--r--testing/tests/ikev1/alg-blowfish/evaltest.dat4
-rw-r--r--testing/tests/ikev1/alg-blowfish/posttest.dat6
-rw-r--r--testing/tests/ikev1/alg-blowfish/pretest.dat6
-rw-r--r--testing/tests/ikev1/alg-blowfish/test.conf10
-rw-r--r--testing/tests/ikev1/alg-modp-subgroup/evaltest.dat4
-rw-r--r--testing/tests/ikev1/alg-modp-subgroup/posttest.dat6
-rw-r--r--testing/tests/ikev1/alg-modp-subgroup/pretest.dat6
-rw-r--r--testing/tests/ikev1/alg-modp-subgroup/test.conf10
-rw-r--r--testing/tests/ikev1/alg-sha256/evaltest.dat6
-rw-r--r--testing/tests/ikev1/alg-sha256/posttest.dat4
-rw-r--r--testing/tests/ikev1/alg-sha256/pretest.dat4
-rw-r--r--testing/tests/ikev1/alg-sha256/test.conf10
-rw-r--r--testing/tests/ikev1/alg-sha384/evaltest.dat6
-rw-r--r--testing/tests/ikev1/alg-sha384/posttest.dat4
-rw-r--r--testing/tests/ikev1/alg-sha384/pretest.dat4
-rw-r--r--testing/tests/ikev1/alg-sha384/test.conf10
-rw-r--r--testing/tests/ikev1/alg-sha512/evaltest.dat6
-rw-r--r--testing/tests/ikev1/alg-sha512/posttest.dat4
-rw-r--r--testing/tests/ikev1/alg-sha512/pretest.dat4
-rw-r--r--testing/tests/ikev1/alg-sha512/test.conf10
-rw-r--r--testing/tests/ikev1/compress/pretest.dat1
-rw-r--r--testing/tests/ikev1/compress/test.conf10
-rw-r--r--testing/tests/ikev1/config-payload/evaltest.dat4
-rw-r--r--testing/tests/ikev1/config-payload/posttest.dat6
-rw-r--r--testing/tests/ikev1/config-payload/pretest.dat6
-rw-r--r--testing/tests/ikev1/config-payload/test.conf10
-rw-r--r--testing/tests/ikev1/double-nat-net/evaltest.dat6
-rw-r--r--testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules24
-rw-r--r--testing/tests/ikev1/double-nat-net/posttest.dat4
-rw-r--r--testing/tests/ikev1/double-nat-net/pretest.dat7
-rw-r--r--testing/tests/ikev1/double-nat-net/test.conf10
-rw-r--r--testing/tests/ikev1/double-nat/evaltest.dat6
-rw-r--r--testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules24
-rw-r--r--testing/tests/ikev1/double-nat/posttest.dat4
-rw-r--r--testing/tests/ikev1/double-nat/pretest.dat6
-rw-r--r--testing/tests/ikev1/double-nat/test.conf10
-rw-r--r--testing/tests/ikev1/dpd-clear/test.conf10
-rw-r--r--testing/tests/ikev1/dpd-restart/test.conf10
-rw-r--r--testing/tests/ikev1/dynamic-initiator/evaltest.dat2
-rw-r--r--testing/tests/ikev1/dynamic-initiator/posttest.dat4
-rw-r--r--testing/tests/ikev1/dynamic-initiator/pretest.dat6
-rw-r--r--testing/tests/ikev1/dynamic-initiator/test.conf10
-rw-r--r--testing/tests/ikev1/dynamic-responder/evaltest.dat2
-rw-r--r--testing/tests/ikev1/dynamic-responder/posttest.dat4
-rw-r--r--testing/tests/ikev1/dynamic-responder/pretest.dat6
-rw-r--r--testing/tests/ikev1/dynamic-responder/test.conf10
-rw-r--r--testing/tests/ikev1/dynamic-two-peers/evaltest.dat4
-rw-r--r--testing/tests/ikev1/dynamic-two-peers/posttest.dat6
-rw-r--r--testing/tests/ikev1/dynamic-two-peers/pretest.dat6
-rw-r--r--testing/tests/ikev1/dynamic-two-peers/test.conf10
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat2
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ccm/test.conf10
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat2
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ctr/test.conf10
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat2
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gcm/test.conf10
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat2
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gmac/test.conf10
-rw-r--r--testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat6
-rw-r--r--testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat1
-rw-r--r--testing/tests/ikev1/esp-alg-aes-xcbc/test.conf10
-rw-r--r--testing/tests/ikev1/esp-alg-null/evaltest.dat2
-rw-r--r--testing/tests/ikev1/esp-alg-null/posttest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-null/pretest.dat4
-rw-r--r--testing/tests/ikev1/esp-alg-null/test.conf10
-rw-r--r--testing/tests/ikev1/host2host-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev1/host2host-cert/posttest.dat4
-rw-r--r--testing/tests/ikev1/host2host-cert/pretest.dat4
-rw-r--r--testing/tests/ikev1/host2host-cert/test.conf10
-rw-r--r--testing/tests/ikev1/host2host-transport/evaltest.dat2
-rw-r--r--testing/tests/ikev1/host2host-transport/posttest.dat4
-rw-r--r--testing/tests/ikev1/host2host-transport/pretest.dat4
-rw-r--r--testing/tests/ikev1/host2host-transport/test.conf10
-rw-r--r--testing/tests/ikev1/ip-pool-db/evaltest.dat4
-rw-r--r--testing/tests/ikev1/ip-pool-db/posttest.dat6
-rw-r--r--testing/tests/ikev1/ip-pool-db/pretest.dat6
-rw-r--r--testing/tests/ikev1/ip-pool-db/test.conf10
-rw-r--r--testing/tests/ikev1/ip-pool/evaltest.dat4
-rw-r--r--testing/tests/ikev1/ip-pool/posttest.dat6
-rw-r--r--testing/tests/ikev1/ip-pool/pretest.dat6
-rw-r--r--testing/tests/ikev1/ip-pool/test.conf10
-rw-r--r--testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat1
-rw-r--r--testing/tests/ikev1/multi-level-ca-cr-init/test.conf10
-rw-r--r--testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat1
-rw-r--r--testing/tests/ikev1/multi-level-ca-cr-resp/test.conf10
-rw-r--r--testing/tests/ikev1/multi-level-ca/pretest.dat1
-rw-r--r--testing/tests/ikev1/multi-level-ca/test.conf10
-rw-r--r--testing/tests/ikev1/nat-rw/evaltest.dat14
-rw-r--r--testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/ikev1/nat-rw/posttest.dat6
-rw-r--r--testing/tests/ikev1/nat-rw/pretest.dat7
-rw-r--r--testing/tests/ikev1/nat-rw/test.conf10
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/description.txt6
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/evaltest.dat8
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts70
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf22
-rwxr-xr-xtesting/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown152
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/posttest.dat6
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/pretest.dat8
-rw-r--r--testing/tests/ikev1/nat-virtual-ip/test.conf21
-rw-r--r--testing/tests/ikev1/net2net-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev1/net2net-cert/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-cert/pretest.dat4
-rw-r--r--testing/tests/ikev1/net2net-cert/test.conf10
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/pretest.dat4
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/test.conf10
-rw-r--r--testing/tests/ikev1/net2net-psk/evaltest.dat2
-rw-r--r--testing/tests/ikev1/net2net-psk/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-psk/pretest.dat4
-rw-r--r--testing/tests/ikev1/net2net-psk/test.conf10
-rw-r--r--testing/tests/ikev1/protoport-dual/evaltest.dat4
-rw-r--r--testing/tests/ikev1/protoport-dual/posttest.dat4
-rw-r--r--testing/tests/ikev1/protoport-dual/pretest.dat4
-rw-r--r--testing/tests/ikev1/protoport-dual/test.conf10
-rw-r--r--testing/tests/ikev1/rw-cert-aggressive/evaltest.dat4
-rw-r--r--testing/tests/ikev1/rw-cert-aggressive/posttest.dat6
-rw-r--r--testing/tests/ikev1/rw-cert-aggressive/pretest.dat6
-rw-r--r--testing/tests/ikev1/rw-cert-aggressive/test.conf10
-rw-r--r--testing/tests/ikev1/rw-cert-unity/evaltest.dat2
-rw-r--r--testing/tests/ikev1/rw-cert-unity/test.conf10
-rw-r--r--testing/tests/ikev1/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/ikev1/rw-cert/posttest.dat6
-rw-r--r--testing/tests/ikev1/rw-cert/pretest.dat6
-rw-r--r--testing/tests/ikev1/rw-cert/test.conf10
-rw-r--r--testing/tests/ikev1/rw-psk-aggressive/evaltest.dat4
-rw-r--r--testing/tests/ikev1/rw-psk-aggressive/posttest.dat6
-rw-r--r--testing/tests/ikev1/rw-psk-aggressive/pretest.dat6
-rw-r--r--testing/tests/ikev1/rw-psk-aggressive/test.conf10
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/evaltest.dat4
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/posttest.dat6
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/pretest.dat6
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/test.conf10
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/evaltest.dat4
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/posttest.dat6
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/pretest.dat6
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/test.conf10
-rw-r--r--testing/tests/ikev1/virtual-ip/evaltest.dat12
-rw-r--r--testing/tests/ikev1/virtual-ip/posttest.dat6
-rw-r--r--testing/tests/ikev1/virtual-ip/pretest.dat6
-rw-r--r--testing/tests/ikev1/virtual-ip/test.conf10
-rw-r--r--testing/tests/ikev1/xauth-id-psk-config/evaltest.dat4
-rw-r--r--testing/tests/ikev1/xauth-id-psk-config/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-psk-config/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-psk-config/test.conf10
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat4
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf10
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat4
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-config/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-config/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-config/test.conf10
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat4
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf10
-rw-r--r--testing/tests/ikev1/xauth-psk/evaltest.dat4
-rw-r--r--testing/tests/ikev1/xauth-psk/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-psk/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-psk/test.conf10
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf4
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf12
-rw-r--r--testing/tests/ikev1/xauth-rsa/evaltest.dat4
-rw-r--r--testing/tests/ikev1/xauth-rsa/posttest.dat6
-rw-r--r--testing/tests/ikev1/xauth-rsa/pretest.dat6
-rw-r--r--testing/tests/ikev1/xauth-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/after-2038-certs/evaltest.dat2
-rw-r--r--testing/tests/ikev2/after-2038-certs/posttest.dat4
-rw-r--r--testing/tests/ikev2/after-2038-certs/pretest.dat4
-rw-r--r--testing/tests/ikev2/after-2038-certs/test.conf10
-rw-r--r--testing/tests/ikev2/alg-3des-md5/evaltest.dat6
-rw-r--r--testing/tests/ikev2/alg-3des-md5/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-3des-md5/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-3des-md5/test.conf10
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/evaltest.dat2
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/test.conf10
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/evaltest.dat2
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/test.conf10
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/evaltest.dat2
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/test.conf10
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/evaltest.dat6
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/test.conf10
-rw-r--r--testing/tests/ikev2/alg-blowfish/evaltest.dat4
-rw-r--r--testing/tests/ikev2/alg-blowfish/posttest.dat6
-rw-r--r--testing/tests/ikev2/alg-blowfish/pretest.dat6
-rw-r--r--testing/tests/ikev2/alg-blowfish/test.conf10
-rw-r--r--testing/tests/ikev2/alg-modp-subgroup/evaltest.dat4
-rw-r--r--testing/tests/ikev2/alg-modp-subgroup/posttest.dat6
-rw-r--r--testing/tests/ikev2/alg-modp-subgroup/pretest.dat6
-rw-r--r--testing/tests/ikev2/alg-modp-subgroup/test.conf10
-rw-r--r--testing/tests/ikev2/alg-sha256-96/evaltest.dat6
-rw-r--r--testing/tests/ikev2/alg-sha256-96/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha256-96/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha256-96/test.conf10
-rw-r--r--testing/tests/ikev2/alg-sha256/evaltest.dat6
-rw-r--r--testing/tests/ikev2/alg-sha256/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha256/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha256/test.conf10
-rw-r--r--testing/tests/ikev2/alg-sha384/evaltest.dat6
-rw-r--r--testing/tests/ikev2/alg-sha384/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha384/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha384/test.conf10
-rw-r--r--testing/tests/ikev2/alg-sha512/evaltest.dat6
-rw-r--r--testing/tests/ikev2/alg-sha512/posttest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha512/pretest.dat4
-rw-r--r--testing/tests/ikev2/alg-sha512/test.conf10
-rw-r--r--testing/tests/ikev2/any-interface/pretest.dat2
-rw-r--r--testing/tests/ikev2/any-interface/test.conf10
-rw-r--r--testing/tests/ikev2/compress/pretest.dat1
-rw-r--r--testing/tests/ikev2/compress/test.conf10
-rw-r--r--testing/tests/ikev2/config-payload-swapped/evaltest.dat4
-rw-r--r--testing/tests/ikev2/config-payload-swapped/posttest.dat6
-rw-r--r--testing/tests/ikev2/config-payload-swapped/pretest.dat6
-rw-r--r--testing/tests/ikev2/config-payload-swapped/test.conf10
-rw-r--r--testing/tests/ikev2/config-payload/evaltest.dat4
-rw-r--r--testing/tests/ikev2/config-payload/posttest.dat6
-rw-r--r--testing/tests/ikev2/config-payload/pretest.dat6
-rw-r--r--testing/tests/ikev2/config-payload/test.conf10
-rw-r--r--testing/tests/ikev2/critical-extension/posttest.dat4
-rw-r--r--testing/tests/ikev2/critical-extension/pretest.dat4
-rw-r--r--testing/tests/ikev2/critical-extension/test.conf10
-rw-r--r--testing/tests/ikev2/crl-from-cache/test.conf10
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables77
-rw-r--r--testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules28
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables80
-rw-r--r--testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules28
-rw-r--r--testing/tests/ikev2/crl-ldap/posttest.dat4
-rw-r--r--testing/tests/ikev2/crl-ldap/pretest.dat4
-rw-r--r--testing/tests/ikev2/crl-ldap/test.conf10
-rw-r--r--testing/tests/ikev2/crl-revoked/test.conf10
-rw-r--r--testing/tests/ikev2/crl-to-cache/test.conf10
-rw-r--r--testing/tests/ikev2/default-keys/description.txt6
-rw-r--r--testing/tests/ikev2/default-keys/evaltest.dat2
-rwxr-xr-xtesting/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables82
-rw-r--r--testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules30
-rw-r--r--testing/tests/ikev2/default-keys/posttest.dat4
-rw-r--r--testing/tests/ikev2/default-keys/pretest.dat11
-rw-r--r--testing/tests/ikev2/default-keys/test.conf10
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables91
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules39
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf (renamed from testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf)8
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf6
-rwxr-xr-xtesting/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd24
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/posttest.dat8
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/pretest.dat12
-rw-r--r--testing/tests/ikev2/dhcp-dynamic/test.conf10
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables91
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules39
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf (renamed from testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf)9
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf6
-rwxr-xr-xtesting/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd24
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/posttest.dat8
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/pretest.dat12
-rw-r--r--testing/tests/ikev2/dhcp-static-client-id/test.conf10
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables91
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules39
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf (renamed from testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf)9
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf6
-rwxr-xr-xtesting/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd24
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/posttest.dat8
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/pretest.dat12
-rw-r--r--testing/tests/ikev2/dhcp-static-mac/test.conf10
-rw-r--r--testing/tests/ikev2/double-nat-net/evaltest.dat6
-rw-r--r--testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/double-nat-net/posttest.dat4
-rw-r--r--testing/tests/ikev2/double-nat-net/pretest.dat7
-rw-r--r--testing/tests/ikev2/double-nat-net/test.conf10
-rw-r--r--testing/tests/ikev2/double-nat/evaltest.dat6
-rw-r--r--testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/double-nat/posttest.dat4
-rw-r--r--testing/tests/ikev2/double-nat/pretest.dat6
-rw-r--r--testing/tests/ikev2/double-nat/test.conf10
-rw-r--r--testing/tests/ikev2/dpd-clear/test.conf10
-rw-r--r--testing/tests/ikev2/dpd-hold/test.conf10
-rw-r--r--testing/tests/ikev2/dpd-restart/test.conf10
-rw-r--r--testing/tests/ikev2/dynamic-initiator/evaltest.dat2
-rw-r--r--testing/tests/ikev2/dynamic-initiator/posttest.dat6
-rw-r--r--testing/tests/ikev2/dynamic-initiator/pretest.dat6
-rw-r--r--testing/tests/ikev2/dynamic-initiator/test.conf10
-rw-r--r--testing/tests/ikev2/dynamic-two-peers/evaltest.dat4
-rw-r--r--testing/tests/ikev2/dynamic-two-peers/posttest.dat6
-rw-r--r--testing/tests/ikev2/dynamic-two-peers/pretest.dat6
-rw-r--r--testing/tests/ikev2/dynamic-two-peers/test.conf10
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat2
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gmac/test.conf10
-rw-r--r--testing/tests/ikev2/esp-alg-md5-128/evaltest.dat6
-rw-r--r--testing/tests/ikev2/esp-alg-md5-128/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-md5-128/pretest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-md5-128/test.conf10
-rw-r--r--testing/tests/ikev2/esp-alg-null/evaltest.dat2
-rw-r--r--testing/tests/ikev2/esp-alg-null/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-null/pretest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-null/test.conf10
-rw-r--r--testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat6
-rw-r--r--testing/tests/ikev2/esp-alg-sha1-160/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-sha1-160/pretest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-sha1-160/test.conf10
-rw-r--r--testing/tests/ikev2/farp/evaltest.dat12
-rw-r--r--testing/tests/ikev2/farp/posttest.dat6
-rw-r--r--testing/tests/ikev2/farp/pretest.dat6
-rw-r--r--testing/tests/ikev2/farp/test.conf10
-rw-r--r--testing/tests/ikev2/force-udp-encaps/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables76
-rw-r--r--testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/force-udp-encaps/posttest.dat4
-rw-r--r--testing/tests/ikev2/force-udp-encaps/pretest.dat5
-rw-r--r--testing/tests/ikev2/force-udp-encaps/test.conf10
-rw-r--r--testing/tests/ikev2/host2host-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev2/host2host-cert/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/host2host-cert/test.conf10
-rw-r--r--testing/tests/ikev2/host2host-swapped/evaltest.dat2
-rw-r--r--testing/tests/ikev2/host2host-swapped/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-swapped/pretest.dat4
-rw-r--r--testing/tests/ikev2/host2host-swapped/test.conf10
-rw-r--r--testing/tests/ikev2/host2host-transport/evaltest.dat2
-rw-r--r--testing/tests/ikev2/host2host-transport/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-transport/pretest.dat4
-rw-r--r--testing/tests/ikev2/host2host-transport/test.conf10
-rw-r--r--testing/tests/ikev2/inactivity-timeout/evaltest.dat4
-rw-r--r--testing/tests/ikev2/inactivity-timeout/posttest.dat3
-rw-r--r--testing/tests/ikev2/inactivity-timeout/pretest.dat5
-rw-r--r--testing/tests/ikev2/inactivity-timeout/test.conf10
-rw-r--r--testing/tests/ikev2/ip-pool-db/evaltest.dat4
-rw-r--r--testing/tests/ikev2/ip-pool-db/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool-db/pretest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool-db/test.conf10
-rw-r--r--testing/tests/ikev2/ip-pool-wish/evaltest.dat4
-rw-r--r--testing/tests/ikev2/ip-pool-wish/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool-wish/pretest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool-wish/test.conf10
-rw-r--r--testing/tests/ikev2/ip-pool/evaltest.dat8
-rw-r--r--testing/tests/ikev2/ip-pool/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool/pretest.dat6
-rw-r--r--testing/tests/ikev2/ip-pool/test.conf10
-rw-r--r--testing/tests/ikev2/ip-split-pools-db/test.conf10
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables78
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables91
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules43
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables78
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/posttest.dat10
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/pretest.dat10
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/test.conf10
-rw-r--r--testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables78
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables91
-rw-r--r--testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules43
-rw-r--r--testing/tests/ikev2/ip-two-pools-mixed/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-two-pools-mixed/pretest.dat6
-rw-r--r--testing/tests/ikev2/ip-two-pools-mixed/test.conf10
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat2
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat1
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat1
-rw-r--r--testing/tests/ikev2/ip-two-pools-v4v6/test.conf10
-rw-r--r--testing/tests/ikev2/ip-two-pools/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables78
-rwxr-xr-xtesting/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables91
-rw-r--r--testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules43
-rw-r--r--testing/tests/ikev2/ip-two-pools/posttest.dat6
-rw-r--r--testing/tests/ikev2/ip-two-pools/pretest.dat6
-rw-r--r--testing/tests/ikev2/ip-two-pools/test.conf10
-rw-r--r--testing/tests/ikev2/mobike-nat/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables87
-rw-r--r--testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules38
-rwxr-xr-xtesting/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/mobike-nat/posttest.dat4
-rw-r--r--testing/tests/ikev2/mobike-nat/pretest.dat9
-rw-r--r--testing/tests/ikev2/mobike-nat/test.conf10
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables87
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules38
-rwxr-xr-xtesting/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/posttest.dat4
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/pretest.dat9
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/test.conf10
-rw-r--r--testing/tests/ikev2/mobike/evaltest.dat14
-rwxr-xr-xtesting/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables87
-rw-r--r--testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules38
-rwxr-xr-xtesting/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables90
-rw-r--r--testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/mobike/posttest.dat4
-rw-r--r--testing/tests/ikev2/mobike/pretest.dat9
-rw-r--r--testing/tests/ikev2/mobike/test.conf10
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat4
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat (renamed from testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat)1
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf123
-rwxr-xr-xtesting/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat5
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat13
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf14
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-init/test.conf10
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca-cr-resp/test.conf10
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables80
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules28
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/posttest.dat2
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/pretest.dat2
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/test.conf10
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/pretest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/test.conf10
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/test.conf10
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/test.conf10
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/pretest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/test.conf10
-rw-r--r--testing/tests/ikev2/multi-level-ca/pretest.dat1
-rw-r--r--testing/tests/ikev2/multi-level-ca/test.conf10
-rw-r--r--testing/tests/ikev2/nat-rw-mark/description.txt2
-rw-r--r--testing/tests/ikev2/nat-rw-mark/evaltest.dat20
-rw-r--r--testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules24
-rwxr-xr-xtesting/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown16
-rw-r--r--testing/tests/ikev2/nat-rw-mark/posttest.dat9
-rw-r--r--testing/tests/ikev2/nat-rw-mark/pretest.dat19
-rw-r--r--testing/tests/ikev2/nat-rw-mark/test.conf10
-rw-r--r--testing/tests/ikev2/nat-rw-psk/evaltest.dat8
-rw-r--r--testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/nat-rw-psk/posttest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw-psk/pretest.dat7
-rw-r--r--testing/tests/ikev2/nat-rw-psk/test.conf10
-rw-r--r--testing/tests/ikev2/nat-rw/evaltest.dat14
-rw-r--r--testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/ikev2/nat-rw/posttest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw/pretest.dat7
-rw-r--r--testing/tests/ikev2/nat-rw/test.conf10
-rw-r--r--testing/tests/ikev2/nat-virtual-ip/evaltest.dat2
-rw-r--r--testing/tests/ikev2/nat-virtual-ip/posttest.dat4
-rw-r--r--testing/tests/ikev2/nat-virtual-ip/pretest.dat5
-rw-r--r--testing/tests/ikev2/nat-virtual-ip/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-cert/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-cert/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-esn/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-esn/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-esn/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-pgp-v3/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-pgp-v3/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-pgp-v3/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-pgp-v3/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-pgp-v4/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-pgp-v4/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-pgp-v4/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-pgp-v4/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-psk-dscp/evaltest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk-dscp/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk-dscp/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk-dscp/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-psk-fail/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk-fail/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk-fail/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-psk/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets2
-rw-r--r--testing/tests/ikev2/net2net-psk/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-pubkey/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-pubkey/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-pubkey/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-pubkey/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/evaltest.dat6
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-route/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-route/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-route/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-route/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rsa/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-same-nets/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown24
-rw-r--r--testing/tests/ikev2/net2net-same-nets/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-same-nets/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-same-nets/test.conf10
-rw-r--r--testing/tests/ikev2/net2net-start/evaltest.dat2
-rw-r--r--testing/tests/ikev2/net2net-start/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-start/pretest.dat4
-rw-r--r--testing/tests/ikev2/net2net-start/test.conf10
-rwxr-xr-xtesting/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi8
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/test.conf10
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/pretest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/test.conf10
-rwxr-xr-xtesting/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi8
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/test.conf10
-rw-r--r--testing/tests/ikev2/ocsp-revoked/test.conf10
-rwxr-xr-xtesting/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi8
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/test.conf10
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/test.conf10
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat1
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/test.conf10
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi10
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/test.conf10
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/test.conf10
-rwxr-xr-xtesting/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi8
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/test.conf10
-rw-r--r--testing/tests/ikev2/protoport-dual/evaltest.dat4
-rw-r--r--testing/tests/ikev2/protoport-dual/posttest.dat4
-rw-r--r--testing/tests/ikev2/protoport-dual/pretest.dat4
-rw-r--r--testing/tests/ikev2/protoport-dual/test.conf10
-rw-r--r--testing/tests/ikev2/protoport-route/evaltest.dat4
-rw-r--r--testing/tests/ikev2/protoport-route/posttest.dat4
-rw-r--r--testing/tests/ikev2/protoport-route/pretest.dat4
-rw-r--r--testing/tests/ikev2/protoport-route/test.conf10
-rw-r--r--testing/tests/ikev2/reauth-early/evaltest.dat2
-rw-r--r--testing/tests/ikev2/reauth-early/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-early/pretest.dat4
-rw-r--r--testing/tests/ikev2/reauth-early/test.conf10
-rw-r--r--testing/tests/ikev2/reauth-late/evaltest.dat2
-rw-r--r--testing/tests/ikev2/reauth-late/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-late/pretest.dat4
-rw-r--r--testing/tests/ikev2/reauth-late/test.conf10
-rw-r--r--testing/tests/ikev2/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-cert/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-cert/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/description.txt9
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat26
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf33
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat7
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat13
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf120
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf120
-rwxr-xr-xtesting/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-md5/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf)2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf120
-rwxr-xr-xtesting/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/posttest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/pretest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf123
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat)1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf123
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat (renamed from testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat)1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf123
-rwxr-xr-xtesting/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/posttest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/pretest.dat16
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf120
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf10
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default (renamed from testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default)1
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf120
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/test.conf12
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-hash-and-url/test.conf10
-rw-r--r--testing/tests/ikev2/rw-mark-in-out/description.txt4
-rw-r--r--testing/tests/ikev2/rw-mark-in-out/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables77
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown16
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables77
-rw-r--r--testing/tests/ikev2/rw-mark-in-out/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-mark-in-out/pretest.dat15
-rw-r--r--testing/tests/ikev2/rw-mark-in-out/test.conf10
-rw-r--r--testing/tests/ikev2/rw-pkcs8/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-pkcs8/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-pkcs8/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-pkcs8/test.conf10
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/test.conf10
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/evaltest.dat12
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets2
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets2
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets4
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/test.conf10
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/test.conf10
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/test.conf10
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/test.conf10
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/evaltest.dat6
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf5
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default42
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users (renamed from testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf120
-rwxr-xr-xtesting/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables88
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules36
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/posttest.dat9
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/pretest.dat8
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/test.conf12
-rw-r--r--testing/tests/ikev2/rw-whitelist/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-whitelist/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-whitelist/pretest.dat6
-rw-r--r--testing/tests/ikev2/rw-whitelist/test.conf10
-rw-r--r--testing/tests/ikev2/shunt-policies/evaltest.dat20
-rwxr-xr-xtesting/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/ikev2/shunt-policies/posttest.dat4
-rw-r--r--testing/tests/ikev2/shunt-policies/pretest.dat4
-rw-r--r--testing/tests/ikev2/shunt-policies/test.conf10
-rw-r--r--testing/tests/ikev2/strong-keys-certs/evaltest.dat4
-rw-r--r--testing/tests/ikev2/strong-keys-certs/posttest.dat6
-rw-r--r--testing/tests/ikev2/strong-keys-certs/pretest.dat6
-rw-r--r--testing/tests/ikev2/strong-keys-certs/test.conf10
-rw-r--r--testing/tests/ikev2/two-certs/evaltest.dat4
-rw-r--r--testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf4
-rw-r--r--testing/tests/ikev2/two-certs/posttest.dat4
-rw-r--r--testing/tests/ikev2/two-certs/pretest.dat4
-rw-r--r--testing/tests/ikev2/two-certs/test.conf10
-rw-r--r--testing/tests/ikev2/virtual-ip-override/posttest.dat6
-rw-r--r--testing/tests/ikev2/virtual-ip-override/pretest.dat6
-rw-r--r--testing/tests/ikev2/virtual-ip-override/test.conf10
-rw-r--r--testing/tests/ikev2/virtual-ip/evaltest.dat12
-rw-r--r--testing/tests/ikev2/virtual-ip/posttest.dat6
-rw-r--r--testing/tests/ikev2/virtual-ip/pretest.dat6
-rw-r--r--testing/tests/ikev2/virtual-ip/test.conf10
-rw-r--r--testing/tests/ikev2/wildcards/pretest.dat1
-rw-r--r--testing/tests/ikev2/wildcards/test.conf10
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables108
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/host2host-ikev1/posttest.dat6
-rw-r--r--testing/tests/ipv6/host2host-ikev1/pretest.dat10
-rw-r--r--testing/tests/ipv6/host2host-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/host2host-ikev2/posttest.dat6
-rw-r--r--testing/tests/ipv6/host2host-ikev2/pretest.dat10
-rw-r--r--testing/tests/ipv6/host2host-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables108
-rwxr-xr-xtesting/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/net2net-ikev1/posttest.dat6
-rw-r--r--testing/tests/ipv6/net2net-ikev1/pretest.dat10
-rw-r--r--testing/tests/ipv6/net2net-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/net2net-ikev2/posttest.dat6
-rw-r--r--testing/tests/ipv6/net2net-ikev2/pretest.dat10
-rw-r--r--testing/tests/ipv6/net2net-ikev2/test.conf10
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat2
-rwxr-xr-xtesting/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables108
-rwxr-xr-xtesting/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat6
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat10
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf10
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat2
-rwxr-xr-xtesting/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat6
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat10
-rw-r--r--testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules20
-rwxr-xr-xtesting/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules20
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat10
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat14
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules20
-rwxr-xr-xtesting/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules20
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat10
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat14
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat6
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat10
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/rw-ikev1/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-ikev1/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/rw-ikev2/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-ikev2/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables96
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules20
-rwxr-xr-xtesting/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables96
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules20
-rwxr-xr-xtesting/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules20
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt10
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat15
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat7
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat11
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf21
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables96
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules20
-rwxr-xr-xtesting/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables96
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules20
-rwxr-xr-xtesting/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules20
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables100
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables100
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables100
-rw-r--r--testing/tests/ipv6/rw-psk-ikev1/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-psk-ikev1/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-psk-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables100
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables100
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables100
-rw-r--r--testing/tests/ipv6/rw-psk-ikev2/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-psk-ikev2/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-psk-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat9
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat14
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/test.conf10
-rwxr-xr-xtesting/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables108
-rwxr-xr-xtesting/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables108
-rw-r--r--testing/tests/ipv6/transport-ikev1/posttest.dat6
-rw-r--r--testing/tests/ipv6/transport-ikev1/pretest.dat10
-rw-r--r--testing/tests/ipv6/transport-ikev1/test.conf10
-rwxr-xr-xtesting/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables104
-rwxr-xr-xtesting/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables104
-rw-r--r--testing/tests/ipv6/transport-ikev2/posttest.dat6
-rw-r--r--testing/tests/ipv6/transport-ikev2/pretest.dat10
-rw-r--r--testing/tests/ipv6/transport-ikev2/test.conf10
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/pretest.dat4
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/test.conf10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/test.conf10
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/test.conf10
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-blowfish/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/pretest.dat4
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-high/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev2/alg-ecp-low/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/pretest.dat4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/pretest.dat6
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/test.conf10
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat4
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf10
-rw-r--r--testing/tests/p2pnat/behind-same-nat/evaltest.dat4
-rwxr-xr-xtesting/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables78
-rw-r--r--testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules28
-rwxr-xr-xtesting/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables77
-rw-r--r--testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules24
-rwxr-xr-xtesting/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables78
-rw-r--r--testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules28
-rw-r--r--testing/tests/p2pnat/behind-same-nat/posttest.dat8
-rw-r--r--testing/tests/p2pnat/behind-same-nat/pretest.dat12
-rw-r--r--testing/tests/p2pnat/behind-same-nat/test.conf10
-rw-r--r--testing/tests/p2pnat/medsrv-psk/evaltest.dat4
-rwxr-xr-xtesting/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables74
-rw-r--r--testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules24
-rw-r--r--testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules24
-rwxr-xr-xtesting/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables77
-rw-r--r--testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules24
-rw-r--r--testing/tests/p2pnat/medsrv-psk/posttest.dat10
-rw-r--r--testing/tests/p2pnat/medsrv-psk/pretest.dat14
-rw-r--r--testing/tests/p2pnat/medsrv-psk/test.conf10
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/evaltest.dat6
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/posttest.dat4
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/pretest.dat4
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/test.conf10
-rw-r--r--testing/tests/pfkey/alg-sha384/evaltest.dat6
-rw-r--r--testing/tests/pfkey/alg-sha384/posttest.dat4
-rw-r--r--testing/tests/pfkey/alg-sha384/pretest.dat4
-rw-r--r--testing/tests/pfkey/alg-sha384/test.conf10
-rw-r--r--testing/tests/pfkey/alg-sha512/evaltest.dat6
-rw-r--r--testing/tests/pfkey/alg-sha512/posttest.dat4
-rw-r--r--testing/tests/pfkey/alg-sha512/pretest.dat4
-rw-r--r--testing/tests/pfkey/alg-sha512/test.conf10
-rw-r--r--testing/tests/pfkey/esp-alg-null/evaltest.dat2
-rw-r--r--testing/tests/pfkey/esp-alg-null/posttest.dat4
-rw-r--r--testing/tests/pfkey/esp-alg-null/pretest.dat4
-rw-r--r--testing/tests/pfkey/esp-alg-null/test.conf10
-rw-r--r--testing/tests/pfkey/host2host-transport/evaltest.dat2
-rw-r--r--testing/tests/pfkey/host2host-transport/posttest.dat4
-rw-r--r--testing/tests/pfkey/host2host-transport/pretest.dat4
-rw-r--r--testing/tests/pfkey/host2host-transport/test.conf10
-rw-r--r--testing/tests/pfkey/nat-rw/evaltest.dat8
-rw-r--r--testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules24
-rw-r--r--testing/tests/pfkey/nat-rw/posttest.dat6
-rw-r--r--testing/tests/pfkey/nat-rw/pretest.dat7
-rw-r--r--testing/tests/pfkey/nat-rw/test.conf10
-rw-r--r--testing/tests/pfkey/net2net-route/evaltest.dat2
-rw-r--r--testing/tests/pfkey/net2net-route/posttest.dat4
-rw-r--r--testing/tests/pfkey/net2net-route/pretest.dat4
-rw-r--r--testing/tests/pfkey/net2net-route/test.conf10
-rw-r--r--testing/tests/pfkey/protoport-dual/evaltest.dat4
-rw-r--r--testing/tests/pfkey/protoport-dual/posttest.dat4
-rw-r--r--testing/tests/pfkey/protoport-dual/pretest.dat4
-rw-r--r--testing/tests/pfkey/protoport-dual/test.conf10
-rw-r--r--testing/tests/pfkey/protoport-route/evaltest.dat4
-rw-r--r--testing/tests/pfkey/protoport-route/posttest.dat4
-rw-r--r--testing/tests/pfkey/protoport-route/pretest.dat4
-rw-r--r--testing/tests/pfkey/protoport-route/test.conf10
-rw-r--r--testing/tests/pfkey/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/pfkey/rw-cert/posttest.dat6
-rw-r--r--testing/tests/pfkey/rw-cert/pretest.dat6
-rw-r--r--testing/tests/pfkey/rw-cert/test.conf10
-rw-r--r--testing/tests/pfkey/shunt-policies/evaltest.dat20
-rwxr-xr-xtesting/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/pfkey/shunt-policies/posttest.dat4
-rw-r--r--testing/tests/pfkey/shunt-policies/pretest.dat4
-rw-r--r--testing/tests/pfkey/shunt-policies/test.conf10
-rw-r--r--testing/tests/sql/ip-pool-db-expired/evaltest.dat4
-rw-r--r--testing/tests/sql/ip-pool-db-expired/posttest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db-expired/pretest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db-expired/test.conf10
-rw-r--r--testing/tests/sql/ip-pool-db-restart/evaltest.dat4
-rw-r--r--testing/tests/sql/ip-pool-db-restart/posttest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db-restart/pretest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db-restart/test.conf10
-rw-r--r--testing/tests/sql/ip-pool-db/evaltest.dat4
-rw-r--r--testing/tests/sql/ip-pool-db/posttest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db/pretest.dat6
-rw-r--r--testing/tests/sql/ip-pool-db/test.conf10
-rw-r--r--testing/tests/sql/ip-split-pools-db-restart/test.conf10
-rw-r--r--testing/tests/sql/ip-split-pools-db/test.conf10
-rw-r--r--testing/tests/sql/multi-level-ca/evaltest.dat4
-rw-r--r--testing/tests/sql/multi-level-ca/posttest.dat6
-rw-r--r--testing/tests/sql/multi-level-ca/pretest.dat6
-rw-r--r--testing/tests/sql/multi-level-ca/test.conf10
-rw-r--r--testing/tests/sql/net2net-cert/evaltest.dat2
-rw-r--r--testing/tests/sql/net2net-cert/posttest.dat4
-rw-r--r--testing/tests/sql/net2net-cert/pretest.dat4
-rw-r--r--testing/tests/sql/net2net-cert/test.conf10
-rw-r--r--testing/tests/sql/net2net-psk/evaltest.dat2
-rw-r--r--testing/tests/sql/net2net-psk/posttest.dat4
-rw-r--r--testing/tests/sql/net2net-psk/pretest.dat4
-rw-r--r--testing/tests/sql/net2net-psk/test.conf10
-rw-r--r--testing/tests/sql/net2net-route-pem/evaltest.dat4
-rw-r--r--testing/tests/sql/net2net-route-pem/posttest.dat4
-rw-r--r--testing/tests/sql/net2net-route-pem/pretest.dat4
-rw-r--r--testing/tests/sql/net2net-route-pem/test.conf10
-rw-r--r--testing/tests/sql/net2net-start-pem/evaltest.dat4
-rw-r--r--testing/tests/sql/net2net-start-pem/posttest.dat4
-rw-r--r--testing/tests/sql/net2net-start-pem/pretest.dat4
-rw-r--r--testing/tests/sql/net2net-start-pem/test.conf10
-rw-r--r--testing/tests/sql/rw-cert/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-cert/posttest.dat6
-rw-r--r--testing/tests/sql/rw-cert/pretest.dat6
-rw-r--r--testing/tests/sql/rw-cert/test.conf10
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/posttest.dat4
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/pretest.dat4
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/test.conf10
-rw-r--r--testing/tests/sql/rw-psk-ipv4/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-psk-ipv4/posttest.dat6
-rw-r--r--testing/tests/sql/rw-psk-ipv4/pretest.dat6
-rw-r--r--testing/tests/sql/rw-psk-ipv4/test.conf10
-rwxr-xr-xtesting/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables107
-rw-r--r--testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules16
-rwxr-xr-xtesting/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables107
-rw-r--r--testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules16
-rwxr-xr-xtesting/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables107
-rw-r--r--testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules16
-rw-r--r--testing/tests/sql/rw-psk-ipv6/posttest.dat9
-rw-r--r--testing/tests/sql/rw-psk-ipv6/pretest.dat9
-rw-r--r--testing/tests/sql/rw-psk-ipv6/test.conf10
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/posttest.dat6
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/pretest.dat6
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/test.conf10
-rw-r--r--testing/tests/sql/rw-rsa-keyid/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-rsa-keyid/posttest.dat6
-rw-r--r--testing/tests/sql/rw-rsa-keyid/pretest.dat6
-rw-r--r--testing/tests/sql/rw-rsa-keyid/test.conf10
-rw-r--r--testing/tests/sql/rw-rsa/evaltest.dat4
-rw-r--r--testing/tests/sql/rw-rsa/posttest.dat6
-rw-r--r--testing/tests/sql/rw-rsa/pretest.dat6
-rw-r--r--testing/tests/sql/rw-rsa/test.conf10
-rw-r--r--testing/tests/sql/shunt-policies/evaltest.dat20
-rwxr-xr-xtesting/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/sql/shunt-policies/posttest.dat4
-rw-r--r--testing/tests/sql/shunt-policies/pretest.dat4
-rw-r--r--testing/tests/sql/shunt-policies/test.conf10
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-11-fhh/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default43
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users (renamed from testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary2
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc5
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default44
-rwxr-xr-xtesting/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/posttest.dat8
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/pretest.dat10
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-11-radius/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default43
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second)6
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users (renamed from testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users)0
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary2
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc5
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default44
-rwxr-xr-xtesting/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/tnc/tnccs-11-radius/posttest.dat8
-rw-r--r--testing/tests/tnc/tnccs-11-radius/pretest.dat10
-rw-r--r--testing/tests/tnc/tnccs-11-radius/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-11/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-11/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-11/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-11/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20-block/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-block/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-block/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-block/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-client-retry/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-fhh/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20-os/description.txt23
-rw-r--r--testing/tests/tnc/tnccs-20-os/evaltest.dat19
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf19
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf24
-rw-r--r--testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-os/posttest.dat7
-rw-r--r--testing/tests/tnc/tnccs-20-os/pretest.dat14
-rw-r--r--testing/tests/tnc/tnccs-20-os/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/evaltest.dat12
-rwxr-xr-xtesting/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables84
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules32
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-pdp/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-server-retry/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20-tls/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-tls/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-tls/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-tls/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-20/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf2
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf2
-rw-r--r--testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/tnc/tnccs-20/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20/test.conf12
-rw-r--r--testing/tests/tnc/tnccs-dynamic/evaltest.dat12
-rw-r--r--testing/tests/tnc/tnccs-dynamic/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-dynamic/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-dynamic/test.conf12
-rwxr-xr-xylwrap34
2280 files changed, 59677 insertions, 52617 deletions
diff --git a/Android.common.mk b/Android.common.mk
index ed12758cb..9824242d7 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -15,5 +15,5 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \
)
# strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.0.1"
+strongswan_VERSION := "5.0.2"
diff --git a/Android.mk b/Android.mk
index 663b363cf..0b8da5b8d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -22,7 +22,7 @@ strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
ifneq ($(strongswan_BUILD_SCEPCLIENT),)
# plugins loaded by scepclient
-strongswan_SCEPCLIENT_PLUGINS := openssl curl fips-prf random pkcs1 pem
+strongswan_SCEPCLIENT_PLUGINS := openssl curl fips-prf random pkcs1 pkcs7 pem
endif
strongswan_STARTER_PLUGINS := kernel-netlink
@@ -67,6 +67,7 @@ strongswan_CFLAGS := \
-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
-DHAVE_IPSEC_MODE_BEET \
-DHAVE_IPSEC_DIR_FWD \
+ -DOPENSSL_NO_CMS \
-DOPENSSL_NO_EC \
-DOPENSSL_NO_ECDSA \
-DOPENSSL_NO_ECDH \
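Review bot: The added `-DOPENSSL_NO_CMS` define has no comment explaining why CMS support is compiled out of the Android build or what that costs. Going by the NEWS entry in this same commit, the openssl plugin's PKCS#7 implementation is the one that can handle BER-encoded containers, so with this flag scepclient presumably relies on the `pkcs7` plugin added to `strongswan_SCEPCLIENT_PLUGINS` in the previous hunk, which uses the DER-only parser. That coupling should be documented so one change is not later reverted without the other. Because a comment cannot sit inside the backslash-continued list, I would put it above the `strongswan_CFLAGS :=` assignment, for example `# CMS is disabled in the Android OpenSSL build (confirm); PKCS#7 is parsed by the pkcs7 plugin, DER only`. The `strongswan_CFLAGS` list starts before and continues after this hunk, so the rest of the flags are not visible here.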
diff --git a/Makefile.in b/Makefile.in
index 497abc834..2b952cc52 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -90,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(config_includedir)"
HEADERS = $(nodist_config_include_HEADERS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
@@ -104,9 +110,11 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
- { test ! -d "$(distdir)" \
- || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
- && rm -fr "$(distdir)"; }; }
+ if test -d "$(distdir)"; then \
+ find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
+ && rm -rf "$(distdir)" \
+ || { sleep 5 && rm -rf "$(distdir)"; }; \
+ else :; fi
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@@ -135,6 +143,8 @@ am__relativize = \
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
distuninstallcheck_listfiles = find . -type f -print
+am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
+ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
distcleancheck_listfiles = find . -type f -print
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
@@ -155,6 +165,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -182,6 +193,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -209,6 +221,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -221,6 +234,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -274,7 +288,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -333,7 +346,7 @@ all: $(BUILT_SOURCES) config.h
$(MAKE) $(AM_MAKEFLAGS) all-recursive
.SUFFIXES:
-am--refresh:
+am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
@@ -369,10 +382,8 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__aclocal_m4_deps):
config.h: stamp-h1
- @if test ! -f $@; then \
- rm -f stamp-h1; \
- $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
- else :; fi
+ @if test ! -f $@; then rm -f stamp-h1; else :; fi
+ @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h1; else :; fi
stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
@rm -f stamp-h1
@@ -412,9 +423,7 @@ uninstall-nodist_config_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nodist_config_include_HEADERS)'; test -n "$(config_includedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(config_includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(config_includedir)" && rm -f $$files
+ dir='$(DESTDIR)$(config_includedir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
@@ -623,7 +632,11 @@ dist-gzip: distdir
$(am__remove_distdir)
dist-bzip2: distdir
- tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
+ tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
+ $(am__remove_distdir)
+
+dist-lzip: distdir
+ tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__remove_distdir)
dist-lzma: distdir
@@ -631,7 +644,7 @@ dist-lzma: distdir
$(am__remove_distdir)
dist-xz: distdir
- tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
+ tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__remove_distdir)
dist-tarZ: distdir
@@ -662,6 +675,8 @@ distcheck: dist
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
+ *.tar.lz*) \
+ lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
@@ -681,6 +696,7 @@ distcheck: dist
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
+ $(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
@@ -709,8 +725,16 @@ distcheck: dist
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
- @$(am__cd) '$(distuninstallcheck_dir)' \
- && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
+ @test -n '$(distuninstallcheck_dir)' || { \
+ echo 'ERROR: trying to run $@ with an empty' \
+ '$$(distuninstallcheck_dir)' >&2; \
+ exit 1; \
+ }; \
+ $(am__cd) '$(distuninstallcheck_dir)' || { \
+ echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
+ exit 1; \
+ }; \
+ test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
@@ -746,10 +770,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
@@ -841,14 +870,14 @@ uninstall-am: uninstall-nodist_config_includeHEADERS
.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool clean-local ctags ctags-recursive dist dist-all \
- dist-bzip2 dist-gzip dist-lzma dist-shar dist-tarZ dist-xz \
- dist-zip distcheck distclean distclean-generic distclean-hdr \
- distclean-libtool distclean-tags distcleancheck distdir \
- distuninstallcheck dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-html \
- install-html-am install-info install-info-am install-man \
- install-nodist_config_includeHEADERS install-pdf \
+ dist-bzip2 dist-gzip dist-lzip dist-lzma dist-shar dist-tarZ \
+ dist-xz dist-zip distcheck distclean distclean-generic \
+ distclean-hdr distclean-libtool distclean-tags distcleancheck \
+ distdir distuninstallcheck dvi dvi-am html html-am info \
+ info-am install install-am install-data install-data-am \
+ install-dvi install-dvi-am install-exec install-exec-am \
+ install-html install-html-am install-info install-info-am \
+ install-man install-nodist_config_includeHEADERS install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
diff --git a/NEWS b/NEWS
index e207dd6c6..95f7e1c60 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,54 @@
+strongswan-5.0.2
+----------------
+
+- Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
+ pair using them to transfer operating system information.
+
+- The new "ipsec listcounters" command prints a list of global counter values
+ about received and sent IKE messages and rekeyings.
+
+- A new lookip plugin can perform fast lookup of tunnel information using a
+ clients virtual IP and can send notifications about established or deleted
+ tunnels. The "ipsec lookip" command can be used to query such information
+ or receive notifications.
+
+- The new error-notify plugin catches some common error conditions and allows
+ an external application to receive notifications for them over a UNIX socket.
+
+- IKE proposals can now use a PRF algorithm different to that defined for
+ integrity protection. If an algorithm with a "prf" prefix is defined
+ explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
+ the integrity algorithm is added to the proposal.
+
+- The pkcs11 plugin can now load leftcert certificates from a smartcard for a
+ specific ipsec.conf conn section and cacert CA certificates for a specific ca
+ section.
+
+- The load-tester plugin gained additional options for certificate generation
+ and can load keys and multiple CA certificates from external files. It can
+ install a dedicated outer IP address for each tunnel and tunnel initiation
+ batches can be triggered and monitored externally using the
+ "ipsec load-tester" tool.
+
+- PKCS#7 container parsing has been modularized, and the openssl plugin
+ gained an alternative implementation to decrypt and verify such files.
+ In contrast to our own DER parser, OpenSSL can handle BER files, which is
+ required for interoperability of our scepclient with EJBCA.
+
+- Support for the proprietary IKEv1 fragmentation extension has been added.
+ Fragments are always handled on receipt but only sent if supported by the peer
+ and if enabled with the new fragmentation ipsec.conf option.
+
+- IKEv1 in charon can now parse certificates received in PKCS#7 containers and
+ supports NAT traversal as used by Windows clients. Patches courtesy of
+ Volker Rümelin.
+
+- The new rdrand plugin provides a high quality / high performance random
+ source using the Intel rdrand instruction found on Ivy Bridge processors.
+
+- The integration test environment was updated and now uses KVM and reproducible
+ guest images based on Debian.
+
strongswan-5.0.1
----------------
diff --git a/TODO b/TODO
index 458384a8d..186d4d02b 100644
--- a/TODO
+++ b/TODO
@@ -2,31 +2,7 @@
strongSwan - TODO
----------------------
-This is a TODO list we should keep in mind. A roadmap of the strongSwan
-project is available online at:
+A roadmap of the strongSwan project is available online at:
http://wiki.strongswan.org/projects/strongswan/roadmap
-Certificate support
--------------------
-- synchronized CRL fetcher
-- Smartcard interface
-- Attribute certificates
-
-Stroke interface
-----------------
-- add a Rekey-Counter for SAs in "statusall"
-- ipsec statusall bytecount
-
-Misc
-----
-- Address pool/backend for virtual IP assignement
-
-libstrongswan stuff
--------------------
-- Header installation support (#include <strongswan/strongswan.h>?)
-- object style for leak detective, include an API
-- Cleanup/Refactor PEM/ASN1 stuff
-- replace file reads through chunk_read
-- rewrite lexparser in object-oriented style
-
diff --git a/aclocal.m4 b/aclocal.m4
index 9d68d0d80..b27ee7bab 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,7 +1,8 @@
-# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.11.3 -*- Autoconf -*-
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
+# 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
+# Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -13,8 +14,8 @@
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
-[m4_warning([this file was generated for autoconf 2.67.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],,
+[m4_warning([this file was generated for autoconf 2.68.
You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -272,7 +273,8 @@ sixtyfour bits
# ----------------------------------
AC_DEFUN([PKG_PROG_PKG_CONFIG],
[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
-m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
+m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
+m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
@@ -318,7 +320,8 @@ m4_define([_PKG_CONFIG],
pkg_cv_[]$1="$$1"
elif test -n "$PKG_CONFIG"; then
PKG_CHECK_EXISTS([$3],
- [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+ [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes ],
[pkg_failed=yes])
else
pkg_failed=untried
@@ -366,9 +369,9 @@ if test $pkg_failed = yes; then
AC_MSG_RESULT([no])
_PKG_SHORT_ERRORS_SUPPORTED
if test $_pkg_short_errors_supported = yes; then
- $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1`
+ $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
else
- $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1`
+ $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
@@ -381,7 +384,7 @@ $$1_PKG_ERRORS
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
-_PKG_TEXT])dnl
+_PKG_TEXT])[]dnl
])
elif test $pkg_failed = untried; then
AC_MSG_RESULT([no])
@@ -392,7 +395,7 @@ path to pkg-config.
_PKG_TEXT
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])dnl
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
])
else
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
@@ -402,12 +405,15 @@ else
fi[]dnl
])# PKG_CHECK_MODULES
-# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008, 2011 Free Software
+# Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
+# serial 1
+
# AM_AUTOMAKE_VERSION(VERSION)
# ----------------------------
# Automake X.Y traces this macro to ensure aclocal.m4 has been
@@ -417,7 +423,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.11'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
-m4_if([$1], [1.11.1], [],
+m4_if([$1], [1.11.3], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@@ -433,19 +439,21 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.11.1])dnl
+[AM_AUTOMAKE_VERSION([1.11.3])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# AM_AUX_DIR_EXPAND -*- Autoconf -*-
-# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
+# serial 1
+
# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to
# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
@@ -527,14 +535,14 @@ AC_CONFIG_COMMANDS_PRE(
Usually this means the macro was only invoked conditionally.]])
fi])])
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
-# Free Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009,
+# 2010, 2011 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 10
+# serial 12
# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
# written in clear, in which case automake, when reading aclocal.m4,
@@ -574,6 +582,7 @@ AC_CACHE_CHECK([dependency style of $depcc],
# instance it was reported that on HP-UX the gcc test will end up
# making a dummy file named `D' -- because `-MD' means `put the output
# in D'.
+ rm -rf conftest.dir
mkdir conftest.dir
# Copy depcomp to subdir because otherwise we won't find it if we're
# using a relative directory.
@@ -638,7 +647,7 @@ AC_CACHE_CHECK([dependency style of $depcc],
break
fi
;;
- msvisualcpp | msvcmsys)
+ msvc7 | msvc7msys | msvisualcpp | msvcmsys)
# This compiler won't grok `-c -o', but also, the minuso test has
# not run yet. These depmodes are late enough in the game, and
# so weak that their functioning should not be impacted.
@@ -703,10 +712,13 @@ AC_DEFUN([AM_DEP_TRACK],
if test "x$enable_dependency_tracking" != xno; then
am_depcomp="$ac_aux_dir/depcomp"
AMDEPBACKSLASH='\'
+ am__nodep='_no'
fi
AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
AC_SUBST([AMDEPBACKSLASH])dnl
_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
+AC_SUBST([am__nodep])dnl
+_AM_SUBST_NOTMAKE([am__nodep])dnl
])
# Generate code to set up dependency tracking. -*- Autoconf -*-
@@ -928,12 +940,15 @@ for _am_header in $config_headers :; do
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
-# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2008, 2011 Free Software Foundation,
+# Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
+# serial 1
+
# AM_PROG_INSTALL_SH
# ------------------
# Define $install_sh.
@@ -1065,12 +1080,15 @@ else
fi
])
-# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# Copyright (C) 2003, 2004, 2005, 2006, 2011 Free Software Foundation,
+# Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
+# serial 1
+
# AM_PROG_MKDIR_P
# ---------------
# Check for `mkdir -p'.
@@ -1093,13 +1111,14 @@ esac
# Helper functions for option handling. -*- Autoconf -*-
-# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc.
+# Copyright (C) 2001, 2002, 2003, 2005, 2008, 2010 Free Software
+# Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 4
+# serial 5
# _AM_MANGLE_OPTION(NAME)
# -----------------------
@@ -1107,13 +1126,13 @@ AC_DEFUN([_AM_MANGLE_OPTION],
[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
# _AM_SET_OPTION(NAME)
-# ------------------------------
+# --------------------
# Set option NAME. Presently that only means defining a flag for this option.
AC_DEFUN([_AM_SET_OPTION],
[m4_define(_AM_MANGLE_OPTION([$1]), 1)])
# _AM_SET_OPTIONS(OPTIONS)
-# ----------------------------------
+# ------------------------
# OPTIONS is a space-separated list of Automake options.
AC_DEFUN([_AM_SET_OPTIONS],
[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
@@ -1124,12 +1143,14 @@ AC_DEFUN([_AM_SET_OPTIONS],
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
-# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
+# serial 1
+
# AM_RUN_LOG(COMMAND)
# -------------------
# Run COMMAND, save the exit status in ac_status, and log it.
@@ -1206,12 +1227,14 @@ Check your system clock])
fi
AC_MSG_RESULT(yes)])
-# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
+# serial 1
+
# AM_PROG_INSTALL_STRIP
# ---------------------
# One issue with vendor `install' (even GNU) is that you can't
@@ -1234,13 +1257,13 @@ fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])
-# Copyright (C) 2006, 2008 Free Software Foundation, Inc.
+# Copyright (C) 2006, 2008, 2010 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 2
+# serial 3
# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
@@ -1249,13 +1272,13 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])])
AC_DEFUN([_AM_SUBST_NOTMAKE])
# AM_SUBST_NOTMAKE(VARIABLE)
-# ---------------------------
+# --------------------------
# Public sister of _AM_SUBST_NOTMAKE.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# Check how to create a tarball. -*- Autoconf -*-
-# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
+# Copyright (C) 2004, 2005, 2012 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1277,10 +1300,11 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# a tarball read from stdin.
# $(am__untar) < result.tar
AC_DEFUN([_AM_PROG_TAR],
-[# Always define AMTAR for backward compatibility.
-AM_MISSING_PROG([AMTAR], [tar])
+[# Always define AMTAR for backward compatibility. Yes, it's still used
+# in the wild :-( We should find a proper way to deprecate it ...
+AC_SUBST([AMTAR], ['$${TAR-tar}'])
m4_if([$1], [v7],
- [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
+ [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'],
[m4_case([$1], [ustar],, [pax],,
[m4_fatal([Unknown tar format])])
AC_MSG_CHECKING([how to create a $1 tar archive])
diff --git a/config.guess b/config.guess
index c2246a4f7..d622a44e5 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
-# Free Software Foundation, Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+# 2011, 2012 Free Software Foundation, Inc.
-timestamp='2009-12-30'
+timestamp='2012-02-10'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ timestamp='2009-12-30'
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@@ -57,8 +55,8 @@ GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
-Software Foundation, Inc.
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:NetBSD:*:*)
# NetBSD (nbsd) targets should (where applicable) match one or
- # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+ # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
# switched to ELF, *-*-netbsd* would select the old
# object file format. This provides both forward
@@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
fi
;;
*)
- os=netbsd
+ os=netbsd
;;
esac
# The OS release
@@ -224,7 +222,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
;;
*5.*)
- UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
;;
esac
# According to Compaq, /usr/sbin/psrinfo has been available on
@@ -270,7 +268,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- exit ;;
+ # Reset EXIT trap before exiting to avoid spurious non-zero exit code.
+ exitcode=$?
+ trap '' 0
+ exit $exitcode ;;
Alpha\ *:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# Should we change UNAME_MACHINE based on the output of uname instead
@@ -296,7 +297,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
echo s390-ibm-zvmoe
exit ;;
*:OS400:*:*)
- echo powerpc-ibm-os400
+ echo powerpc-ibm-os400
exit ;;
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
@@ -395,23 +396,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# MiNT. But MiNT is downward compatible to TOS, so this should
# be no problem.
atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
+ echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
- exit ;;
+ exit ;;
*falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
+ echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
- echo m68k-milan-mint${UNAME_RELEASE}
- exit ;;
+ echo m68k-milan-mint${UNAME_RELEASE}
+ exit ;;
hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
- echo m68k-hades-mint${UNAME_RELEASE}
- exit ;;
+ echo m68k-hades-mint${UNAME_RELEASE}
+ exit ;;
*:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
- echo m68k-unknown-mint${UNAME_RELEASE}
- exit ;;
+ echo m68k-unknown-mint${UNAME_RELEASE}
+ exit ;;
m68k:machten:*:*)
echo m68k-apple-machten${UNAME_RELEASE}
exit ;;
@@ -481,8 +482,8 @@ EOF
echo m88k-motorola-sysv3
exit ;;
AViiON:dgux:*:*)
- # DG/UX returns AViiON for all architectures
- UNAME_PROCESSOR=`/usr/bin/uname -p`
+ # DG/UX returns AViiON for all architectures
+ UNAME_PROCESSOR=`/usr/bin/uname -p`
if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
then
if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@@ -495,7 +496,7 @@ EOF
else
echo i586-dg-dgux${UNAME_RELEASE}
fi
- exit ;;
+ exit ;;
M88*:DolphinOS:*:*) # DolphinOS (SVR3)
echo m88k-dolphin-sysv3
exit ;;
@@ -552,7 +553,7 @@ EOF
echo rs6000-ibm-aix3.2
fi
exit ;;
- *:AIX:*:[456])
+ *:AIX:*:[4567])
IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
IBM_ARCH=rs6000
@@ -595,52 +596,52 @@ EOF
9000/[678][0-9][0-9])
if [ -x /usr/bin/getconf ]; then
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
- sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
- case "${sc_cpu_version}" in
- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
- 532) # CPU_PA_RISC2_0
- case "${sc_kernel_bits}" in
- 32) HP_ARCH="hppa2.0n" ;;
- 64) HP_ARCH="hppa2.0w" ;;
+ sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+ case "${sc_cpu_version}" in
+ 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+ 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+ 532) # CPU_PA_RISC2_0
+ case "${sc_kernel_bits}" in
+ 32) HP_ARCH="hppa2.0n" ;;
+ 64) HP_ARCH="hppa2.0w" ;;
'') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
- esac ;;
- esac
+ esac ;;
+ esac
fi
if [ "${HP_ARCH}" = "" ]; then
eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
+ sed 's/^ //' << EOF >$dummy.c
- #define _HPUX_SOURCE
- #include <stdlib.h>
- #include <unistd.h>
+ #define _HPUX_SOURCE
+ #include <stdlib.h>
+ #include <unistd.h>
- int main ()
- {
- #if defined(_SC_KERNEL_BITS)
- long bits = sysconf(_SC_KERNEL_BITS);
- #endif
- long cpu = sysconf (_SC_CPU_VERSION);
+ int main ()
+ {
+ #if defined(_SC_KERNEL_BITS)
+ long bits = sysconf(_SC_KERNEL_BITS);
+ #endif
+ long cpu = sysconf (_SC_CPU_VERSION);
- switch (cpu)
- {
- case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
- case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
- case CPU_PA_RISC2_0:
- #if defined(_SC_KERNEL_BITS)
- switch (bits)
- {
- case 64: puts ("hppa2.0w"); break;
- case 32: puts ("hppa2.0n"); break;
- default: puts ("hppa2.0"); break;
- } break;
- #else /* !defined(_SC_KERNEL_BITS) */
- puts ("hppa2.0"); break;
- #endif
- default: puts ("hppa1.0"); break;
- }
- exit (0);
- }
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+ case CPU_PA_RISC2_0:
+ #if defined(_SC_KERNEL_BITS)
+ switch (bits)
+ {
+ case 64: puts ("hppa2.0w"); break;
+ case 32: puts ("hppa2.0n"); break;
+ default: puts ("hppa2.0"); break;
+ } break;
+ #else /* !defined(_SC_KERNEL_BITS) */
+ puts ("hppa2.0"); break;
+ #endif
+ default: puts ("hppa1.0"); break;
+ }
+ exit (0);
+ }
EOF
(CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
@@ -731,22 +732,22 @@ EOF
exit ;;
C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
echo c1-convex-bsd
- exit ;;
+ exit ;;
C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
- exit ;;
+ exit ;;
C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
echo c34-convex-bsd
- exit ;;
+ exit ;;
C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
echo c38-convex-bsd
- exit ;;
+ exit ;;
C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
echo c4-convex-bsd
- exit ;;
+ exit ;;
CRAY*Y-MP:*:*:*)
echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
@@ -770,14 +771,14 @@ EOF
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
- echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
- exit ;;
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+ echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit ;;
5000:UNIX_System_V:4.*:*)
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
- echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+ echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@@ -789,13 +790,12 @@ EOF
echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
exit ;;
*:FreeBSD:*:*)
- case ${UNAME_MACHINE} in
- pc98)
- echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+ UNAME_PROCESSOR=`/usr/bin/uname -p`
+ case ${UNAME_PROCESSOR} in
amd64)
echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
*)
- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+ echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
esac
exit ;;
i*:CYGWIN*:*)
@@ -804,15 +804,18 @@ EOF
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
+ i*:MSYS*:*)
+ echo ${UNAME_MACHINE}-pc-msys
+ exit ;;
i*:windows32*:*)
- # uname -m includes "-pc" on this system.
- echo ${UNAME_MACHINE}-mingw32
+ # uname -m includes "-pc" on this system.
+ echo ${UNAME_MACHINE}-mingw32
exit ;;
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
exit ;;
*:Interix*:*)
- case ${UNAME_MACHINE} in
+ case ${UNAME_MACHINE} in
x86)
echo i586-pc-interix${UNAME_RELEASE}
exit ;;
@@ -858,6 +861,13 @@ EOF
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
+ aarch64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ aarch64_be:Linux:*:*)
+ UNAME_MACHINE=aarch64_be
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
@@ -867,7 +877,7 @@ EOF
EV6) UNAME_MACHINE=alphaev6 ;;
EV67) UNAME_MACHINE=alphaev67 ;;
EV68*) UNAME_MACHINE=alphaev68 ;;
- esac
+ esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@@ -879,20 +889,29 @@ EOF
then
echo ${UNAME_MACHINE}-unknown-linux-gnu
else
- echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+ if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
+ | grep -q __ARM_PCS_VFP
+ then
+ echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+ else
+ echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
+ fi
fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
cris:Linux:*:*)
- echo cris-axis-linux-gnu
+ echo ${UNAME_MACHINE}-axis-linux-gnu
exit ;;
crisv32:Linux:*:*)
- echo crisv32-axis-linux-gnu
+ echo ${UNAME_MACHINE}-axis-linux-gnu
exit ;;
frv:Linux:*:*)
- echo frv-unknown-linux-gnu
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ hexagon:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
i*86:Linux:*:*)
LIBC=gnu
@@ -934,7 +953,7 @@ EOF
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
;;
or32:Linux:*:*)
- echo or32-unknown-linux-gnu
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-gnu
@@ -960,7 +979,7 @@ EOF
echo ${UNAME_MACHINE}-ibm-linux
exit ;;
sh64*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -968,14 +987,17 @@ EOF
sparc:Linux:*:* | sparc64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
+ tile*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
vax:Linux:*:*)
echo ${UNAME_MACHINE}-dec-linux-gnu
exit ;;
x86_64:Linux:*:*)
- echo x86_64-unknown-linux-gnu
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
xtensa*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -984,11 +1006,11 @@ EOF
echo i386-sequent-sysv4
exit ;;
i*86:UNIX_SV:4.2MP:2.*)
- # Unixware is an offshoot of SVR4, but it has its own version
- # number series starting with 2...
- # I am not positive that other SVR4 systems won't match this,
+ # Unixware is an offshoot of SVR4, but it has its own version
+ # number series starting with 2...
+ # I am not positive that other SVR4 systems won't match this,
# I just have to hope. -- rms.
- # Use sysv4.2uw... so that sysv4* matches it.
+ # Use sysv4.2uw... so that sysv4* matches it.
echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
exit ;;
i*86:OS/2:*:*)
@@ -1020,7 +1042,7 @@ EOF
fi
exit ;;
i*86:*:5:[678]*)
- # UnixWare 7.x, OpenUNIX and OpenServer 6.
+ # UnixWare 7.x, OpenUNIX and OpenServer 6.
case `/bin/uname -X | grep "^Machine"` in
*486*) UNAME_MACHINE=i486 ;;
*Pentium) UNAME_MACHINE=i586 ;;
@@ -1048,13 +1070,13 @@ EOF
exit ;;
pc:*:*:*)
# Left here for compatibility:
- # uname -m prints for DJGPP always 'pc', but it prints nothing about
- # the processor, so we play safe by assuming i586.
+ # uname -m prints for DJGPP always 'pc', but it prints nothing about
+ # the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
# prints for the "djgpp" host, or else GDB configury will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
- exit ;;
+ exit ;;
Intel:Mach:3*:*)
echo i386-pc-mach3
exit ;;
@@ -1089,8 +1111,8 @@ EOF
/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
&& { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && { echo i486-ncr-sysv4; exit; } ;;
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && { echo i486-ncr-sysv4; exit; } ;;
NCR*:*:4.2:* | MPRAS*:*:4.2:*)
OS_REL='.3'
test -r /etc/.relid \
@@ -1133,10 +1155,10 @@ EOF
echo ns32k-sni-sysv
fi
exit ;;
- PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
- # says <Richard.M.Bartel@ccMail.Census.GOV>
- echo i586-unisys-sysv4
- exit ;;
+ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+ # says <Richard.M.Bartel@ccMail.Census.GOV>
+ echo i586-unisys-sysv4
+ exit ;;
*:UNIX_System_V:4*:FTX*)
# From Gerald Hewes <hewes@openmarket.com>.
# How about differentiating between stratus architectures? -djm
@@ -1162,11 +1184,11 @@ EOF
exit ;;
R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
if [ -d /usr/nec ]; then
- echo mips-nec-sysv${UNAME_RELEASE}
+ echo mips-nec-sysv${UNAME_RELEASE}
else
- echo mips-unknown-sysv${UNAME_RELEASE}
+ echo mips-unknown-sysv${UNAME_RELEASE}
fi
- exit ;;
+ exit ;;
BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
echo powerpc-be-beos
exit ;;
@@ -1231,6 +1253,9 @@ EOF
*:QNX:*:4*)
echo i386-pc-qnx
exit ;;
+ NEO-?:NONSTOP_KERNEL:*:*)
+ echo neo-tandem-nsk${UNAME_RELEASE}
+ exit ;;
NSE-?:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE}
exit ;;
@@ -1276,13 +1301,13 @@ EOF
echo pdp10-unknown-its
exit ;;
SEI:*:*:SEIUX)
- echo mips-sei-seiux${UNAME_RELEASE}
+ echo mips-sei-seiux${UNAME_RELEASE}
exit ;;
*:DragonFly:*:*)
echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
exit ;;
*:*VMS:*:*)
- UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
case "${UNAME_MACHINE}" in
A*) echo alpha-dec-vms ; exit ;;
I*) echo ia64-dec-vms ; exit ;;
@@ -1300,6 +1325,9 @@ EOF
i*86:AROS:*:*)
echo ${UNAME_MACHINE}-pc-aros
exit ;;
+ x86_64:VMkernel:*:*)
+ echo ${UNAME_MACHINE}-unknown-esx
+ exit ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1322,11 +1350,11 @@ main ()
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
- "4"
+ "4"
#else
- ""
+ ""
#endif
- ); exit (0);
+ ); exit (0);
#endif
#endif
diff --git a/config.h.in b/config.h.in
index 74893a7a4..3965ed25c 100644
--- a/config.h.in
+++ b/config.h.in
@@ -148,6 +148,12 @@
/* Define to 1 if you have the `pthread_rwlock_init' function. */
#undef HAVE_PTHREAD_RWLOCK_INIT
+/* Define to 1 if you have the `pthread_spin_init' function. */
+#undef HAVE_PTHREAD_SPIN_INIT
+
+/* Define to 1 if you have the `rb_errinfo' function. */
+#undef HAVE_RB_ERRINFO
+
/* have netlink RTA_TABLE defined */
#undef HAVE_RTA_TABLE
@@ -254,6 +260,9 @@
/* Define to 1 if strerror_r returns char *. */
#undef STRERROR_R_CHAR_P
+/* use TrouSerS library libtspi as TSS implementation */
+#undef TSS_TROUSERS
+
/* support for IKEv1 protocol */
#undef USE_IKEV1
@@ -281,3 +290,6 @@
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t
diff --git a/config.sub b/config.sub
index c2d125724..c894da455 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
-# Free Software Foundation, Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+# 2011, 2012 Free Software Foundation, Inc.
-timestamp='2010-01-22'
+timestamp='2012-02-10'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@@ -21,9 +21,7 @@ timestamp='2010-01-22'
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@@ -76,8 +74,8 @@ version="\
GNU config.sub ($timestamp)
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
-Software Foundation, Inc.
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -124,13 +122,18 @@ esac
# Here we must recognize all the valid KERNEL-OS combinations.
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
- nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
- uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+ nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
+ linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+ knetbsd*-gnu* | netbsd*-gnu* | \
kopensolaris*-gnu* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
+ android-linux)
+ os=-linux-android
+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+ ;;
*)
basic_machine=`echo $1 | sed 's/-[^-]*$//'`
if [ $basic_machine != $1 ]
@@ -157,8 +160,8 @@ case $os in
os=
basic_machine=$1
;;
- -bluegene*)
- os=-cnk
+ -bluegene*)
+ os=-cnk
;;
-sim | -cisco | -oki | -wec | -winbond)
os=
@@ -174,10 +177,10 @@ case $os in
os=-chorusos
basic_machine=$1
;;
- -chorusrdb)
- os=-chorusrdb
+ -chorusrdb)
+ os=-chorusrdb
basic_machine=$1
- ;;
+ ;;
-hiux*)
os=-hiuxwe2
;;
@@ -246,17 +249,22 @@ case $basic_machine in
# Some are omitted here because they have special meanings below.
1750a | 580 \
| a29k \
+ | aarch64 | aarch64_be \
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+ | be32 | be64 \
| bfin \
| c4x | clipper \
| d10v | d30v | dlx | dsp16xx \
+ | epiphany \
| fido | fr30 | frv \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+ | hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
+ | le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | mcore | mep | metag \
@@ -282,29 +290,39 @@ case $basic_machine in
| moxie \
| mt \
| msp430 \
+ | nds32 | nds32le | nds32be \
| nios | nios2 \
| ns16k | ns32k \
+ | open8 \
| or32 \
| pdp10 | pdp11 | pj | pjl \
- | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+ | powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
- | rx \
+ | rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
- | spu | strongarm \
- | tahoe | thumb | tic4x | tic80 | tron \
+ | spu \
+ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
| ubicom32 \
- | v850 | v850e \
+ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
| we32k \
- | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+ | x86 | xc16x | xstormy16 | xtensa \
| z8k | z80)
basic_machine=$basic_machine-unknown
;;
- m6811 | m68hc11 | m6812 | m68hc12 | picochip)
- # Motorola 68HC11/12.
+ c54x)
+ basic_machine=tic54x-unknown
+ ;;
+ c55x)
+ basic_machine=tic55x-unknown
+ ;;
+ c6x)
+ basic_machine=tic6x-unknown
+ ;;
+ m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
@@ -314,6 +332,21 @@ case $basic_machine in
basic_machine=mt-unknown
;;
+ strongarm | thumb | xscale)
+ basic_machine=arm-unknown
+ ;;
+ xgate)
+ basic_machine=$basic_machine-unknown
+ os=-none
+ ;;
+ xscaleeb)
+ basic_machine=armeb-unknown
+ ;;
+
+ xscaleel)
+ basic_machine=armel-unknown
+ ;;
+
# We use `pc' rather than `unknown'
# because (1) that's what they normally are, and
# (2) the word "unknown" tends to confuse beginning users.
@@ -328,21 +361,25 @@ case $basic_machine in
# Recognize the basic CPU types with company name.
580-* \
| a29k-* \
+ | aarch64-* | aarch64_be-* \
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
+ | be32-* | be64-* \
| bfin-* | bs2000-* \
- | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* \
| clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
| h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+ | hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
+ | le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
@@ -368,26 +405,29 @@ case $basic_machine in
| mmix-* \
| mt-* \
| msp430-* \
+ | nds32-* | nds32le-* | nds32be-* \
| nios-* | nios2-* \
| none-* | np1-* | ns16k-* | ns32k-* \
+ | open8-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
- | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
| pyramid-* \
- | romp-* | rs6000-* | rx-* \
+ | rl78-* | romp-* | rs6000-* | rx-* \
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
| sparclite-* \
- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
- | tahoe-* | thumb-* \
+ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+ | tahoe-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
- | tile-* | tilegx-* \
+ | tile*-* \
| tron-* \
| ubicom32-* \
- | v850-* | v850e-* | vax-* \
+ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
+ | vax-* \
| we32k-* \
- | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+ | x86-* | x86_64-* | xc16x-* | xps100-* \
| xstormy16-* | xtensa*-* \
| ymp-* \
| z8k-* | z80-*)
@@ -412,7 +452,7 @@ case $basic_machine in
basic_machine=a29k-amd
os=-udi
;;
- abacus)
+ abacus)
basic_machine=abacus-unknown
;;
adobe68k)
@@ -482,11 +522,20 @@ case $basic_machine in
basic_machine=powerpc-ibm
os=-cnk
;;
+ c54x-*)
+ basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ c55x-*)
+ basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ c6x-*)
+ basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
c90)
basic_machine=c90-cray
os=-unicos
;;
- cegcc)
+ cegcc)
basic_machine=arm-unknown
os=-cegcc
;;
@@ -518,7 +567,7 @@ case $basic_machine in
basic_machine=craynv-cray
os=-unicosmp
;;
- cr16)
+ cr16 | cr16-*)
basic_machine=cr16-unknown
os=-elf
;;
@@ -676,7 +725,6 @@ case $basic_machine in
i370-ibm* | ibm*)
basic_machine=i370-ibm
;;
-# I'm not sure what "Sysv32" means. Should this be sysv3.2?
i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
@@ -734,7 +782,7 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
- microblaze)
+ microblaze)
basic_machine=microblaze-xilinx
;;
mingw32)
@@ -773,10 +821,18 @@ case $basic_machine in
ms1-*)
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
;;
+ msys)
+ basic_machine=i386-pc
+ os=-msys
+ ;;
mvs)
basic_machine=i370-ibm
os=-mvs
;;
+ nacl)
+ basic_machine=le32-unknown
+ os=-nacl
+ ;;
ncr3000)
basic_machine=i486-ncr
os=-sysv4
@@ -841,6 +897,12 @@ case $basic_machine in
np1)
basic_machine=np1-gould
;;
+ neo-tandem)
+ basic_machine=neo-tandem
+ ;;
+ nse-tandem)
+ basic_machine=nse-tandem
+ ;;
nsr-tandem)
basic_machine=nsr-tandem
;;
@@ -923,9 +985,10 @@ case $basic_machine in
;;
power) basic_machine=power-ibm
;;
- ppc) basic_machine=powerpc-unknown
+ ppc | ppcbe) basic_machine=powerpc-unknown
;;
- ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ppc-* | ppcbe-*)
+ basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppcle | powerpclittle | ppc-le | powerpc-little)
basic_machine=powerpcle-unknown
@@ -1019,6 +1082,9 @@ case $basic_machine in
basic_machine=i860-stratus
os=-sysv4
;;
+ strongarm-* | thumb-*)
+ basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
sun2)
basic_machine=m68000-sun
;;
@@ -1075,25 +1141,8 @@ case $basic_machine in
basic_machine=t90-cray
os=-unicos
;;
- tic54x | c54x*)
- basic_machine=tic54x-unknown
- os=-coff
- ;;
- tic55x | c55x*)
- basic_machine=tic55x-unknown
- os=-coff
- ;;
- tic6x | c6x*)
- basic_machine=tic6x-unknown
- os=-coff
- ;;
- # This must be matched before tile*.
- tilegx*)
- basic_machine=tilegx-unknown
- os=-linux-gnu
- ;;
tile*)
- basic_machine=tile-unknown
+ basic_machine=$basic_machine-unknown
os=-linux-gnu
;;
tx39)
@@ -1163,6 +1212,9 @@ case $basic_machine in
xps | xps100)
basic_machine=xps100-honeywell
;;
+ xscale-* | xscalee[bl]-*)
+ basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+ ;;
ymp)
basic_machine=ymp-cray
os=-unicos
@@ -1260,11 +1312,11 @@ esac
if [ x"$os" != x"" ]
then
case $os in
- # First match some system type aliases
- # that might get confused with valid system types.
+ # First match some system type aliases
+ # that might get confused with valid system types.
# -solaris* is a basic system type, with this one exception.
- -auroraux)
- os=-auroraux
+ -auroraux)
+ os=-auroraux
;;
-solaris1 | -solaris1.*)
os=`echo $os | sed -e 's|solaris1|sunos4|'`
@@ -1300,8 +1352,9 @@ case $os in
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
- | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+ | -mingw32* | -linux-gnu* | -linux-android* \
+ | -linux-newlib* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
@@ -1348,7 +1401,7 @@ case $os in
-opened*)
os=-openedition
;;
- -os400*)
+ -os400*)
os=-os400
;;
-wince*)
@@ -1397,7 +1450,7 @@ case $os in
-sinix*)
os=-sysv4
;;
- -tpf*)
+ -tpf*)
os=-tpf
;;
-triton*)
@@ -1442,8 +1495,8 @@ case $os in
-dicos*)
os=-dicos
;;
- -nacl*)
- ;;
+ -nacl*)
+ ;;
-none)
;;
*)
@@ -1466,10 +1519,10 @@ else
# system, and we'll never get to this point.
case $basic_machine in
- score-*)
+ score-*)
os=-elf
;;
- spu-*)
+ spu-*)
os=-elf
;;
*-acorn)
@@ -1481,8 +1534,17 @@ case $basic_machine in
arm*-semi)
os=-aout
;;
- c4x-* | tic4x-*)
- os=-coff
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ tic54x-*)
+ os=-coff
+ ;;
+ tic55x-*)
+ os=-coff
+ ;;
+ tic6x-*)
+ os=-coff
;;
# This must come before the *-dec entry.
pdp10-*)
@@ -1502,14 +1564,11 @@ case $basic_machine in
;;
m68000-sun)
os=-sunos3
- # This also exists in the configure program, but was not the
- # default.
- # os=-sunos4
;;
m68*-cisco)
os=-aout
;;
- mep-*)
+ mep-*)
os=-elf
;;
mips*-cisco)
@@ -1536,7 +1595,7 @@ case $basic_machine in
*-ibm)
os=-aix
;;
- *-knuth)
+ *-knuth)
os=-mmixware
;;
*-wec)
diff --git a/configure b/configure
index 73023d5e0..7424477b3 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for strongSwan 5.0.1.
+# Generated by GNU Autoconf 2.68 for strongSwan 5.0.2.
#
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -89,6 +89,7 @@ fi
IFS=" "" $as_nl"
# Find who we are. Look in the path if we contain no directory separator.
+as_myself=
case $0 in #((
*[\\/]* ) as_myself=$0 ;;
*) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -171,7 +172,15 @@ test x\$exitcode = x0 || exit 1"
as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
-test \$(( 1 + 1 )) = 2 || exit 1"
+test \$(( 1 + 1 )) = 2 || exit 1
+
+ test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || (
+ ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+ ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+ PATH=/empty FPATH=/empty; export PATH FPATH
+ test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\
+ || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1"
if (eval "$as_required") 2>/dev/null; then :
as_have_required=yes
else
@@ -214,11 +223,18 @@ IFS=$as_save_IFS
# We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
+ # Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
export CONFIG_SHELL
- exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+ case $- in # ((((
+ *v*x* | *x*v* ) as_opts=-vx ;;
+ *v* ) as_opts=-v ;;
+ *x* ) as_opts=-x ;;
+ * ) as_opts= ;;
+ esac
+ exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
fi
if test x$as_have_required = xno; then :
@@ -525,155 +541,8 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-# Check that we are running under the correct shell.
SHELL=${CONFIG_SHELL-/bin/sh}
-case X$lt_ECHO in
-X*--fallback-echo)
- # Remove one level of quotation (which was required for Make).
- ECHO=`echo "$lt_ECHO" | sed 's,\\\\\$\\$0,'$0','`
- ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X$1" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
-elif test "X$1" = X--fallback-echo; then
- # Avoid inline document here, it may be left over
- :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
- # Yippee, $ECHO works!
- :
-else
- # Restart under the correct shell.
- exec $SHELL "$0" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
- # used as fallback echo
- shift
- cat <<_LT_EOF
-$*
-_LT_EOF
- exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
- if test "X${echo_test_string+set}" != Xset; then
- # find a string as large as possible, as long as the shell can cope with it
- for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
- # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
- if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
- { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
- then
- break
- fi
- done
- fi
-
- if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- :
- else
- # The Solaris, AIX, and Digital Unix default echo programs unquote
- # backslashes. This makes it impossible to quote backslashes using
- # echo "$something" | sed 's/\\/\\\\/g'
- #
- # So, first we look for a working echo in the user's PATH.
-
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for dir in $PATH /usr/ucb; do
- IFS="$lt_save_ifs"
- if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
- test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- ECHO="$dir/echo"
- break
- fi
- done
- IFS="$lt_save_ifs"
-
- if test "X$ECHO" = Xecho; then
- # We didn't find a better echo, so look for alternatives.
- if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # This shell has a builtin print -r that does the trick.
- ECHO='print -r'
- elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
- test "X$CONFIG_SHELL" != X/bin/ksh; then
- # If we have ksh, try running configure again with it.
- ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
- export ORIGINAL_CONFIG_SHELL
- CONFIG_SHELL=/bin/ksh
- export CONFIG_SHELL
- exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
- else
- # Try using printf.
- ECHO='printf %s\n'
- if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # Cool, printf works
- :
- elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
- export CONFIG_SHELL
- SHELL="$CONFIG_SHELL"
- export SHELL
- ECHO="$CONFIG_SHELL $0 --fallback-echo"
- elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- ECHO="$CONFIG_SHELL $0 --fallback-echo"
- else
- # maybe with a smaller string...
- prev=:
-
- for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
- if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
- then
- break
- fi
- prev="$cmd"
- done
-
- if test "$prev" != 'sed 50q "$0"'; then
- echo_test_string=`eval $prev`
- export echo_test_string
- exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
- else
- # Oops. We lost completely, so just stick with echo.
- ECHO=echo
- fi
- fi
- fi
- fi
- fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
- lt_ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
-fi
-
-
-
test -n "$DJDIR" || exec 7<&0 </dev/null
exec 6>&1
@@ -698,8 +567,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='strongSwan'
PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.0.1'
-PACKAGE_STRING='strongSwan 5.0.1'
+PACKAGE_VERSION='5.0.2'
+PACKAGE_STRING='strongSwan 5.0.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -745,6 +614,8 @@ LTLIBOBJS
LIBOBJS
MONOLITHIC_FALSE
MONOLITHIC_TRUE
+USE_TROUSERS_FALSE
+USE_TROUSERS_TRUE
USE_PTS_FALSE
USE_PTS_TRUE
USE_IMCV_FALSE
@@ -837,6 +708,10 @@ USE_IMV_ATTESTATION_FALSE
USE_IMV_ATTESTATION_TRUE
USE_IMC_ATTESTATION_FALSE
USE_IMC_ATTESTATION_TRUE
+USE_IMV_OS_FALSE
+USE_IMV_OS_TRUE
+USE_IMC_OS_FALSE
+USE_IMC_OS_TRUE
USE_IMV_SCANNER_FALSE
USE_IMV_SCANNER_TRUE
USE_IMC_SCANNER_FALSE
@@ -913,6 +788,10 @@ USE_LED_FALSE
USE_LED_TRUE
USE_CERTEXPIRE_FALSE
USE_CERTEXPIRE_TRUE
+USE_ERROR_NOTIFY_FALSE
+USE_ERROR_NOTIFY_TRUE
+USE_LOOKIP_FALSE
+USE_LOOKIP_TRUE
USE_WHITELIST_FALSE
USE_WHITELIST_TRUE
USE_HA_FALSE
@@ -979,6 +858,8 @@ USE_PGP_FALSE
USE_PGP_TRUE
USE_PKCS8_FALSE
USE_PKCS8_TRUE
+USE_PKCS7_FALSE
+USE_PKCS7_TRUE
USE_PKCS1_FALSE
USE_PKCS1_TRUE
USE_PUBKEY_FALSE
@@ -993,6 +874,8 @@ USE_NONCE_FALSE
USE_NONCE_TRUE
USE_RANDOM_FALSE
USE_RANDOM_TRUE
+USE_RDRAND_FALSE
+USE_RDRAND_TRUE
USE_GMP_FALSE
USE_GMP_TRUE
USE_FIPS_PRF_FALSE
@@ -1049,6 +932,7 @@ MYSQLCFLAG
MYSQLLIB
MYSQLCONFIG
clearsilver_LIBS
+RUBYLIB
RUBYINCLUDE
RUBY
gtk_LIBS
@@ -1077,9 +961,11 @@ OTOOL
LIPO
NMEDIT
DSYMUTIL
-lt_ECHO
+MANIFEST_TOOL
RANLIB
+ac_ct_AR
AR
+DLLTOOL
OBJDUMP
LN_S
NM
@@ -1103,6 +989,7 @@ build
am__fastdepCC_FALSE
am__fastdepCC_TRUE
CCDEPMODE
+am__nodep
AMDEPBACKSLASH
AMDEP_FALSE
AMDEP_TRUE
@@ -1219,6 +1106,7 @@ with_linux_headers
with_routing_table
with_routing_table_prio
with_ipsec_script
+with_tss
with_capabilities
with_mpz_powm_sec
with_dev_headers
@@ -1239,6 +1127,7 @@ enable_sha1
enable_sha2
enable_fips_prf
enable_gmp
+enable_rdrand
enable_random
enable_nonce
enable_x509
@@ -1246,6 +1135,7 @@ enable_revocation
enable_constraints
enable_pubkey
enable_pkcs1
+enable_pkcs7
enable_pkcs8
enable_pgp
enable_dnskey
@@ -1298,6 +1188,8 @@ enable_imc_test
enable_imv_test
enable_imc_scanner
enable_imv_scanner
+enable_imc_os
+enable_imv_os
enable_imc_attestation
enable_imv_attestation
enable_kernel_netlink
@@ -1342,6 +1234,8 @@ enable_maemo
enable_nm
enable_ha
enable_whitelist
+enable_lookip
+enable_error_notify
enable_certexpire
enable_led
enable_duplicheck
@@ -1357,6 +1251,7 @@ enable_static
with_pic
enable_fast_install
with_gnu_ld
+with_sysroot
enable_libtool_lock
'
ac_precious_vars='build_alias
@@ -1791,7 +1686,7 @@ Try \`$0 --help' for more information"
$as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
$as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
- : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+ : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
;;
esac
@@ -1929,7 +1824,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures strongSwan 5.0.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.0.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1999,7 +1894,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of strongSwan 5.0.1:";;
+ short | recursive ) echo "Configuration of strongSwan 5.0.2:";;
esac
cat <<\_ACEOF
@@ -2024,6 +1919,7 @@ Optional Features:
--disable-fips-prf disable FIPS PRF software implementation plugin.
--disable-gmp disable GNU MP (libgmp) based crypto implementation
plugin.
+ --enable-rdrand enable Intel RDRAND random generator plugin.
--disable-random disable RNG implementation on top of /dev/(u)random.
--disable-nonce disable nonce generation plugin.
--disable-x509 disable X509 certificate implementation plugin.
@@ -2031,6 +1927,7 @@ Optional Features:
--disable-constraints disable advanced X509 constraint checking plugin.
--disable-pubkey disable RAW public key support plugin.
--disable-pkcs1 disable PKCS1 key decoding plugin.
+ --disable-pkcs7 disable PKCS7 container support plugin.
--disable-pkcs8 disable PKCS8 private key decoding plugin.
--disable-pgp disable PGP key decoding plugin.
--disable-dnskey disable DNS RR key decoding plugin.
@@ -2094,6 +1991,8 @@ Optional Features:
--enable-imv-test enable IMV test module.
--enable-imc-scanner enable IMC port scanner module.
--enable-imv-scanner enable IMV port scanner module.
+ --enable-imc-os enable IMC operating system module.
+ --enable-imv-os enable IMV operating system module.
--enable-imc-attestation
enable IMC attestation module.
--enable-imv-attestation
@@ -2149,6 +2048,9 @@ Optional Features:
--enable-nm enable NetworkManager backend.
--enable-ha enable high availability cluster plugin.
--enable-whitelist enable peer identity whitelisting plugin.
+ --enable-lookip enable fast virtual IP lookup and notification
+ plugin.
+ --enable-error-notify enable error notification plugin.
--enable-certexpire enable CSV export of expiration dates of used
certificates.
--enable-led enable plugin to control LEDs on IKEv2 activity
@@ -2211,6 +2113,9 @@ Optional Packages:
set priority for IPsec routing table (default: 220).
--with-ipsec-script=arg change the name of the ipsec script (default:
ipsec).
+ --with-tss=arg set implementation of the Trusted Computing Group's
+ Software Stack (TSS). Currently the only supported
+ value is "trousers" (default: no).
--with-capabilities=arg set capability dropping library. Currently supported
values are "libcap" and "native" (default: no).
--with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
@@ -2233,9 +2138,11 @@ Optional Packages:
default 4500). Set to 0 to allocate randomly.
--with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
--without-lib-prefix don't search for libraries in includedir and libdir
- --with-pic try to use only PIC/non-PIC objects [default=use
+ --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
+ --with-sysroot=DIR Search for dependent libraries within DIR
+ (or the compiler's sysroot if not specified).
Some influential environment variables:
PKG_CONFIG path to pkg-config utility
@@ -2251,8 +2158,9 @@ Some influential environment variables:
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
- YACC The `Yet Another C Compiler' implementation to use. Defaults to
- the first program found out of: `bison -y', `byacc', `yacc'.
+ YACC The `Yet Another Compiler Compiler' implementation to use.
+ Defaults to the first program found out of: `bison -y', `byacc',
+ `yacc'.
YFLAGS The list of arguments that will be passed by default to $YACC.
This script will default YFLAGS to the empty string to avoid a
default value of `-d' given by some make applications.
@@ -2341,8 +2249,8 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-strongSwan configure 5.0.1
-generated by GNU Autoconf 2.67
+strongSwan configure 5.0.2
+generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
@@ -2388,7 +2296,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=1
fi
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_compile
@@ -2425,7 +2333,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=1
fi
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_cpp
@@ -2467,7 +2375,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=$ac_status
fi
rm -rf conftest.dSYM conftest_ipa8_conftest.oo
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_run
@@ -2481,7 +2389,7 @@ ac_fn_c_check_header_compile ()
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
$as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2499,7 +2407,7 @@ fi
eval ac_res=\$$3
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_header_compile
@@ -2544,7 +2452,7 @@ fi
# interfere with the next link command; also delete a directory that is
# left behind by Apple's compiler. We do this before executing the actions.
rm -rf conftest.dSYM conftest_ipa8_conftest.oo
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_link
@@ -2557,7 +2465,7 @@ ac_fn_c_check_func ()
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
$as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2612,7 +2520,7 @@ fi
eval ac_res=\$$3
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_func
@@ -2625,7 +2533,7 @@ ac_fn_c_check_type ()
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
$as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
$as_echo_n "(cached) " >&6
else
eval "$3=no"
@@ -2666,7 +2574,7 @@ fi
eval ac_res=\$$3
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_type
@@ -2681,7 +2589,7 @@ ac_fn_c_check_decl ()
as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
$as_echo_n "checking whether $as_decl_name is declared... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2712,7 +2620,7 @@ fi
eval ac_res=\$$3
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_decl
@@ -2724,10 +2632,10 @@ $as_echo "$ac_res" >&6; }
ac_fn_c_check_header_mongrel ()
{
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
- if eval "test \"\${$3+set}\"" = set; then :
+ if eval \${$3+:} false; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
$as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
$as_echo_n "(cached) " >&6
fi
eval ac_res=\$$3
@@ -2790,7 +2698,7 @@ $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
$as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
$as_echo_n "(cached) " >&6
else
eval "$3=\$ac_header_compiler"
@@ -2799,7 +2707,7 @@ eval ac_res=\$$3
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
fi
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_header_mongrel
@@ -2812,7 +2720,7 @@ ac_fn_c_check_member ()
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
$as_echo_n "checking for $2.$3... " >&6; }
-if eval "test \"\${$4+set}\"" = set; then :
+if eval \${$4+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2856,15 +2764,15 @@ fi
eval ac_res=\$$4
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
} # ac_fn_c_check_member
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 5.0.1, which was
-generated by GNU Autoconf 2.67. Invocation command line was
+It was created by strongSwan $as_me 5.0.2, which was
+generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -3122,7 +3030,7 @@ $as_echo "$as_me: loading site script $ac_site_file" >&6;}
|| { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "failed to load site script $ac_site_file
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
fi
done
@@ -3259,7 +3167,7 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
$as_echo_n "checking for a BSD-compatible install... " >&6; }
if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then :
+if ${ac_cv_path_install+:} false; then :
$as_echo_n "(cached) " >&6
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -3346,11 +3254,11 @@ am_lf='
'
case `pwd` in
*[\\\"\#\$\&\'\`$am_lf]*)
- as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;;
+ as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;;
esac
case $srcdir in
*[\\\"\#\$\&\'\`$am_lf\ \ ]*)
- as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;;
+ as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;;
esac
# Do `set' in a subshell so we don't clobber the current shell's
@@ -3436,7 +3344,7 @@ if test "$cross_compiling" != no; then
set dummy ${ac_tool_prefix}strip; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then :
+if ${ac_cv_prog_STRIP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$STRIP"; then
@@ -3476,7 +3384,7 @@ if test -z "$ac_cv_prog_STRIP"; then
set dummy strip; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_STRIP"; then
@@ -3529,7 +3437,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
$as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
if test -z "$MKDIR_P"; then
- if test "${ac_cv_path_mkdir+set}" = set; then :
+ if ${ac_cv_path_mkdir+:} false; then :
$as_echo_n "(cached) " >&6
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -3580,7 +3488,7 @@ do
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then :
+if ${ac_cv_prog_AWK+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$AWK"; then
@@ -3620,7 +3528,7 @@ done
$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
set x ${MAKE-make}
ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then :
+if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then :
$as_echo_n "(cached) " >&6
else
cat >conftest.make <<\_ACEOF
@@ -3678,7 +3586,7 @@ fi
# Define the identity of the package.
PACKAGE='strongswan'
- VERSION='5.0.1'
+ VERSION='5.0.2'
cat >>confdefs.h <<_ACEOF
@@ -3708,9 +3616,9 @@ MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
# We need awk for the "check" target. The system "awk" is bad on
# some platforms.
-# Always define AMTAR for backward compatibility.
-
-AMTAR=${AMTAR-"${am_missing_run}tar"}
+# Always define AMTAR for backward compatibility. Yes, it's still used
+# in the wild :-( We should find a proper way to deprecate it ...
+AMTAR='$${TAR-tar}'
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to create a ustar tar archive" >&5
@@ -3786,7 +3694,7 @@ do
done
rm -rf conftest.dir
-if test "${am_cv_prog_tar_ustar+set}" = set; then :
+if ${am_cv_prog_tar_ustar+:} false; then :
$as_echo_n "(cached) " >&6
else
am_cv_prog_tar_ustar=$_am_tool
@@ -3811,13 +3719,14 @@ $as_echo "#define CONFIG_H_INCLUDED /**/" >>confdefs.h
+
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
if test -n "$ac_tool_prefix"; then
# Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PKG_CONFIG+set}" = set; then :
+if ${ac_cv_path_PKG_CONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $PKG_CONFIG in
@@ -3860,7 +3769,7 @@ if test -z "$ac_cv_path_PKG_CONFIG"; then
set dummy pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then :
+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $ac_pt_PKG_CONFIG in
@@ -4108,6 +4017,16 @@ fi
+# Check whether --with-tss was given.
+if test "${with_tss+set}" = set; then :
+ withval=$with_tss; tss="$withval"
+else
+ tss=no
+
+fi
+
+
+
# Check whether --with-capabilities was given.
if test "${with_capabilities+set}" = set; then :
withval=$with_capabilities; capabilities="$withval"
@@ -4434,6 +4353,21 @@ else
fi
+# Check whether --enable-rdrand was given.
+if test "${enable_rdrand+set}" = set; then :
+ enableval=$enable_rdrand; rdrand_given=true
+ if test x$enableval = xyes; then
+ rdrand=true
+ else
+ rdrand=false
+ fi
+else
+ rdrand=false
+ rdrand_given=false
+
+fi
+
+
# Check whether --enable-random was given.
if test "${enable_random+set}" = set; then :
enableval=$enable_random; random_given=true
@@ -4539,6 +4473,21 @@ else
fi
+# Check whether --enable-pkcs7 was given.
+if test "${enable_pkcs7+set}" = set; then :
+ enableval=$enable_pkcs7; pkcs7_given=true
+ if test x$enableval = xyes; then
+ pkcs7=true
+ else
+ pkcs7=false
+ fi
+else
+ pkcs7=true
+ pkcs7_given=false
+
+fi
+
+
# Check whether --enable-pkcs8 was given.
if test "${enable_pkcs8+set}" = set; then :
enableval=$enable_pkcs8; pkcs8_given=true
@@ -5319,6 +5268,36 @@ else
fi
+# Check whether --enable-imc-os was given.
+if test "${enable_imc_os+set}" = set; then :
+ enableval=$enable_imc_os; imc_os_given=true
+ if test x$enableval = xyes; then
+ imc_os=true
+ else
+ imc_os=false
+ fi
+else
+ imc_os=false
+ imc_os_given=false
+
+fi
+
+
+# Check whether --enable-imv-os was given.
+if test "${enable_imv_os+set}" = set; then :
+ enableval=$enable_imv_os; imv_os_given=true
+ if test x$enableval = xyes; then
+ imv_os=true
+ else
+ imv_os=false
+ fi
+else
+ imv_os=false
+ imv_os_given=false
+
+fi
+
+
# Check whether --enable-imc-attestation was given.
if test "${enable_imc_attestation+set}" = set; then :
enableval=$enable_imc_attestation; imc_attestation_given=true
@@ -5979,6 +5958,36 @@ else
fi
+# Check whether --enable-lookip was given.
+if test "${enable_lookip+set}" = set; then :
+ enableval=$enable_lookip; lookip_given=true
+ if test x$enableval = xyes; then
+ lookip=true
+ else
+ lookip=false
+ fi
+else
+ lookip=false
+ lookip_given=false
+
+fi
+
+
+# Check whether --enable-error-notify was given.
+if test "${enable_error_notify+set}" = set; then :
+ enableval=$enable_error_notify; error_notify_given=true
+ if test x$enableval = xyes; then
+ error_notify=true
+ else
+ error_notify=false
+ fi
+else
+ error_notify=false
+ error_notify_given=false
+
+fi
+
+
# Check whether --enable-certexpire was given.
if test "${enable_certexpire+set}" = set; then :
enableval=$enable_certexpire; certexpire_given=true
@@ -6114,7 +6123,7 @@ if test -n "$ac_tool_prefix"; then
set dummy ${ac_tool_prefix}gcc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$CC"; then
@@ -6154,7 +6163,7 @@ if test -z "$ac_cv_prog_CC"; then
set dummy gcc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_CC"; then
@@ -6207,7 +6216,7 @@ if test -z "$CC"; then
set dummy ${ac_tool_prefix}cc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$CC"; then
@@ -6247,7 +6256,7 @@ if test -z "$CC"; then
set dummy cc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$CC"; then
@@ -6306,7 +6315,7 @@ if test -z "$CC"; then
set dummy $ac_tool_prefix$ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$CC"; then
@@ -6350,7 +6359,7 @@ do
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_CC"; then
@@ -6405,7 +6414,7 @@ fi
test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "no acceptable C compiler found in \$PATH
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
# Provide some information about the compiler.
$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
@@ -6520,7 +6529,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error 77 "C compiler cannot create executables
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
@@ -6563,7 +6572,7 @@ else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
fi
rm -f conftest conftest$ac_cv_exeext
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
@@ -6622,7 +6631,7 @@ $as_echo "$ac_try_echo"; } >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot run C compiled programs.
If you meant to cross compile, use \`--host'.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
fi
fi
fi
@@ -6633,7 +6642,7 @@ rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
ac_clean_files=$ac_clean_files_save
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
$as_echo_n "checking for suffix of object files... " >&6; }
-if test "${ac_cv_objext+set}" = set; then :
+if ${ac_cv_objext+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -6674,7 +6683,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot compute suffix of object files: cannot compile
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
fi
rm -f conftest.$ac_cv_objext conftest.$ac_ext
fi
@@ -6684,7 +6693,7 @@ OBJEXT=$ac_cv_objext
ac_objext=$OBJEXT
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then :
+if ${ac_cv_c_compiler_gnu+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -6721,7 +6730,7 @@ ac_test_CFLAGS=${CFLAGS+set}
ac_save_CFLAGS=$CFLAGS
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
$as_echo_n "checking whether $CC accepts -g... " >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then :
+if ${ac_cv_prog_cc_g+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_save_c_werror_flag=$ac_c_werror_flag
@@ -6799,7 +6808,7 @@ else
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then :
+if ${ac_cv_prog_cc_c89+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_cv_prog_cc_c89=no
@@ -6945,6 +6954,7 @@ fi
if test "x$enable_dependency_tracking" != xno; then
am_depcomp="$ac_aux_dir/depcomp"
AMDEPBACKSLASH='\'
+ am__nodep='_no'
fi
if test "x$enable_dependency_tracking" != xno; then
AMDEP_TRUE=
@@ -6960,7 +6970,7 @@ depcc="$CC" am_compiler_list=
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5
$as_echo_n "checking dependency style of $depcc... " >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then :
+if ${am_cv_CC_dependencies_compiler_type+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
@@ -6969,6 +6979,7 @@ else
# instance it was reported that on HP-UX the gcc test will end up
# making a dummy file named `D' -- because `-MD' means `put the output
# in D'.
+ rm -rf conftest.dir
mkdir conftest.dir
# Copy depcomp to subdir because otherwise we won't find it if we're
# using a relative directory.
@@ -7028,7 +7039,7 @@ else
break
fi
;;
- msvisualcpp | msvcmsys)
+ msvc7 | msvc7msys | msvisualcpp | msvcmsys)
# This compiler won't grok `-c -o', but also, the minuso test has
# not run yet. These depmodes are late enough in the game, and
# so weak that their functioning should not be impacted.
@@ -7089,7 +7100,7 @@ $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
$as_echo_n "checking build system type... " >&6; }
-if test "${ac_cv_build+set}" = set; then :
+if ${ac_cv_build+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_build_alias=$build_alias
@@ -7105,7 +7116,7 @@ fi
$as_echo "$ac_cv_build" >&6; }
case $ac_cv_build in
*-*-*) ;;
-*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;;
+*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;;
esac
build=$ac_cv_build
ac_save_IFS=$IFS; IFS='-'
@@ -7123,7 +7134,7 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5
$as_echo_n "checking host system type... " >&6; }
-if test "${ac_cv_host+set}" = set; then :
+if ${ac_cv_host+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "x$host_alias" = x; then
@@ -7138,7 +7149,7 @@ fi
$as_echo "$ac_cv_host" >&6; }
case $ac_cv_host in
*-*-*) ;;
-*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;;
+*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;;
esac
host=$ac_cv_host
ac_save_IFS=$IFS; IFS='-'
@@ -7167,7 +7178,7 @@ if test -n "$CPP" && test -d "$CPP"; then
CPP=
fi
if test -z "$CPP"; then
- if test "${ac_cv_prog_CPP+set}" = set; then :
+ if ${ac_cv_prog_CPP+:} false; then :
$as_echo_n "(cached) " >&6
else
# Double quotes because CPP needs to be expanded
@@ -7283,7 +7294,7 @@ else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
fi
ac_ext=c
@@ -7295,7 +7306,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-if test "${ac_cv_path_GREP+set}" = set; then :
+if ${ac_cv_path_GREP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -z "$GREP"; then
@@ -7358,7 +7369,7 @@ $as_echo "$ac_cv_path_GREP" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
$as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then :
+if ${ac_cv_path_EGREP+:} false; then :
$as_echo_n "(cached) " >&6
else
if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -7431,7 +7442,7 @@ $as_echo "$ac_cv_path_EGREP" >&6; }
solaris*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for 64-bit host" >&5
$as_echo_n "checking for 64-bit host... " >&6; }
-if test "${gl_cv_solaris_64bit+set}" = set; then :
+if ${gl_cv_solaris_64bit+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -7618,7 +7629,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
$as_echo_n "checking for ANSI C header files... " >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then :
+if ${ac_cv_header_stdc+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -7747,7 +7758,7 @@ done
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5
$as_echo_n "checking whether byte ordering is bigendian... " >&6; }
-if test "${ac_cv_c_bigendian+set}" = set; then :
+if ${ac_cv_c_bigendian+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_cv_c_bigendian=unknown
@@ -7966,7 +7977,7 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
;; #(
*)
as_fn_error $? "unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
esac
@@ -7980,8 +7991,8 @@ esac
-macro_version='2.2.6b'
-macro_revision='1.3017'
+macro_version='2.4.2'
+macro_revision='1.3337'
@@ -7997,9 +8008,78 @@ macro_revision='1.3017'
ltmain="$ac_aux_dir/ltmain.sh"
+# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\(["`\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5
+$as_echo_n "checking how to print strings... " >&6; }
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+ test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+ ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+ ECHO='printf %s\n'
+else
+ # Use this function as a fallback that always works.
+ func_fallback_echo ()
+ {
+ eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+ }
+ ECHO='func_fallback_echo'
+fi
+
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+ $ECHO ""
+}
+
+case "$ECHO" in
+ printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5
+$as_echo "printf" >&6; } ;;
+ print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5
+$as_echo "print -r" >&6; } ;;
+ *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5
+$as_echo "cat" >&6; } ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5
$as_echo_n "checking for a sed that does not truncate output... " >&6; }
-if test "${ac_cv_path_SED+set}" = set; then :
+if ${ac_cv_path_SED+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
@@ -8081,7 +8161,7 @@ Xsed="$SED -e 1s/^X//"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5
$as_echo_n "checking for fgrep... " >&6; }
-if test "${ac_cv_path_FGREP+set}" = set; then :
+if ${ac_cv_path_FGREP+:} false; then :
$as_echo_n "(cached) " >&6
else
if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
@@ -8212,7 +8292,7 @@ else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5
$as_echo_n "checking for non-GNU ld... " >&6; }
fi
-if test "${lt_cv_path_LD+set}" = set; then :
+if ${lt_cv_path_LD+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -z "$LD"; then
@@ -8252,7 +8332,7 @@ fi
test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then :
+if ${lt_cv_prog_gnu_ld+:} false; then :
$as_echo_n "(cached) " >&6
else
# I'd rather use --version here, but apparently some GNU lds only accept -v.
@@ -8279,7 +8359,7 @@ with_gnu_ld=$lt_cv_prog_gnu_ld
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5
$as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; }
-if test "${lt_cv_path_NM+set}" = set; then :
+if ${lt_cv_path_NM+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$NM"; then
@@ -8332,14 +8412,17 @@ if test "$lt_cv_path_NM" != "no"; then
NM="$lt_cv_path_NM"
else
# Didn't find any BSD compatible name lister, look for dumpbin.
- if test -n "$ac_tool_prefix"; then
- for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+ if test -n "$DUMPBIN"; then :
+ # Let the user override the test.
+ else
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in dumpbin "link -dump"
do
# Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
set dummy $ac_tool_prefix$ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DUMPBIN+set}" = set; then :
+if ${ac_cv_prog_DUMPBIN+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$DUMPBIN"; then
@@ -8377,13 +8460,13 @@ fi
fi
if test -z "$DUMPBIN"; then
ac_ct_DUMPBIN=$DUMPBIN
- for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+ for ac_prog in dumpbin "link -dump"
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_DUMPBIN"; then
@@ -8432,6 +8515,15 @@ esac
fi
fi
+ case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
+ *COFF*)
+ DUMPBIN="$DUMPBIN -symbols"
+ ;;
+ *)
+ DUMPBIN=:
+ ;;
+ esac
+ fi
if test "$DUMPBIN" != ":"; then
NM="$DUMPBIN"
@@ -8446,18 +8538,18 @@ test -z "$NM" && NM=nm
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5
$as_echo_n "checking the name lister ($NM) interface... " >&6; }
-if test "${lt_cv_nm_interface+set}" = set; then :
+if ${lt_cv_nm_interface+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:8454: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:8457: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:8460: output\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
@@ -8481,7 +8573,7 @@ fi
# find the maximum length of command line arguments
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5
$as_echo_n "checking the maximum length of command line arguments... " >&6; }
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then :
+if ${lt_cv_sys_max_cmd_len+:} false; then :
$as_echo_n "(cached) " >&6
else
i=0
@@ -8514,6 +8606,11 @@ else
lt_cv_sys_max_cmd_len=8192;
;;
+ mint*)
+ # On MiNT this can take a long time and run out of memory.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
amigaos*)
# On AmigaOS with pdksh, this test takes hours, literally.
# So we just punt and use a minimum line length of 8192.
@@ -8539,6 +8636,11 @@ else
lt_cv_sys_max_cmd_len=196608
;;
+ os2*)
+ # The test takes a long time on OS/2.
+ lt_cv_sys_max_cmd_len=8192
+ ;;
+
osf*)
# Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
# due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -8578,8 +8680,8 @@ else
# If test is not a shell built-in, we'll probably end up computing a
# maximum length that is only half of the actual maximum length, but
# we can't tell.
- while { test "X"`$SHELL $0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
- = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+ while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
+ = "X$teststring$teststring"; } >/dev/null 2>&1 &&
test $i != 17 # 1/2 MB should be enough
do
i=`expr $i + 1`
@@ -8621,8 +8723,8 @@ $as_echo_n "checking whether the shell understands some XSI constructs... " >&6;
# Try some XSI features
xsi_shell=no
( _lt_dummy="a/b/c"
- test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
- = c,a/b,, \
+ test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
+ = c,a/b,b/c, \
&& eval 'test $(( 1 + 1 )) -eq 2 \
&& test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
&& xsi_shell=yes
@@ -8671,9 +8773,83 @@ esac
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5
+$as_echo_n "checking how to convert $build file names to $host format... " >&6; }
+if ${lt_cv_to_host_file_cmd+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $host in
+ *-*-mingw* )
+ case $build in
+ *-*-mingw* ) # actually msys
+ lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+ ;;
+ *-*-cygwin* )
+ lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+ ;;
+ * ) # otherwise, assume *nix
+ lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+ ;;
+ esac
+ ;;
+ *-*-cygwin* )
+ case $build in
+ *-*-mingw* ) # actually msys
+ lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+ ;;
+ *-*-cygwin* )
+ lt_cv_to_host_file_cmd=func_convert_file_noop
+ ;;
+ * ) # otherwise, assume *nix
+ lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+ ;;
+ esac
+ ;;
+ * ) # unhandled hosts (and "normal" native builds)
+ lt_cv_to_host_file_cmd=func_convert_file_noop
+ ;;
+esac
+
+fi
+
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5
+$as_echo "$lt_cv_to_host_file_cmd" >&6; }
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5
+$as_echo_n "checking how to convert $build file names to toolchain format... " >&6; }
+if ${lt_cv_to_tool_file_cmd+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ #assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+ *-*-mingw* )
+ case $build in
+ *-*-mingw* ) # actually msys
+ lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+ ;;
+ esac
+ ;;
+esac
+
+fi
+
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5
+$as_echo "$lt_cv_to_tool_file_cmd" >&6; }
+
+
+
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5
$as_echo_n "checking for $LD option to reload object files... " >&6; }
-if test "${lt_cv_ld_reload_flag+set}" = set; then :
+if ${lt_cv_ld_reload_flag+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_ld_reload_flag='-r'
@@ -8687,6 +8863,11 @@ case $reload_flag in
esac
reload_cmds='$LD$reload_flag -o $output$reload_objs'
case $host_os in
+ cygwin* | mingw* | pw32* | cegcc*)
+ if test "$GCC" != yes; then
+ reload_cmds=false
+ fi
+ ;;
darwin*)
if test "$GCC" = yes; then
reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
@@ -8709,7 +8890,7 @@ if test -n "$ac_tool_prefix"; then
set dummy ${ac_tool_prefix}objdump; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OBJDUMP+set}" = set; then :
+if ${ac_cv_prog_OBJDUMP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$OBJDUMP"; then
@@ -8749,7 +8930,7 @@ if test -z "$ac_cv_prog_OBJDUMP"; then
set dummy objdump; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_OBJDUMP"; then
@@ -8808,7 +8989,7 @@ test -z "$OBJDUMP" && OBJDUMP=objdump
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5
$as_echo_n "checking how to recognize dependent libraries... " >&6; }
-if test "${lt_cv_deplibs_check_method+set}" = set; then :
+if ${lt_cv_deplibs_check_method+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_file_magic_cmd='$MAGIC_CMD'
@@ -8850,16 +9031,18 @@ mingw* | pw32*)
# Base MSYS/MinGW do not provide the 'file' command needed by
# func_win32_libid shell function, so use a weaker test based on 'objdump',
# unless we find 'file', for example because we are cross-compiling.
- if ( file / ) >/dev/null 2>&1; then
+ # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
+ if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
lt_cv_file_magic_cmd='func_win32_libid'
else
- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ # Keep this pattern in sync with the one in func_win32_libid.
+ lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
lt_cv_file_magic_cmd='$OBJDUMP -f'
fi
;;
-cegcc)
+cegcc*)
# use the weaker test based on 'objdump'. See mingw*.
lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
lt_cv_file_magic_cmd='$OBJDUMP -f'
@@ -8889,6 +9072,10 @@ gnu*)
lt_cv_deplibs_check_method=pass_all
;;
+haiku*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
hpux10.20* | hpux11*)
lt_cv_file_magic_cmd=/usr/bin/file
case $host_cpu in
@@ -8897,11 +9084,11 @@ hpux10.20* | hpux11*)
lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
;;
hppa*64*)
- lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'
lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
;;
*)
- lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library'
lt_cv_file_magic_test_file=/usr/lib/libc.sl
;;
esac
@@ -8922,7 +9109,7 @@ irix5* | irix6* | nonstopux*)
lt_cv_deplibs_check_method=pass_all
;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
linux* | k*bsd*-gnu | kopensolaris*-gnu)
lt_cv_deplibs_check_method=pass_all
;;
@@ -9004,6 +9191,21 @@ esac
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5
$as_echo "$lt_cv_deplibs_check_method" >&6; }
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+ case $host_os in
+ mingw* | pw32*)
+ if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+ want_nocaseglob=yes
+ else
+ file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"`
+ fi
+ ;;
+ esac
+fi
+
file_magic_cmd=$lt_cv_file_magic_cmd
deplibs_check_method=$lt_cv_deplibs_check_method
test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -9019,12 +9221,165 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+
+
+
+
+
+
+
+
+
if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ar; ac_word=$2
+ # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dlltool; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_DLLTOOL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$DLLTOOL"; then
+ ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+DLLTOOL=$ac_cv_prog_DLLTOOL
+if test -n "$DLLTOOL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5
+$as_echo "$DLLTOOL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_DLLTOOL"; then
+ ac_ct_DLLTOOL=$DLLTOOL
+ # Extract the first word of "dlltool", so it can be a program name with args.
+set dummy dlltool; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AR+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_DLLTOOL"; then
+ ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_DLLTOOL="dlltool"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL
+if test -n "$ac_ct_DLLTOOL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5
+$as_echo "$ac_ct_DLLTOOL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_ct_DLLTOOL" = x; then
+ DLLTOOL="false"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ DLLTOOL=$ac_ct_DLLTOOL
+ fi
+else
+ DLLTOOL="$ac_cv_prog_DLLTOOL"
+fi
+
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5
+$as_echo_n "checking how to associate runtime and link libraries... " >&6; }
+if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+ # two different shell functions defined in ltmain.sh
+ # decide which to use based on capabilities of $DLLTOOL
+ case `$DLLTOOL --help 2>&1` in
+ *--identify-strict*)
+ lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+ ;;
+ *)
+ lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+ ;;
+ esac
+ ;;
+*)
+ # fallback: assume linklib IS sharedlib
+ lt_cv_sharedlib_from_linklib_cmd="$ECHO"
+ ;;
+esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5
+$as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; }
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+ for ac_prog in ar
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AR+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$AR"; then
@@ -9037,7 +9392,7 @@ do
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_AR="${ac_tool_prefix}ar"
+ ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
@@ -9057,14 +9412,18 @@ $as_echo "no" >&6; }
fi
+ test -n "$AR" && break
+ done
fi
-if test -z "$ac_cv_prog_AR"; then
+if test -z "$AR"; then
ac_ct_AR=$AR
- # Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
+ for ac_prog in ar
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then :
+if ${ac_cv_prog_ac_ct_AR+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_AR"; then
@@ -9077,7 +9436,7 @@ do
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_ac_ct_AR="ar"
+ ac_cv_prog_ac_ct_AR="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
@@ -9096,6 +9455,10 @@ else
$as_echo "no" >&6; }
fi
+
+ test -n "$ac_ct_AR" && break
+done
+
if test "x$ac_ct_AR" = x; then
AR="false"
else
@@ -9107,16 +9470,72 @@ ac_tool_warned=yes ;;
esac
AR=$ac_ct_AR
fi
-else
- AR="$ac_cv_prog_AR"
fi
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
+: ${AR=ar}
+: ${AR_FLAGS=cru}
+
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5
+$as_echo_n "checking for archiver @FILE support... " >&6; }
+if ${lt_cv_ar_at_file+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_ar_at_file=no
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ echo conftest.$ac_objext > conftest.lst
+ lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5'
+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+ (eval $lt_ar_try) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+ if test "$ac_status" -eq 0; then
+ # Ensure the archiver fails upon bogus file names.
+ rm -f conftest.$ac_objext libconftest.a
+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+ (eval $lt_ar_try) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+ if test "$ac_status" -ne 0; then
+ lt_cv_ar_at_file=@
+ fi
+ fi
+ rm -f conftest.* libconftest.a
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5
+$as_echo "$lt_cv_ar_at_file" >&6; }
+if test "x$lt_cv_ar_at_file" = xno; then
+ archiver_list_spec=
+else
+ archiver_list_spec=$lt_cv_ar_at_file
+fi
@@ -9129,7 +9548,7 @@ if test -n "$ac_tool_prefix"; then
set dummy ${ac_tool_prefix}strip; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then :
+if ${ac_cv_prog_STRIP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$STRIP"; then
@@ -9169,7 +9588,7 @@ if test -z "$ac_cv_prog_STRIP"; then
set dummy strip; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_STRIP"; then
@@ -9228,7 +9647,7 @@ if test -n "$ac_tool_prefix"; then
set dummy ${ac_tool_prefix}ranlib; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RANLIB+set}" = set; then :
+if ${ac_cv_prog_RANLIB+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$RANLIB"; then
@@ -9268,7 +9687,7 @@ if test -z "$ac_cv_prog_RANLIB"; then
set dummy ranlib; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then :
+if ${ac_cv_prog_ac_ct_RANLIB+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_RANLIB"; then
@@ -9330,15 +9749,27 @@ old_postuninstall_cmds=
if test -n "$RANLIB"; then
case $host_os in
openbsd*)
- old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
;;
*)
- old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
;;
esac
- old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
fi
+case $host_os in
+ darwin*)
+ lock_old_archive_extraction=yes ;;
+ *)
+ lock_old_archive_extraction=no ;;
+esac
+
+
+
+
+
+
@@ -9385,7 +9816,7 @@ compiler=$CC
# Check for command to grab the raw symbol name followed by C symbol from nm.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5
$as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
-if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then :
+if ${lt_cv_sys_global_symbol_pipe+:} false; then :
$as_echo_n "(cached) " >&6
else
@@ -9446,8 +9877,8 @@ esac
lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"lib\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\)[ ]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\)[ ]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"lib\2\", (void *) \&\2},/p'"
# Handle CRLF in mingw tool chain
opt_cr=
@@ -9471,6 +9902,7 @@ for ac_symprfx in "" "_"; do
# which start with @ or ?.
lt_cv_sys_global_symbol_pipe="$AWK '"\
" {last_section=section; section=\$ 3};"\
+" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
" \$ 0!~/External *\|/{next};"\
" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -9483,6 +9915,7 @@ for ac_symprfx in "" "_"; do
else
lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
fi
+ lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
# Check to see that the pipe works correctly.
pipe_works=no
@@ -9508,8 +9941,8 @@ _LT_EOF
test $ac_status = 0; }; then
# Now try to grab the symbols.
nlist=conftest.nm
- if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5
- (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
+ if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+ (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } && test -s "$nlist"; then
@@ -9524,6 +9957,18 @@ _LT_EOF
if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+ relocations are performed -- see ld's documentation on pseudo-relocs. */
+# define LT_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data. */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -9535,7 +9980,7 @@ _LT_EOF
cat <<_LT_EOF >> conftest.$ac_ext
/* The mapping between symbol names and symbols. */
-const struct {
+LT_DLSYM_CONST struct {
const char *name;
void *address;
}
@@ -9561,8 +10006,8 @@ static const void *lt_preloaded_setup() {
_LT_EOF
# Now try linking the two files.
mv conftest.$ac_objext conftstm.$ac_objext
- lt_save_LIBS="$LIBS"
- lt_save_CFLAGS="$CFLAGS"
+ lt_globsym_save_LIBS=$LIBS
+ lt_globsym_save_CFLAGS=$CFLAGS
LIBS="conftstm.$ac_objext"
CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
@@ -9572,8 +10017,8 @@ _LT_EOF
test $ac_status = 0; } && test -s conftest${ac_exeext}; then
pipe_works=yes
fi
- LIBS="$lt_save_LIBS"
- CFLAGS="$lt_save_CFLAGS"
+ LIBS=$lt_globsym_save_LIBS
+ CFLAGS=$lt_globsym_save_CFLAGS
else
echo "cannot find nm_test_func in $nlist" >&5
fi
@@ -9610,6 +10055,27 @@ else
$as_echo "ok" >&6; }
fi
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+ nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then
+ nm_file_list_spec='@'
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -9622,10 +10088,38 @@ fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5
+$as_echo_n "checking for sysroot... " >&6; }
+# Check whether --with-sysroot was given.
+if test "${with_sysroot+set}" = set; then :
+ withval=$with_sysroot;
+else
+ with_sysroot=no
+fi
+lt_sysroot=
+case ${with_sysroot} in #(
+ yes)
+ if test "$GCC" = yes; then
+ lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+ fi
+ ;; #(
+ /*)
+ lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+ ;; #(
+ no|'')
+ ;; #(
+ *)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${with_sysroot}" >&5
+$as_echo "${with_sysroot}" >&6; }
+ as_fn_error $? "The sysroot must be an absolute path." "$LINENO" 5
+ ;;
+esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5
+$as_echo "${lt_sysroot:-no}" >&6; }
@@ -9662,7 +10156,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 9665 "configure"' > conftest.$ac_ext
+ echo '#line '$LINENO' "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -9756,7 +10250,7 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
CFLAGS="$CFLAGS -belf"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5
$as_echo_n "checking whether the C compiler needs -belf... " >&6; }
-if test "${lt_cv_cc_needs_belf+set}" = set; then :
+if ${lt_cv_cc_needs_belf+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_ext=c
@@ -9797,7 +10291,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
CFLAGS="$SAVE_CFLAGS"
fi
;;
-sparc*-*solaris*)
+*-*solaris*)
# Find out which ABI we are using.
echo 'int i;' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
@@ -9808,7 +10302,20 @@ sparc*-*solaris*)
case `/usr/bin/file conftest.o` in
*64-bit*)
case $lt_cv_prog_gnu_ld in
- yes*) LD="${LD-ld} -m elf64_sparc" ;;
+ yes*)
+ case $host in
+ i?86-*-solaris*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ sparc*-*-solaris*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ # GNU ld 2.21 introduced _sol2 emulations. Use them if available.
+ if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+ LD="${LD-ld}_sol2"
+ fi
+ ;;
*)
if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
LD="${LD-ld} -64"
@@ -9824,6 +10331,123 @@ esac
need_locks="$enable_libtool_lock"
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args.
+set dummy ${ac_tool_prefix}mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_MANIFEST_TOOL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$MANIFEST_TOOL"; then
+ ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL
+if test -n "$MANIFEST_TOOL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5
+$as_echo "$MANIFEST_TOOL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_MANIFEST_TOOL"; then
+ ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL
+ # Extract the first word of "mt", so it can be a program name with args.
+set dummy mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_MANIFEST_TOOL"; then
+ ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL
+if test -n "$ac_ct_MANIFEST_TOOL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5
+$as_echo "$ac_ct_MANIFEST_TOOL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_ct_MANIFEST_TOOL" = x; then
+ MANIFEST_TOOL=":"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL
+ fi
+else
+ MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL"
+fi
+
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5
+$as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; }
+if ${lt_cv_path_mainfest_tool+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_path_mainfest_tool=no
+ echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5
+ $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+ cat conftest.err >&5
+ if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+ lt_cv_path_mainfest_tool=yes
+ fi
+ rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5
+$as_echo "$lt_cv_path_mainfest_tool" >&6; }
+if test "x$lt_cv_path_mainfest_tool" != xyes; then
+ MANIFEST_TOOL=:
+fi
+
+
+
+
+
case $host_os in
rhapsody* | darwin*)
@@ -9832,7 +10456,7 @@ need_locks="$enable_libtool_lock"
set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DSYMUTIL+set}" = set; then :
+if ${ac_cv_prog_DSYMUTIL+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$DSYMUTIL"; then
@@ -9872,7 +10496,7 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then
set dummy dsymutil; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_DSYMUTIL"; then
@@ -9924,7 +10548,7 @@ fi
set dummy ${ac_tool_prefix}nmedit; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_NMEDIT+set}" = set; then :
+if ${ac_cv_prog_NMEDIT+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$NMEDIT"; then
@@ -9964,7 +10588,7 @@ if test -z "$ac_cv_prog_NMEDIT"; then
set dummy nmedit; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then :
+if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_NMEDIT"; then
@@ -10016,7 +10640,7 @@ fi
set dummy ${ac_tool_prefix}lipo; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LIPO+set}" = set; then :
+if ${ac_cv_prog_LIPO+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$LIPO"; then
@@ -10056,7 +10680,7 @@ if test -z "$ac_cv_prog_LIPO"; then
set dummy lipo; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then :
+if ${ac_cv_prog_ac_ct_LIPO+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_LIPO"; then
@@ -10108,7 +10732,7 @@ fi
set dummy ${ac_tool_prefix}otool; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL+set}" = set; then :
+if ${ac_cv_prog_OTOOL+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$OTOOL"; then
@@ -10148,7 +10772,7 @@ if test -z "$ac_cv_prog_OTOOL"; then
set dummy otool; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OTOOL+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_OTOOL"; then
@@ -10200,7 +10824,7 @@ fi
set dummy ${ac_tool_prefix}otool64; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL64+set}" = set; then :
+if ${ac_cv_prog_OTOOL64+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$OTOOL64"; then
@@ -10240,7 +10864,7 @@ if test -z "$ac_cv_prog_OTOOL64"; then
set dummy otool64; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_OTOOL64"; then
@@ -10315,7 +10939,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5
$as_echo_n "checking for -single_module linker flag... " >&6; }
-if test "${lt_cv_apple_cc_single_mod+set}" = set; then :
+if ${lt_cv_apple_cc_single_mod+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_apple_cc_single_mod=no
@@ -10331,7 +10955,13 @@ else
$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-dynamiclib -Wl,-single_module conftest.c 2>conftest.err
_lt_result=$?
- if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+ # If there is a non-empty error log, and "single_module"
+ # appears in it, assume the flag caused a linker warning
+ if test -s conftest.err && $GREP single_module conftest.err; then
+ cat conftest.err >&5
+ # Otherwise, if the output was created with a 0 exit code from
+ # the compiler, it worked.
+ elif test -f libconftest.dylib && test $_lt_result -eq 0; then
lt_cv_apple_cc_single_mod=yes
else
cat conftest.err >&5
@@ -10342,9 +10972,10 @@ else
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
$as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
$as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
-if test "${lt_cv_ld_exported_symbols_list+set}" = set; then :
+if ${lt_cv_ld_exported_symbols_list+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_ld_exported_symbols_list=no
@@ -10374,6 +11005,41 @@ rm -f core conftest.err conftest.$ac_objext \
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
$as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
+$as_echo_n "checking for -force_load linker flag... " >&6; }
+if ${lt_cv_ld_force_load+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_ld_force_load=no
+ cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+ echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
+ $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
+ echo "$AR cru libconftest.a conftest.o" >&5
+ $AR cru libconftest.a conftest.o 2>&5
+ echo "$RANLIB libconftest.a" >&5
+ $RANLIB libconftest.a 2>&5
+ cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+ echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
+ $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+ _lt_result=$?
+ if test -s conftest.err && $GREP force_load conftest.err; then
+ cat conftest.err >&5
+ elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
+ lt_cv_ld_force_load=yes
+ else
+ cat conftest.err >&5
+ fi
+ rm -f conftest.err libconftest.a conftest conftest.c
+ rm -rf conftest.dSYM
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5
+$as_echo "$lt_cv_ld_force_load" >&6; }
case $host_os in
rhapsody* | darwin1.[012])
_lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -10401,7 +11067,7 @@ $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
else
_lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
fi
- if test "$DSYMUTIL" != ":"; then
+ if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
_lt_dsymutil='~$DSYMUTIL $lib || :'
else
_lt_dsymutil=
@@ -10413,7 +11079,7 @@ for ac_header in dlfcn.h
do :
ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default
"
-if test "x$ac_cv_header_dlfcn_h" = x""yes; then :
+if test "x$ac_cv_header_dlfcn_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_DLFCN_H 1
_ACEOF
@@ -10424,6 +11090,8 @@ done
+
+
# Set options
@@ -10499,7 +11167,22 @@ fi
# Check whether --with-pic was given.
if test "${with_pic+set}" = set; then :
- withval=$with_pic; pic_mode="$withval"
+ withval=$with_pic; lt_p=${PACKAGE-default}
+ case $withval in
+ yes|no) pic_mode=$withval ;;
+ *)
+ pic_mode=default
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for lt_pkg in $withval; do
+ IFS="$lt_save_ifs"
+ if test "X$lt_pkg" = "X$lt_p"; then
+ pic_mode=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
else
pic_mode=default
fi
@@ -10576,6 +11259,11 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+
+
+
+
test -z "$LN_S" && LN_S="ln -s"
@@ -10597,7 +11285,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5
$as_echo_n "checking for objdir... " >&6; }
-if test "${lt_cv_objdir+set}" = set; then :
+if ${lt_cv_objdir+:} false; then :
$as_echo_n "(cached) " >&6
else
rm -f .libs 2>/dev/null
@@ -10625,19 +11313,6 @@ _ACEOF
-
-
-
-
-
-
-
-
-
-
-
-
-
case $host_os in
aix3*)
# AIX sometimes has problems with the GCC collect2 program. For some
@@ -10650,23 +11325,6 @@ aix3*)
;;
esac
-# Sed substitution that helps us do robust quoting. It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\(["`\\]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
# Global variables:
ofile=libtool
can_build_shared=yes
@@ -10695,7 +11353,7 @@ for cc_temp in $compiler""; do
*) break;;
esac
done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
# Only perform the check for file, if the check method requires it
@@ -10705,7 +11363,7 @@ file_magic*)
if test "$file_magic_cmd" = '$MAGIC_CMD'; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5
$as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
$as_echo_n "(cached) " >&6
else
case $MAGIC_CMD in
@@ -10771,7 +11429,7 @@ if test -z "$lt_cv_path_MAGIC_CMD"; then
if test -n "$ac_tool_prefix"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5
$as_echo_n "checking for file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
$as_echo_n "(cached) " >&6
else
case $MAGIC_CMD in
@@ -10904,11 +11562,16 @@ if test -n "$compiler"; then
lt_prog_compiler_no_builtin_flag=
if test "$GCC" = yes; then
- lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+ case $cc_basename in
+ nvcc*)
+ lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;;
+ *)
+ lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;;
+ esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then :
+if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_prog_compiler_rtti_exceptions=no
@@ -10924,15 +11587,15 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10927: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10931: \$? = $ac_status" >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
- $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
lt_cv_prog_compiler_rtti_exceptions=yes
@@ -10961,8 +11624,6 @@ fi
lt_prog_compiler_pic=
lt_prog_compiler_static=
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
if test "$GCC" = yes; then
lt_prog_compiler_wl='-Wl,'
@@ -11010,6 +11671,12 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
lt_prog_compiler_pic='-fno-common'
;;
+ haiku*)
+ # PIC is the default for Haiku.
+ # The "-static" flag exists, but is broken.
+ lt_prog_compiler_static=
+ ;;
+
hpux*)
# PIC is the default for 64-bit PA HP-UX, but not for 32-bit
# PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag
@@ -11052,6 +11719,15 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
lt_prog_compiler_pic='-fPIC'
;;
esac
+
+ case $cc_basename in
+ nvcc*) # Cuda Compiler Driver 2.2
+ lt_prog_compiler_wl='-Xlinker '
+ if test -n "$lt_prog_compiler_pic"; then
+ lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
+ fi
+ ;;
+ esac
else
# PORTME Check for flag to pass linker flags through the system compiler.
case $host_os in
@@ -11114,7 +11790,13 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
lt_prog_compiler_pic='--shared'
lt_prog_compiler_static='--static'
;;
- pgcc* | pgf77* | pgf90* | pgf95*)
+ nagfor*)
+ # NAG Fortran compiler
+ lt_prog_compiler_wl='-Wl,-Wl,,'
+ lt_prog_compiler_pic='-PIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+ pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
# Portland Group compilers (*not* the Pentium gcc compiler,
# which looks to be a dead project)
lt_prog_compiler_wl='-Wl,'
@@ -11126,25 +11808,40 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
# All Alpha code is PIC.
lt_prog_compiler_static='-non_shared'
;;
- xl*)
- # IBM XL C 8.0/Fortran 10.1 on PPC
+ xl* | bgxl* | bgf* | mpixl*)
+ # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
lt_prog_compiler_wl='-Wl,'
lt_prog_compiler_pic='-qpic'
lt_prog_compiler_static='-qstaticlink'
;;
*)
case `$CC -V 2>&1 | sed 5q` in
+ *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
+ # Sun Fortran 8.3 passes all unrecognized flags to the linker
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ lt_prog_compiler_wl=''
+ ;;
+ *Sun\ F* | *Sun*Fortran*)
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ lt_prog_compiler_wl='-Qoption ld '
+ ;;
*Sun\ C*)
# Sun C 5.9
lt_prog_compiler_pic='-KPIC'
lt_prog_compiler_static='-Bstatic'
lt_prog_compiler_wl='-Wl,'
;;
- *Sun\ F*)
- # Sun Fortran 8.3 passes all unrecognized flags to the linker
- lt_prog_compiler_pic='-KPIC'
+ *Intel*\ [CF]*Compiler*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-fPIC'
+ lt_prog_compiler_static='-static'
+ ;;
+ *Portland\ Group*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-fpic'
lt_prog_compiler_static='-Bstatic'
- lt_prog_compiler_wl=''
;;
esac
;;
@@ -11176,7 +11873,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
lt_prog_compiler_pic='-KPIC'
lt_prog_compiler_static='-Bstatic'
case $cc_basename in
- f77* | f90* | f95*)
+ f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
lt_prog_compiler_wl='-Qoption ld ';;
*)
lt_prog_compiler_wl='-Wl,';;
@@ -11233,13 +11930,17 @@ case $host_os in
lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
;;
esac
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5
-$as_echo "$lt_prog_compiler_pic" >&6; }
-
-
-
-
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
+$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+if ${lt_cv_prog_compiler_pic+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_prog_compiler_pic=$lt_prog_compiler_pic
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5
+$as_echo "$lt_cv_prog_compiler_pic" >&6; }
+lt_prog_compiler_pic=$lt_cv_prog_compiler_pic
#
# Check to make sure the PIC flag actually works.
@@ -11247,7 +11948,7 @@ $as_echo "$lt_prog_compiler_pic" >&6; }
if test -n "$lt_prog_compiler_pic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
-if test "${lt_cv_prog_compiler_pic_works+set}" = set; then :
+if ${lt_cv_prog_compiler_pic_works+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_prog_compiler_pic_works=no
@@ -11263,15 +11964,15 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:11266: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:11270: \$? = $ac_status" >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
- $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
lt_cv_prog_compiler_pic_works=yes
@@ -11300,13 +12001,18 @@ fi
+
+
+
+
+
#
# Check to make sure the static flag actually works.
#
wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5
$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
-if test "${lt_cv_prog_compiler_static_works+set}" = set; then :
+if ${lt_cv_prog_compiler_static_works+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_prog_compiler_static_works=no
@@ -11319,7 +12025,7 @@ else
if test -s conftest.err; then
# Append any errors to the config.log.
cat conftest.err 1>&5
- $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if diff conftest.exp conftest.er2 >/dev/null; then
lt_cv_prog_compiler_static_works=yes
@@ -11349,7 +12055,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
+if ${lt_cv_prog_compiler_c_o+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_prog_compiler_c_o=no
@@ -11368,16 +12074,16 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:11371: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:11375: \$? = $ac_status" >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
- $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
$SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
lt_cv_prog_compiler_c_o=yes
@@ -11404,7 +12110,7 @@ $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
+if ${lt_cv_prog_compiler_c_o+:} false; then :
$as_echo_n "(cached) " >&6
else
lt_cv_prog_compiler_c_o=no
@@ -11423,16 +12129,16 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:11426: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:11430: \$? = $ac_status" >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
- $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
$SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
lt_cv_prog_compiler_c_o=yes
@@ -11498,7 +12204,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
hardcode_direct=no
hardcode_direct_absolute=no
hardcode_libdir_flag_spec=
- hardcode_libdir_flag_spec_ld=
hardcode_libdir_separator=
hardcode_minus_L=no
hardcode_shlibpath_var=unsupported
@@ -11542,13 +12247,39 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
openbsd*)
with_gnu_ld=no
;;
- linux* | k*bsd*-gnu)
+ linux* | k*bsd*-gnu | gnu*)
link_all_deplibs=no
;;
esac
ld_shlibs=yes
+
+ # On some targets, GNU ld is compatible enough with the native linker
+ # that we're better off using the native interface for both.
+ lt_use_gnu_ld_interface=no
if test "$with_gnu_ld" = yes; then
+ case $host_os in
+ aix*)
+ # The AIX port of GNU ld has always aspired to compatibility
+ # with the native linker. However, as the warning in the GNU ld
+ # block says, versions before 2.19.5* couldn't really create working
+ # shared libraries, regardless of the interface used.
+ case `$LD -v 2>&1` in
+ *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+ *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;;
+ *\ \(GNU\ Binutils\)\ [3-9]*) ;;
+ *)
+ lt_use_gnu_ld_interface=yes
+ ;;
+ esac
+ ;;
+ *)
+ lt_use_gnu_ld_interface=yes
+ ;;
+ esac
+ fi
+
+ if test "$lt_use_gnu_ld_interface" = yes; then
# If archive_cmds runs LD, not CC, wlarc should be empty
wlarc='${wl}'
@@ -11582,11 +12313,12 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
ld_shlibs=no
cat <<_LT_EOF 1>&2
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** Warning: the GNU linker, at least up to release 2.19, is reported
*** to be unable to reliably create shared libraries on AIX.
*** Therefore, libtool is disabling shared libraries support. If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
_LT_EOF
fi
@@ -11622,10 +12354,12 @@ _LT_EOF
# _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
# as there is no search path for DLLs.
hardcode_libdir_flag_spec='-L$libdir'
+ export_dynamic_flag_spec='${wl}--export-all-symbols'
allow_undefined_flag=unsupported
always_export_symbols=no
enable_shared_with_static_runtimes=yes
- export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols'
+ exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'
if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -11643,6 +12377,11 @@ _LT_EOF
fi
;;
+ haiku*)
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ link_all_deplibs=yes
+ ;;
+
interix[3-9]*)
hardcode_direct=no
hardcode_shlibpath_var=no
@@ -11668,15 +12407,16 @@ _LT_EOF
if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
&& test "$tmp_diet" = no
then
- tmp_addflag=
+ tmp_addflag=' $pic_flag'
tmp_sharedflag='-shared'
case $cc_basename,$host_cpu in
pgcc*) # Portland Group C compiler
- whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
tmp_addflag=' $pic_flag'
;;
- pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers
- whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ pgf77* | pgf90* | pgf95* | pgfortran*)
+ # Portland Group f77 and f90 compilers
+ whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
tmp_addflag=' $pic_flag -Mnomain' ;;
ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64
tmp_addflag=' -i_dynamic' ;;
@@ -11687,13 +12427,17 @@ _LT_EOF
lf95*) # Lahey Fortran 8.1
whole_archive_flag_spec=
tmp_sharedflag='--shared' ;;
- xl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below)
+ xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below)
tmp_sharedflag='-qmkshrobj'
tmp_addflag= ;;
+ nvcc*) # Cuda Compiler Driver 2.2
+ whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
+ compiler_needs_object=yes
+ ;;
esac
case `$CC -V 2>&1 | sed 5q` in
*Sun\ C*) # Sun C 5.9
- whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
compiler_needs_object=yes
tmp_sharedflag='-G' ;;
*Sun\ F*) # Sun Fortran 8.3
@@ -11709,17 +12453,16 @@ _LT_EOF
fi
case $cc_basename in
- xlf*)
+ xlf* | bgf* | bgxlf* | mpixlf*)
# IBM XL Fortran 10.1 on PPC cannot create shared libs itself
whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
- hardcode_libdir_flag_spec=
- hardcode_libdir_flag_spec_ld='-rpath $libdir'
- archive_cmds='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
if test "x$supports_anon_versioning" = xyes; then
archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
echo "local: *; };" >> $output_objdir/$libname.ver~
- $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+ $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
fi
;;
esac
@@ -11733,8 +12476,8 @@ _LT_EOF
archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
wlarc=
else
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
fi
;;
@@ -11752,8 +12495,8 @@ _LT_EOF
_LT_EOF
elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
else
ld_shlibs=no
fi
@@ -11799,8 +12542,8 @@ _LT_EOF
*)
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
else
ld_shlibs=no
fi
@@ -11840,8 +12583,10 @@ _LT_EOF
else
# If we're using GNU nm, then we don't want the "-C" option.
# -C means demangle to AIX nm, but means don't demangle with GNU nm
+ # Also, AIX nm treats weak defined symbols like other global
+ # defined symbols, whereas GNU nm marks them as "W".
if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
- export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+ export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
else
export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
fi
@@ -11929,7 +12674,13 @@ _LT_EOF
allow_undefined_flag='-berok'
# Determine the default libpath from the value encoded in an
# empty executable.
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ if test "${lt_cv_aix_libpath+set}" = set; then
+ aix_libpath=$lt_cv_aix_libpath
+else
+ if ${lt_cv_aix_libpath_+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
@@ -11942,25 +12693,32 @@ main ()
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
-lt_aix_libpath_sed='
- /Import File Strings/,/^$/ {
- /^0/ {
- s/^0 *\(.*\)$/\1/
- p
- }
- }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
- aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+ lt_aix_libpath_sed='
+ /Import File Strings/,/^$/ {
+ /^0/ {
+ s/^0 *\([^ ]*\) *$/\1/
+ p
+ }
+ }'
+ lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+ # Check for a 64-bit object if we didn't find anything.
+ if test -z "$lt_cv_aix_libpath_"; then
+ lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+ fi
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ if test -z "$lt_cv_aix_libpath_"; then
+ lt_cv_aix_libpath_="/usr/lib:/lib"
+ fi
+
+fi
+
+ aix_libpath=$lt_cv_aix_libpath_
+fi
hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
- archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
else
if test "$host_cpu" = ia64; then
hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
@@ -11969,7 +12727,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
else
# Determine the default libpath from the value encoded in an
# empty executable.
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ if test "${lt_cv_aix_libpath+set}" = set; then
+ aix_libpath=$lt_cv_aix_libpath
+else
+ if ${lt_cv_aix_libpath_+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
@@ -11982,30 +12746,42 @@ main ()
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
-lt_aix_libpath_sed='
- /Import File Strings/,/^$/ {
- /^0/ {
- s/^0 *\(.*\)$/\1/
- p
- }
- }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
- aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+ lt_aix_libpath_sed='
+ /Import File Strings/,/^$/ {
+ /^0/ {
+ s/^0 *\([^ ]*\) *$/\1/
+ p
+ }
+ }'
+ lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+ # Check for a 64-bit object if we didn't find anything.
+ if test -z "$lt_cv_aix_libpath_"; then
+ lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+ fi
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ if test -z "$lt_cv_aix_libpath_"; then
+ lt_cv_aix_libpath_="/usr/lib:/lib"
+ fi
+
+fi
+
+ aix_libpath=$lt_cv_aix_libpath_
+fi
hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
# Warning - without using the other run time loading flags,
# -berok will link without error, but may produce a broken library.
no_undefined_flag=' ${wl}-bernotok'
allow_undefined_flag=' ${wl}-berok'
- # Exported symbols can be pulled into shared objects from archives
- whole_archive_flag_spec='$convenience'
+ if test "$with_gnu_ld" = yes; then
+ # We only use this code for GNU lds that support --whole-archive.
+ whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ else
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec='$convenience'
+ fi
archive_cmds_need_lc=yes
# This is similar to how AIX traditionally builds its shared libraries.
archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
@@ -12037,20 +12813,64 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
# Microsoft Visual C++.
# hardcode_libdir_flag_spec is actually meaningless, as there is
# no search path for DLLs.
- hardcode_libdir_flag_spec=' '
- allow_undefined_flag=unsupported
- # Tell ltmain to make .lib files, not .a files.
- libext=lib
- # Tell ltmain to make .dll files, not .so files.
- shrext_cmds=".dll"
- # FIXME: Setting linknames here is a bad hack.
- archive_cmds='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
- # The linker will automatically build a .lib file if we build a DLL.
- old_archive_from_new_cmds='true'
- # FIXME: Should let the user specify the lib program.
- old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
- fix_srcfile_path='`cygpath -w "$srcfile"`'
- enable_shared_with_static_runtimes=yes
+ case $cc_basename in
+ cl*)
+ # Native MSVC
+ hardcode_libdir_flag_spec=' '
+ allow_undefined_flag=unsupported
+ always_export_symbols=yes
+ file_list_spec='@'
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+ archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+ else
+ sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+ fi~
+ $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+ linknames='
+ # The linker will not automatically build a static lib if we build a DLL.
+ # _LT_TAGVAR(old_archive_from_new_cmds, )='true'
+ enable_shared_with_static_runtimes=yes
+ exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+ # Don't use ranlib
+ old_postinstall_cmds='chmod 644 $oldlib'
+ postlink_cmds='lt_outputfile="@OUTPUT@"~
+ lt_tool_outputfile="@TOOL_OUTPUT@"~
+ case $lt_outputfile in
+ *.exe|*.EXE) ;;
+ *)
+ lt_outputfile="$lt_outputfile.exe"
+ lt_tool_outputfile="$lt_tool_outputfile.exe"
+ ;;
+ esac~
+ if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+ $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+ $RM "$lt_outputfile.manifest";
+ fi'
+ ;;
+ *)
+ # Assume MSVC wrapper
+ hardcode_libdir_flag_spec=' '
+ allow_undefined_flag=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_from_new_cmds='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
+ enable_shared_with_static_runtimes=yes
+ ;;
+ esac
;;
darwin* | rhapsody*)
@@ -12060,7 +12880,12 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
hardcode_direct=no
hardcode_automatic=yes
hardcode_shlibpath_var=unsupported
- whole_archive_flag_spec=''
+ if test "$lt_cv_ld_force_load" = "yes"; then
+ whole_archive_flag_spec='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+
+ else
+ whole_archive_flag_spec=''
+ fi
link_all_deplibs=yes
allow_undefined_flag="$_lt_dar_allow_undefined"
case $cc_basename in
@@ -12068,7 +12893,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
*) _lt_dar_can_shared=$GCC ;;
esac
if test "$_lt_dar_can_shared" = "yes"; then
- output_verbose_link_cmd=echo
+ output_verbose_link_cmd=func_echo_all
archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
@@ -12086,10 +12911,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
hardcode_shlibpath_var=no
;;
- freebsd1*)
- ld_shlibs=no
- ;;
-
# FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
# support. Future versions do this automatically, but an explicit c++rt0.o
# does not break anything, and helps significantly (at the cost of a little
@@ -12102,7 +12923,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
;;
# Unfortunately, older versions of FreeBSD 2 do not have this feature.
- freebsd2*)
+ freebsd2.*)
archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
hardcode_direct=yes
hardcode_minus_L=yes
@@ -12111,7 +12932,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly*)
- archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
hardcode_libdir_flag_spec='-R$libdir'
hardcode_direct=yes
hardcode_shlibpath_var=no
@@ -12119,7 +12940,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
hpux9*)
if test "$GCC" = yes; then
- archive_cmds='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
else
archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
fi
@@ -12134,14 +12955,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
;;
hpux10*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
- archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ if test "$GCC" = yes && test "$with_gnu_ld" = no; then
+ archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
else
archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
fi
if test "$with_gnu_ld" = no; then
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
- hardcode_libdir_flag_spec_ld='+b $libdir'
hardcode_libdir_separator=:
hardcode_direct=yes
hardcode_direct_absolute=yes
@@ -12153,16 +12973,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
;;
hpux11*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ if test "$GCC" = yes && test "$with_gnu_ld" = no; then
case $host_cpu in
hppa*64*)
archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
;;
ia64*)
- archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
;;
*)
- archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
;;
esac
else
@@ -12174,7 +12994,46 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
;;
*)
- archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+
+ # Older versions of the 11.00 compiler do not understand -b yet
+ # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5
+$as_echo_n "checking if $CC understands -b... " >&6; }
+if ${lt_cv_prog_compiler__b+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_prog_compiler__b=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -b"
+ echo "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The linker can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&5
+ $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if diff conftest.exp conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler__b=yes
+ fi
+ else
+ lt_cv_prog_compiler__b=yes
+ fi
+ fi
+ $RM -r conftest*
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5
+$as_echo "$lt_cv_prog_compiler__b" >&6; }
+
+if test x"$lt_cv_prog_compiler__b" = xyes; then
+ archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+else
+ archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+fi
+
;;
esac
fi
@@ -12202,26 +13061,39 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
irix5* | irix6* | nonstopux*)
if test "$GCC" = yes; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
# Try to use the -exported_symbol ld option, if it does not
# work, assume that -exports_file does not work either and
# implicitly export all symbols.
- save_LDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ # This should be the same for all languages, so no per-tag cache variable.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5
+$as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; }
+if ${lt_cv_irix_exported_symbol+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-int foo(void) {}
+int foo (void) { return 0; }
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-
+ lt_cv_irix_exported_symbol=yes
+else
+ lt_cv_irix_exported_symbol=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- LDFLAGS="$save_LDFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5
+$as_echo "$lt_cv_irix_exported_symbol" >&6; }
+ if test "$lt_cv_irix_exported_symbol" = yes; then
+ archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+ fi
else
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
fi
archive_cmds_need_lc='no'
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
@@ -12283,17 +13155,17 @@ rm -f core conftest.err conftest.$ac_objext \
hardcode_libdir_flag_spec='-L$libdir'
hardcode_minus_L=yes
allow_undefined_flag=unsupported
- archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
;;
osf3*)
if test "$GCC" = yes; then
allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
else
allow_undefined_flag=' -expect_unresolved \*'
- archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
fi
archive_cmds_need_lc='no'
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
@@ -12303,13 +13175,13 @@ rm -f core conftest.err conftest.$ac_objext \
osf4* | osf5*) # as osf3* with the addition of -msym flag
if test "$GCC" = yes; then
allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ archive_cmds='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
else
allow_undefined_flag=' -expect_unresolved \*'
- archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
- $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+ $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
# Both c and cxx compiler support -rpath directly
hardcode_libdir_flag_spec='-rpath $libdir'
@@ -12322,9 +13194,9 @@ rm -f core conftest.err conftest.$ac_objext \
no_undefined_flag=' -z defs'
if test "$GCC" = yes; then
wlarc='${wl}'
- archive_cmds='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_cmds='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
- $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+ $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
else
case `$CC -V 2>&1` in
*"Compilers 5.0"*)
@@ -12512,44 +13384,50 @@ x|xyes)
# to ld, don't add -lc before -lgcc.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5
$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
- $RM conftest*
- echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+if ${lt_cv_archive_cmds_need_lc+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ $RM conftest*
+ echo "$lt_simple_compile_test_code" > conftest.$ac_ext
- if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+ if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$lt_prog_compiler_wl
- pic_flag=$lt_prog_compiler_pic
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$allow_undefined_flag
- allow_undefined_flag=
- if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl
+ pic_flag=$lt_prog_compiler_pic
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag
+ allow_undefined_flag=
+ if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
(eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
- then
- archive_cmds_need_lc=no
- else
- archive_cmds_need_lc=yes
- fi
- allow_undefined_flag=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $RM conftest*
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5
-$as_echo "$archive_cmds_need_lc" >&6; }
+ then
+ lt_cv_archive_cmds_need_lc=no
+ else
+ lt_cv_archive_cmds_need_lc=yes
+ fi
+ allow_undefined_flag=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5
+$as_echo "$lt_cv_archive_cmds_need_lc" >&6; }
+ archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc
;;
esac
fi
@@ -12707,11 +13585,6 @@ esac
-
-
-
-
-
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5
$as_echo_n "checking dynamic linker characteristics... " >&6; }
@@ -12720,16 +13593,23 @@ if test "$GCC" = yes; then
darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
*) lt_awk_arg="/^libraries:/" ;;
esac
- lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+ case $host_os in
+ mingw* | cegcc*) lt_sed_strip_eq="s,=\([A-Za-z]:\),\1,g" ;;
+ *) lt_sed_strip_eq="s,=/,/,g" ;;
+ esac
+ lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+ case $lt_search_path_spec in
+ *\;*)
# if the path contains ";" then we assume it to be the separator
# otherwise default to the standard path separator (i.e. ":") - it is
# assumed that no part of a normal pathname contains ";" but that should
# okay in the real world where ";" in dirpaths is itself problematic.
- lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
- else
- lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
+ lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+ ;;
+ *)
+ lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+ ;;
+ esac
# Ok, now we have the path, separated by spaces, we can step through it
# and add multilib dir if necessary.
lt_tmp_lt_search_path_spec=
@@ -12742,7 +13622,7 @@ if test "$GCC" = yes; then
lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
fi
done
- lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+ lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
BEGIN {RS=" "; FS="/|\n";} {
lt_foo="";
lt_count=0;
@@ -12762,7 +13642,13 @@ BEGIN {RS=" "; FS="/|\n";} {
if (lt_foo != "") { lt_freq[lt_foo]++; }
if (lt_freq[lt_foo] == 1) { print lt_foo; }
}'`
- sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+ # AWK program above erroneously prepends '/' to C:/dos/paths
+ # for these hosts.
+ case $host_os in
+ mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+ $SED 's,/\([A-Za-z]:\),\1,g'` ;;
+ esac
+ sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
else
sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
fi
@@ -12788,7 +13674,7 @@ need_version=unknown
case $host_os in
aix3*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
shlibpath_var=LIBPATH
@@ -12797,7 +13683,7 @@ aix3*)
;;
aix[4-9]*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
hardcode_into_libs=yes
@@ -12850,7 +13736,7 @@ amigaos*)
m68k)
library_names_spec='$libname.ixlibrary $libname.a'
# Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
;;
esac
;;
@@ -12862,7 +13748,7 @@ beos*)
;;
bsdi[45]*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
@@ -12881,8 +13767,9 @@ cygwin* | mingw* | pw32* | cegcc*)
need_version=no
need_lib_prefix=no
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+ case $GCC,$cc_basename in
+ yes,*)
+ # gcc
library_names_spec='$libname.dll.a'
# DLL is installed to $(libdir)/../bin by postinstall_cmds
postinstall_cmds='base_file=`basename \${file}`~
@@ -12903,36 +13790,83 @@ cygwin* | mingw* | pw32* | cegcc*)
cygwin*)
# Cygwin DLLs use 'cyg' prefix rather than 'lib'
soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"
;;
mingw* | cegcc*)
# MinGW DLLs use traditional 'lib' prefix
soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
;;
pw32*)
# pw32 DLLs use 'pw' prefix rather than 'lib'
library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
;;
esac
+ dynamic_linker='Win32 ld.exe'
+ ;;
+
+ *,cl*)
+ # Native MSVC
+ libname_spec='$name'
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ library_names_spec='${libname}.dll.lib'
+
+ case $build_os in
+ mingw*)
+ sys_lib_search_path_spec=
+ lt_save_ifs=$IFS
+ IFS=';'
+ for lt_path in $LIB
+ do
+ IFS=$lt_save_ifs
+ # Let DOS variable expansion print the short 8.3 style file name.
+ lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+ sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+ done
+ IFS=$lt_save_ifs
+ # Convert to MSYS style.
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'`
+ ;;
+ cygwin*)
+ # Convert to unix form, then to dos form, then back to unix form
+ # but this time dos style (no spaces!) so that the unix form looks
+ # like /cygdrive/c/PROGRA~1:/cygdr...
+ sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+ sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+ sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ ;;
+ *)
+ sys_lib_search_path_spec="$LIB"
+ if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH.
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ # FIXME: find the short name or the path components, as spaces are
+ # common. (e.g. "Program Files" -> "PROGRA~1")
+ ;;
+ esac
+
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $RM \$dlpath'
+ shlibpath_overrides_runpath=yes
+ dynamic_linker='Win32 link.exe'
;;
*)
+ # Assume MSVC wrapper
library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ dynamic_linker='Win32 ld.exe'
;;
esac
- dynamic_linker='Win32 ld.exe'
# FIXME: first we should search . and the directory the executable is in
shlibpath_var=PATH
;;
@@ -12953,7 +13887,7 @@ darwin* | rhapsody*)
;;
dgux*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -12961,10 +13895,6 @@ dgux*)
shlibpath_var=LD_LIBRARY_PATH
;;
-freebsd1*)
- dynamic_linker=no
- ;;
-
freebsd* | dragonfly*)
# DragonFly does not have aout. When/if they implement a new
# versioning mechanism, adjust this.
@@ -12972,7 +13902,7 @@ freebsd* | dragonfly*)
objformat=`/usr/bin/objformat`
else
case $host_os in
- freebsd[123]*) objformat=aout ;;
+ freebsd[23].*) objformat=aout ;;
*) objformat=elf ;;
esac
fi
@@ -12990,7 +13920,7 @@ freebsd* | dragonfly*)
esac
shlibpath_var=LD_LIBRARY_PATH
case $host_os in
- freebsd2*)
+ freebsd2.*)
shlibpath_overrides_runpath=yes
;;
freebsd3.[01]* | freebsdelf3.[01]*)
@@ -13010,12 +13940,26 @@ freebsd* | dragonfly*)
;;
gnu*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+haiku*)
+ version_type=linux # correct to gnu/linux during the next big refactor
+ need_lib_prefix=no
+ need_version=no
+ dynamic_linker="$host_os runtime_loader"
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
hardcode_into_libs=yes
;;
@@ -13061,12 +14005,14 @@ hpux9* | hpux10* | hpux11*)
soname_spec='${libname}${release}${shared_ext}$major'
;;
esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
postinstall_cmds='chmod 555 $lib'
+ # or fails outright, so override atomically:
+ install_override_mode=555
;;
interix[3-9]*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -13082,7 +14028,7 @@ irix5* | irix6* | nonstopux*)
nonstopux*) version_type=nonstopux ;;
*)
if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
else
version_type=irix
fi ;;
@@ -13119,9 +14065,9 @@ linux*oldld* | linux*aout* | linux*coff*)
dynamic_linker=no
;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
linux* | k*bsd*-gnu | kopensolaris*-gnu)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13129,12 +14075,17 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
+
# Some binutils ld are patched to set DT_RUNPATH
- save_LDFLAGS=$LDFLAGS
- save_libdir=$libdir
- eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
- LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ if ${lt_cv_shlibpath_overrides_runpath+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ lt_cv_shlibpath_overrides_runpath=no
+ save_LDFLAGS=$LDFLAGS
+ save_libdir=$libdir
+ eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
+ LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
@@ -13147,13 +14098,17 @@ main ()
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then :
- shlibpath_overrides_runpath=yes
+ lt_cv_shlibpath_overrides_runpath=yes
fi
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- LDFLAGS=$save_LDFLAGS
- libdir=$save_libdir
+ LDFLAGS=$save_LDFLAGS
+ libdir=$save_libdir
+
+fi
+
+ shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
@@ -13162,7 +14117,7 @@ rm -f core conftest.err conftest.$ac_objext \
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
fi
@@ -13206,7 +14161,7 @@ netbsd*)
;;
newsos6)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@@ -13275,7 +14230,7 @@ rdos*)
;;
solaris*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13300,7 +14255,7 @@ sunos4*)
;;
sysv4 | sysv4.3*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
@@ -13324,7 +14279,7 @@ sysv4 | sysv4.3*)
sysv4*MP*)
if test -d /usr/nec ;then
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
soname_spec='$libname${shared_ext}.$major'
shlibpath_var=LD_LIBRARY_PATH
@@ -13355,7 +14310,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
tpf*)
# TPF is a cross-target only. Preferred cross-host = GNU/Linux.
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13365,7 +14320,7 @@ tpf*)
;;
uts4*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
@@ -13477,6 +14432,11 @@ fi
+
+
+
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5
$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
hardcode_action=
@@ -13549,7 +14509,7 @@ else
# if libdl is installed we need to link against it
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
$as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
+if ${ac_cv_lib_dl_dlopen+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -13583,7 +14543,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
else
@@ -13597,12 +14557,12 @@ fi
*)
ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load"
-if test "x$ac_cv_func_shl_load" = x""yes; then :
+if test "x$ac_cv_func_shl_load" = xyes; then :
lt_cv_dlopen="shl_load"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5
$as_echo_n "checking for shl_load in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then :
+if ${ac_cv_lib_dld_shl_load+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -13636,16 +14596,16 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5
$as_echo "$ac_cv_lib_dld_shl_load" >&6; }
-if test "x$ac_cv_lib_dld_shl_load" = x""yes; then :
+if test "x$ac_cv_lib_dld_shl_load" = xyes; then :
lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
else
ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen"
-if test "x$ac_cv_func_dlopen" = x""yes; then :
+if test "x$ac_cv_func_dlopen" = xyes; then :
lt_cv_dlopen="dlopen"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
$as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
+if ${ac_cv_lib_dl_dlopen+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -13679,12 +14639,12 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5
$as_echo_n "checking for dlopen in -lsvld... " >&6; }
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then :
+if ${ac_cv_lib_svld_dlopen+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -13718,12 +14678,12 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5
$as_echo "$ac_cv_lib_svld_dlopen" >&6; }
-if test "x$ac_cv_lib_svld_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_svld_dlopen" = xyes; then :
lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5
$as_echo_n "checking for dld_link in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then :
+if ${ac_cv_lib_dld_dld_link+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -13757,7 +14717,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5
$as_echo "$ac_cv_lib_dld_dld_link" >&6; }
-if test "x$ac_cv_lib_dld_dld_link" = x""yes; then :
+if test "x$ac_cv_lib_dld_dld_link" = xyes; then :
lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
fi
@@ -13798,7 +14758,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5
$as_echo_n "checking whether a program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self+set}" = set; then :
+if ${lt_cv_dlopen_self+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "$cross_compiling" = yes; then :
@@ -13807,7 +14767,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 13810 "configure"
+#line $LINENO "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13848,7 +14808,13 @@ else
# endif
#endif
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+ correspondingly for the symbols needed. */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
int main ()
{
void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -13857,7 +14823,11 @@ int main ()
if (self)
{
if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ else
+ {
+ if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ else puts (dlerror ());
+ }
/* dlclose (self); */
}
else
@@ -13894,7 +14864,7 @@ $as_echo "$lt_cv_dlopen_self" >&6; }
wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5
$as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self_static+set}" = set; then :
+if ${lt_cv_dlopen_self_static+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "$cross_compiling" = yes; then :
@@ -13903,7 +14873,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 13906 "configure"
+#line $LINENO "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13944,7 +14914,13 @@ else
# endif
#endif
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+ correspondingly for the symbols needed. */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
int main ()
{
void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -13953,7 +14929,11 @@ int main ()
if (self)
{
if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ else
+ {
+ if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ else puts (dlerror ());
+ }
/* dlclose (self); */
}
else
@@ -14122,6 +15102,8 @@ CC="$lt_save_CC"
+
+
ac_config_commands="$ac_config_commands libtool"
@@ -14132,7 +15114,7 @@ CC="$lt_save_CC"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
$as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then :
+if ${ac_cv_path_EGREP+:} false; then :
$as_echo_n "(cached) " >&6
else
if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -14203,7 +15185,7 @@ do
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then :
+if ${ac_cv_prog_AWK+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$AWK"; then
@@ -14245,7 +15227,7 @@ do
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LEX+set}" = set; then :
+if ${ac_cv_prog_LEX+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$LEX"; then
@@ -14315,7 +15297,7 @@ $as_echo "$ac_try_echo"; } >&5
test $ac_status = 0; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5
$as_echo_n "checking lex output file root... " >&6; }
-if test "${ac_cv_prog_lex_root+set}" = set; then :
+if ${ac_cv_prog_lex_root+:} false; then :
$as_echo_n "(cached) " >&6
else
@@ -14334,7 +15316,7 @@ LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
if test -z "${LEXLIB+set}"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5
$as_echo_n "checking lex library... " >&6; }
-if test "${ac_cv_lib_lex+set}" = set; then :
+if ${ac_cv_lib_lex+:} false; then :
$as_echo_n "(cached) " >&6
else
@@ -14364,7 +15346,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5
$as_echo_n "checking whether yytext is a pointer... " >&6; }
-if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then :
+if ${ac_cv_prog_lex_yytext_pointer+:} false; then :
$as_echo_n "(cached) " >&6
else
# POSIX says lex can declare yytext either as a pointer or an array; the
@@ -14375,7 +15357,8 @@ ac_save_LIBS=$LIBS
LIBS="$LEXLIB $ac_save_LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#define YYTEXT_POINTER 1
+
+ #define YYTEXT_POINTER 1
`cat $LEX_OUTPUT_ROOT.c`
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
@@ -14402,7 +15385,7 @@ do
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_YACC+set}" = set; then :
+if ${ac_cv_prog_YACC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$YACC"; then
@@ -14443,7 +15426,7 @@ test -n "$YACC" || YACC="yacc"
set dummy perl; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then :
+if ${ac_cv_path_PERL+:} false; then :
$as_echo_n "(cached) " >&6
else
case $PERL in
@@ -14484,7 +15467,7 @@ fi
set dummy gperf; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then :
+if ${ac_cv_path_GPERF+:} false; then :
$as_echo_n "(cached) " >&6
else
case $GPERF in
@@ -14568,7 +15551,7 @@ if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_
tnc_tnccs=true;
fi
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
imcv=true;
fi
@@ -14606,7 +15589,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdbool.h that conforms to C99" >&5
$as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
-if test "${ac_cv_header_stdbool_h+set}" = set; then :
+if ${ac_cv_header_stdbool_h+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14638,7 +15621,7 @@ else
char b[false == 0 ? 1 : -1];
char c[__bool_true_false_are_defined == 1 ? 1 : -1];
char d[(bool) 0.5 == true ? 1 : -1];
- bool e = &s;
+ /* See body of main program for 'e'. */
char f[(_Bool) 0.0 == false ? 1 : -1];
char g[true];
char h[sizeof (_Bool)];
@@ -14649,25 +15632,6 @@ else
_Bool n[m];
char o[sizeof n == m * sizeof n[0] ? 1 : -1];
char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
-# if defined __xlc__ || defined __GNUC__
- /* Catch a bug in IBM AIX xlc compiler version 6.0.0.0
- reported by James Lemley on 2005-10-05; see
- http://lists.gnu.org/archive/html/bug-coreutils/2005-10/msg00086.html
- This test is not quite right, since xlc is allowed to
- reject this program, as the initializer for xlcbug is
- not one of the forms that C requires support for.
- However, doing the test right would require a runtime
- test, and that would make cross-compilation harder.
- Let us hope that IBM fixes the xlc bug, and also adds
- support for this kind of constant expression. In the
- meantime, this test will reject xlc, which is OK, since
- our stdbool.h substitute should suffice. We also test
- this with GCC, where it should work, to detect more
- quickly whether someone messes up the test in the
- future. */
- char digs[] = "0123456789";
- int xlcbug = 1 / (&(digs + 5)[-2 + (bool) 1] == &digs[4] ? 1 : -1);
-# endif
/* Catch a bug in an HP-UX C compiler. See
http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
@@ -14679,6 +15643,7 @@ int
main ()
{
+ bool e = &s;
*pq |= q;
*pq |= ! q;
/* Refer to every declared value, to avoid compiler optimizations. */
@@ -14699,7 +15664,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdbool_h" >&5
$as_echo "$ac_cv_header_stdbool_h" >&6; }
ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
-if test "x$ac_cv_type__Bool" = x""yes; then :
+if test "x$ac_cv_type__Bool" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE__BOOL 1
@@ -14714,11 +15679,22 @@ $as_echo "#define HAVE_STDBOOL_H 1" >>confdefs.h
fi
+ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default"
+if test "x$ac_cv_type_size_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define size_t unsigned int
+_ACEOF
+
+fi
+
# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
# for constant arguments. Useless!
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
$as_echo_n "checking for working alloca.h... " >&6; }
-if test "${ac_cv_working_alloca_h+set}" = set; then :
+if ${ac_cv_working_alloca_h+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14751,7 +15727,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5
$as_echo_n "checking for alloca... " >&6; }
-if test "${ac_cv_func_alloca_works+set}" = set; then :
+if ${ac_cv_func_alloca_works+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14770,7 +15746,7 @@ else
#pragma alloca
# else
# ifndef alloca /* predefined by HP cc +Olibcalls */
-char *alloca ();
+void *alloca (size_t);
# endif
# endif
# endif
@@ -14814,7 +15790,7 @@ $as_echo "#define C_ALLOCA 1" >>confdefs.h
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5
$as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; }
-if test "${ac_cv_os_cray+set}" = set; then :
+if ${ac_cv_os_cray+:} false; then :
$as_echo_n "(cached) " >&6
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14855,7 +15831,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5
$as_echo_n "checking stack direction for C alloca... " >&6; }
-if test "${ac_cv_c_stack_direction+set}" = set; then :
+if ${ac_cv_c_stack_direction+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "$cross_compiling" = yes; then :
@@ -14904,7 +15880,7 @@ _ACEOF
fi
ac_fn_c_check_decl "$LINENO" "strerror_r" "ac_cv_have_decl_strerror_r" "$ac_includes_default"
-if test "x$ac_cv_have_decl_strerror_r" = x""yes; then :
+if test "x$ac_cv_have_decl_strerror_r" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
@@ -14917,7 +15893,7 @@ _ACEOF
for ac_func in strerror_r
do :
ac_fn_c_check_func "$LINENO" "strerror_r" "ac_cv_func_strerror_r"
-if test "x$ac_cv_func_strerror_r" = x""yes; then :
+if test "x$ac_cv_func_strerror_r" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_STRERROR_R 1
_ACEOF
@@ -14927,7 +15903,7 @@ done
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether strerror_r returns char *" >&5
$as_echo_n "checking whether strerror_r returns char *... " >&6; }
-if test "${ac_cv_func_strerror_r_char_p+set}" = set; then :
+if ${ac_cv_func_strerror_r_char_p+:} false; then :
$as_echo_n "(cached) " >&6
else
@@ -15001,7 +15977,7 @@ saved_LIBS=$LIBS
LIBS=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
$as_echo_n "checking for library containing dlopen... " >&6; }
-if test "${ac_cv_search_dlopen+set}" = set; then :
+if ${ac_cv_search_dlopen+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
@@ -15035,11 +16011,11 @@ for ac_lib in '' dl; do
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
- if test "${ac_cv_search_dlopen+set}" = set; then :
+ if ${ac_cv_search_dlopen+:} false; then :
break
fi
done
-if test "${ac_cv_search_dlopen+set}" = set; then :
+if ${ac_cv_search_dlopen+:} false; then :
else
ac_cv_search_dlopen=no
@@ -15060,7 +16036,7 @@ fi
LIBS=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing backtrace" >&5
$as_echo_n "checking for library containing backtrace... " >&6; }
-if test "${ac_cv_search_backtrace+set}" = set; then :
+if ${ac_cv_search_backtrace+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
@@ -15094,11 +16070,11 @@ for ac_lib in '' execinfo; do
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
- if test "${ac_cv_search_backtrace+set}" = set; then :
+ if ${ac_cv_search_backtrace+:} false; then :
break
fi
done
-if test "${ac_cv_search_backtrace+set}" = set; then :
+if ${ac_cv_search_backtrace+:} false; then :
else
ac_cv_search_backtrace=no
@@ -15117,7 +16093,7 @@ fi
for ac_func in backtrace
do :
ac_fn_c_check_func "$LINENO" "backtrace" "ac_cv_func_backtrace"
-if test "x$ac_cv_func_backtrace" = x""yes; then :
+if test "x$ac_cv_func_backtrace" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_BACKTRACE 1
_ACEOF
@@ -15130,7 +16106,7 @@ done
LIBS=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5
$as_echo_n "checking for library containing socket... " >&6; }
-if test "${ac_cv_search_socket+set}" = set; then :
+if ${ac_cv_search_socket+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
@@ -15164,11 +16140,11 @@ for ac_lib in '' socket; do
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
- if test "${ac_cv_search_socket+set}" = set; then :
+ if ${ac_cv_search_socket+:} false; then :
break
fi
done
-if test "${ac_cv_search_socket+set}" = set; then :
+if ${ac_cv_search_socket+:} false; then :
else
ac_cv_search_socket=no
@@ -15185,7 +16161,7 @@ if test "$ac_res" != no; then :
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lnsl" >&5
$as_echo_n "checking for socket in -lnsl... " >&6; }
-if test "${ac_cv_lib_nsl_socket+set}" = set; then :
+if ${ac_cv_lib_nsl_socket+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -15219,7 +16195,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_socket" >&5
$as_echo "$ac_cv_lib_nsl_socket" >&6; }
-if test "x$ac_cv_lib_nsl_socket" = x""yes; then :
+if test "x$ac_cv_lib_nsl_socket" = xyes; then :
SOCKLIB="-lsocket -lnsl"
fi
@@ -15231,7 +16207,7 @@ fi
LIBS=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
$as_echo_n "checking for library containing clock_gettime... " >&6; }
-if test "${ac_cv_search_clock_gettime+set}" = set; then :
+if ${ac_cv_search_clock_gettime+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
@@ -15265,11 +16241,11 @@ for ac_lib in '' rt; do
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
- if test "${ac_cv_search_clock_gettime+set}" = set; then :
+ if ${ac_cv_search_clock_gettime+:} false; then :
break
fi
done
-if test "${ac_cv_search_clock_gettime+set}" = set; then :
+if ${ac_cv_search_clock_gettime+:} false; then :
else
ac_cv_search_clock_gettime=no
@@ -15288,7 +16264,7 @@ fi
for ac_func in clock_gettime
do :
ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
-if test "x$ac_cv_func_clock_gettime" = x""yes; then :
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_CLOCK_GETTIME 1
_ACEOF
@@ -15301,7 +16277,7 @@ done
LIBS=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
$as_echo_n "checking for library containing pthread_create... " >&6; }
-if test "${ac_cv_search_pthread_create+set}" = set; then :
+if ${ac_cv_search_pthread_create+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
@@ -15335,11 +16311,11 @@ for ac_lib in '' pthread; do
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
- if test "${ac_cv_search_pthread_create+set}" = set; then :
+ if ${ac_cv_search_pthread_create+:} false; then :
break
fi
done
-if test "${ac_cv_search_pthread_create+set}" = set; then :
+if ${ac_cv_search_pthread_create+:} false; then :
else
ac_cv_search_pthread_create=no
@@ -15396,7 +16372,7 @@ $as_echo "unknown" >&6; };
for ac_func in pthread_condattr_setclock
do :
ac_fn_c_check_func "$LINENO" "pthread_condattr_setclock" "ac_cv_func_pthread_condattr_setclock"
-if test "x$ac_cv_func_pthread_condattr_setclock" = x""yes; then :
+if test "x$ac_cv_func_pthread_condattr_setclock" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PTHREAD_CONDATTR_SETCLOCK 1
_ACEOF
@@ -15433,7 +16409,7 @@ fi
for ac_func in pthread_condattr_init
do :
ac_fn_c_check_func "$LINENO" "pthread_condattr_init" "ac_cv_func_pthread_condattr_init"
-if test "x$ac_cv_func_pthread_condattr_init" = x""yes; then :
+if test "x$ac_cv_func_pthread_condattr_init" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PTHREAD_CONDATTR_INIT 1
_ACEOF
@@ -15444,7 +16420,7 @@ done
for ac_func in pthread_cond_timedwait_monotonic
do :
ac_fn_c_check_func "$LINENO" "pthread_cond_timedwait_monotonic" "ac_cv_func_pthread_cond_timedwait_monotonic"
-if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = x""yes; then :
+if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC 1
_ACEOF
@@ -15455,7 +16431,7 @@ done
for ac_func in pthread_cancel
do :
ac_fn_c_check_func "$LINENO" "pthread_cancel" "ac_cv_func_pthread_cancel"
-if test "x$ac_cv_func_pthread_cancel" = x""yes; then :
+if test "x$ac_cv_func_pthread_cancel" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PTHREAD_CANCEL 1
_ACEOF
@@ -15466,7 +16442,7 @@ done
for ac_func in pthread_rwlock_init
do :
ac_fn_c_check_func "$LINENO" "pthread_rwlock_init" "ac_cv_func_pthread_rwlock_init"
-if test "x$ac_cv_func_pthread_rwlock_init" = x""yes; then :
+if test "x$ac_cv_func_pthread_rwlock_init" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_PTHREAD_RWLOCK_INIT 1
_ACEOF
@@ -15474,10 +16450,21 @@ _ACEOF
fi
done
+for ac_func in pthread_spin_init
+do :
+ ac_fn_c_check_func "$LINENO" "pthread_spin_init" "ac_cv_func_pthread_spin_init"
+if test "x$ac_cv_func_pthread_spin_init" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_SPIN_INIT 1
+_ACEOF
+
+fi
+done
+
for ac_func in sem_timedwait
do :
ac_fn_c_check_func "$LINENO" "sem_timedwait" "ac_cv_func_sem_timedwait"
-if test "x$ac_cv_func_sem_timedwait" = x""yes; then :
+if test "x$ac_cv_func_sem_timedwait" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_SEM_TIMEDWAIT 1
_ACEOF
@@ -15488,7 +16475,7 @@ done
LIBS=$saved_LIBS
ac_fn_c_check_func "$LINENO" "gettid" "ac_cv_func_gettid"
-if test "x$ac_cv_func_gettid" = x""yes; then :
+if test "x$ac_cv_func_gettid" = xyes; then :
$as_echo "#define HAVE_GETTID /**/" >>confdefs.h
@@ -15570,7 +16557,7 @@ done
for ac_header in netinet/ip6.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" "$ac_includes_default"
-if test "x$ac_cv_header_netinet_ip6_h" = x""yes; then :
+if test "x$ac_cv_header_netinet_ip6_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_NETINET_IP6_H 1
_ACEOF
@@ -15585,7 +16572,7 @@ ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_s
#include <sys/socket.h>
"
-if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then :
+if test "x$ac_cv_member_struct_sockaddr_sa_len" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
@@ -15605,7 +16592,7 @@ ac_fn_c_check_member "$LINENO" "struct sadb_x_policy" "sadb_x_policy_priority" "
#endif
"
-if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = x""yes; then :
+if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY 1
@@ -15811,13 +16798,13 @@ fi
ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
-if test "x$ac_cv_func_register_printf_specifier" = x""yes; then :
+if test "x$ac_cv_func_register_printf_specifier" = xyes; then :
$as_echo "#define HAVE_PRINTF_SPECIFIER /**/" >>confdefs.h
else
ac_fn_c_check_func "$LINENO" "register_printf_function" "ac_cv_func_register_printf_function"
-if test "x$ac_cv_func_register_printf_function" = x""yes; then :
+if test "x$ac_cv_func_register_printf_function" = xyes; then :
$as_echo "#define HAVE_PRINTF_FUNCTION /**/" >>confdefs.h
@@ -15837,7 +16824,7 @@ fi
if test x$vstr = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
$as_echo_n "checking for main in -lvstr... " >&6; }
-if test "${ac_cv_lib_vstr_main+set}" = set; then :
+if ${ac_cv_lib_vstr_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -15865,7 +16852,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_main" >&5
$as_echo "$ac_cv_lib_vstr_main" >&6; }
-if test "x$ac_cv_lib_vstr_main" = x""yes; then :
+if test "x$ac_cv_lib_vstr_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "Vstr string library not found" "$LINENO" 5
@@ -15881,7 +16868,7 @@ if test x$gmp = xtrue; then
saved_LIBS=$LIBS
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
$as_echo_n "checking for main in -lgmp... " >&6; }
-if test "${ac_cv_lib_gmp_main+set}" = set; then :
+if ${ac_cv_lib_gmp_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -15909,7 +16896,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
$as_echo "$ac_cv_lib_gmp_main" >&6; }
-if test "x$ac_cv_lib_gmp_main" = x""yes; then :
+if test "x$ac_cv_lib_gmp_main" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBGMP 1
_ACEOF
@@ -15985,7 +16972,7 @@ fi
if test x$ldap = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldap" >&5
$as_echo_n "checking for main in -lldap... " >&6; }
-if test "${ac_cv_lib_ldap_main+set}" = set; then :
+if ${ac_cv_lib_ldap_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16013,7 +17000,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_main" >&5
$as_echo "$ac_cv_lib_ldap_main" >&6; }
-if test "x$ac_cv_lib_ldap_main" = x""yes; then :
+if test "x$ac_cv_lib_ldap_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
@@ -16022,7 +17009,7 @@ ac_cv_lib_ldap=ac_cv_lib_ldap_main
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
$as_echo_n "checking for main in -llber... " >&6; }
-if test "${ac_cv_lib_lber_main+set}" = set; then :
+if ${ac_cv_lib_lber_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16050,7 +17037,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_main" >&5
$as_echo "$ac_cv_lib_lber_main" >&6; }
-if test "x$ac_cv_lib_lber_main" = x""yes; then :
+if test "x$ac_cv_lib_lber_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "LDAP library lber not found" "$LINENO" 5
@@ -16058,7 +17045,7 @@ fi
ac_cv_lib_lber=ac_cv_lib_lber_main
ac_fn_c_check_header_mongrel "$LINENO" "ldap.h" "ac_cv_header_ldap_h" "$ac_includes_default"
-if test "x$ac_cv_header_ldap_h" = x""yes; then :
+if test "x$ac_cv_header_ldap_h" = xyes; then :
else
as_fn_error $? "LDAP header ldap.h not found!" "$LINENO" 5
@@ -16070,7 +17057,7 @@ fi
if test x$curl = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5
$as_echo_n "checking for main in -lcurl... " >&6; }
-if test "${ac_cv_lib_curl_main+set}" = set; then :
+if ${ac_cv_lib_curl_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16098,7 +17085,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5
$as_echo "$ac_cv_lib_curl_main" >&6; }
-if test "x$ac_cv_lib_curl_main" = x""yes; then :
+if test "x$ac_cv_lib_curl_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "CURL library curl not found" "$LINENO" 5
@@ -16106,7 +17093,7 @@ fi
ac_cv_lib_curl=ac_cv_lib_curl_main
ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default"
-if test "x$ac_cv_header_curl_curl_h" = x""yes; then :
+if test "x$ac_cv_header_curl_curl_h" = xyes; then :
else
as_fn_error $? "CURL header curl/curl.h not found!" "$LINENO" 5
@@ -16131,6 +17118,7 @@ if test -n "$soup_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_soup_CFLAGS=`$PKG_CONFIG --cflags "libsoup-2.4" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16147,6 +17135,7 @@ if test -n "$soup_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_soup_LIBS=`$PKG_CONFIG --libs "libsoup-2.4" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16166,9 +17155,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libsoup-2.4" 2>&1`
+ soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsoup-2.4" 2>&1`
else
- soup_PKG_ERRORS=`$PKG_CONFIG --print-errors "libsoup-2.4" 2>&1`
+ soup_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsoup-2.4" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$soup_PKG_ERRORS" >&5
@@ -16197,7 +17186,7 @@ and soup_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
soup_CFLAGS=$pkg_cv_soup_CFLAGS
soup_LIBS=$pkg_cv_soup_LIBS
@@ -16225,6 +17214,7 @@ if test -n "$xml_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16241,6 +17231,7 @@ if test -n "$xml_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16260,9 +17251,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libxml-2.0" 2>&1`
+ xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libxml-2.0" 2>&1`
else
- xml_PKG_ERRORS=`$PKG_CONFIG --print-errors "libxml-2.0" 2>&1`
+ xml_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libxml-2.0" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$xml_PKG_ERRORS" >&5
@@ -16291,7 +17282,7 @@ and xml_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
xml_CFLAGS=$pkg_cv_xml_CFLAGS
xml_LIBS=$pkg_cv_xml_LIBS
@@ -16319,6 +17310,7 @@ if test -n "$axis2c_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_axis2c_CFLAGS=`$PKG_CONFIG --cflags "axis2c" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16335,6 +17327,7 @@ if test -n "$axis2c_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_axis2c_LIBS=`$PKG_CONFIG --libs "axis2c" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16354,9 +17347,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- axis2c_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "axis2c" 2>&1`
+ axis2c_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "axis2c" 2>&1`
else
- axis2c_PKG_ERRORS=`$PKG_CONFIG --print-errors "axis2c" 2>&1`
+ axis2c_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "axis2c" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$axis2c_PKG_ERRORS" >&5
@@ -16385,7 +17378,7 @@ and axis2c_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
axis2c_CFLAGS=$pkg_cv_axis2c_CFLAGS
axis2c_LIBS=$pkg_cv_axis2c_LIBS
@@ -16397,10 +17390,10 @@ fi
fi
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$tss = xtrousers; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
$as_echo_n "checking for main in -ltspi... " >&6; }
-if test "${ac_cv_lib_tspi_main+set}" = set; then :
+if ${ac_cv_lib_tspi_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16428,7 +17421,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
$as_echo "$ac_cv_lib_tspi_main" >&6; }
-if test "x$ac_cv_lib_tspi_main" = x""yes; then :
+if test "x$ac_cv_lib_tspi_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
@@ -16436,13 +17429,16 @@ fi
ac_cv_lib_tspi=ac_cv_lib_tspi_main
ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default"
-if test "x$ac_cv_header_trousers_tss_h" = x""yes; then :
+if test "x$ac_cv_header_trousers_tss_h" = xyes; then :
else
as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5
fi
+
+$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
+
fi
if test x$dumm = xtrue; then
@@ -16461,6 +17457,7 @@ if test -n "$gtk_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16477,6 +17474,7 @@ if test -n "$gtk_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -16496,9 +17494,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "gtk+-2.0 vte" 2>&1`
+ gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
else
- gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors "gtk+-2.0 vte" 2>&1`
+ gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$gtk_PKG_ERRORS" >&5
@@ -16527,7 +17525,7 @@ and gtk_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
gtk_LIBS=$pkg_cv_gtk_LIBS
@@ -16543,7 +17541,7 @@ do
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RUBY+set}" = set; then :
+if ${ac_cv_prog_RUBY+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$RUBY"; then
@@ -16582,34 +17580,79 @@ done
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ruby header files" >&5
$as_echo_n "checking for Ruby header files... " >&6; }
if test -n "$RUBY"; then
- RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG["archdir"] || $archdir') 2>/dev/null`
- if test -n "$RUBYDIR"; then
- dirs="$RUBYDIR"
- RUBYINCLUDE=none
- for i in $dirs; do
- if test -r $i/ruby.h; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $i" >&5
-$as_echo "$i" >&6; }
- RUBYINCLUDE="-I$i"
- break;
- fi
- done
- if test x"$RUBYINCLUDE" = xnone; then
- as_fn_error $? "ruby.h not found" "$LINENO" 5
+ RUBYINCLUDE=
+ RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["rubyhdrdir"] || ""') 2>/dev/null`
+ if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+ RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["arch"] || ""') 2>/dev/null`
+ if test -n "$RUBYARCH"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBYDIR" >&5
+$as_echo "$RUBYDIR" >&6; }
+ RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
fi
-
else
- as_fn_error $? "unable to determine ruby configuration" "$LINENO" 5
+ RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["archdir"] || ""') 2>/dev/null`
+ if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBYDIR" >&5
+$as_echo "$RUBYDIR" >&6; }
+ RUBYINCLUDE="-I$RUBYDIR"
+ fi
+ fi
+ if test -z "$RUBYINCLUDE"; then
+ as_fn_error $? "ruby.h not found" "$LINENO" 5
fi
+
else
as_fn_error $? "don't know how to run ruby" "$LINENO" 5
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libruby" >&5
+$as_echo_n "checking for libruby... " >&6; }
+ saved_LIBS=$LIBS
+ LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["LIBRUBYARG_SHARED"] || ""') 2>/dev/null`
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ruby_init ();
+int
+main ()
+{
+return ruby_init ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBS" >&5
+$as_echo "$LIBS" >&6; }; RUBYLIB=$LIBS
+else
+ as_fn_error $? "not found" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
+ for ac_func in rb_errinfo
+do :
+ ac_fn_c_check_func "$LINENO" "rb_errinfo" "ac_cv_func_rb_errinfo"
+if test "x$ac_cv_func_rb_errinfo" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_RB_ERRINFO 1
+_ACEOF
+
+fi
+done
+
+ LIBS=$saved_LIBS
fi
if test x$fast = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_cgi" >&5
$as_echo_n "checking for main in -lneo_cgi... " >&6; }
-if test "${ac_cv_lib_neo_cgi_main+set}" = set; then :
+if ${ac_cv_lib_neo_cgi_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16637,7 +17680,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_cgi_main" >&5
$as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
-if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then :
+if test "x$ac_cv_lib_neo_cgi_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
@@ -16646,7 +17689,7 @@ ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
$as_echo_n "checking for main in -lneo_utl... " >&6; }
-if test "${ac_cv_lib_neo_utl_main+set}" = set; then :
+if ${ac_cv_lib_neo_utl_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16674,7 +17717,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_main" >&5
$as_echo "$ac_cv_lib_neo_utl_main" >&6; }
-if test "x$ac_cv_lib_neo_utl_main" = x""yes; then :
+if test "x$ac_cv_lib_neo_utl_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
@@ -16716,7 +17759,7 @@ rm -f core conftest.err conftest.$ac_objext \
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
$as_echo_n "checking for main in -lfcgi... " >&6; }
-if test "${ac_cv_lib_fcgi_main+set}" = set; then :
+if ${ac_cv_lib_fcgi_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16744,7 +17787,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_main" >&5
$as_echo "$ac_cv_lib_fcgi_main" >&6; }
-if test "x$ac_cv_lib_fcgi_main" = x""yes; then :
+if test "x$ac_cv_lib_fcgi_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
@@ -16752,7 +17795,7 @@ fi
ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
ac_fn_c_check_header_mongrel "$LINENO" "fcgiapp.h" "ac_cv_header_fcgiapp_h" "$ac_includes_default"
-if test "x$ac_cv_header_fcgiapp_h" = x""yes; then :
+if test "x$ac_cv_header_fcgiapp_h" = xyes; then :
else
as_fn_error $? "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
@@ -16766,7 +17809,7 @@ if test x$mysql = xtrue; then
set dummy mysql_config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_MYSQLCONFIG+set}" = set; then :
+if ${ac_cv_path_MYSQLCONFIG+:} false; then :
$as_echo_n "(cached) " >&6
else
case $MYSQLCONFIG in
@@ -16815,7 +17858,7 @@ fi
if test x$sqlite = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lsqlite3" >&5
$as_echo_n "checking for main in -lsqlite3... " >&6; }
-if test "${ac_cv_lib_sqlite3_main+set}" = set; then :
+if ${ac_cv_lib_sqlite3_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16843,7 +17886,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_main" >&5
$as_echo "$ac_cv_lib_sqlite3_main" >&6; }
-if test "x$ac_cv_lib_sqlite3_main" = x""yes; then :
+if test "x$ac_cv_lib_sqlite3_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
@@ -16851,7 +17894,7 @@ fi
ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default"
-if test "x$ac_cv_header_sqlite3_h" = x""yes; then :
+if test "x$ac_cv_header_sqlite3_h" = xyes; then :
else
as_fn_error $? "SQLite header sqlite3.h not found!" "$LINENO" 5
@@ -16914,7 +17957,7 @@ fi
if test x$openssl = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcrypto" >&5
$as_echo_n "checking for main in -lcrypto... " >&6; }
-if test "${ac_cv_lib_crypto_main+set}" = set; then :
+if ${ac_cv_lib_crypto_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16942,7 +17985,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_main" >&5
$as_echo "$ac_cv_lib_crypto_main" >&6; }
-if test "x$ac_cv_lib_crypto_main" = x""yes; then :
+if test "x$ac_cv_lib_crypto_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
@@ -16950,7 +17993,7 @@ fi
ac_cv_lib_crypto=ac_cv_lib_crypto_main
ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default"
-if test "x$ac_cv_header_openssl_evp_h" = x""yes; then :
+if test "x$ac_cv_header_openssl_evp_h" = xyes; then :
else
as_fn_error $? "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
@@ -16962,7 +18005,7 @@ fi
if test x$gcrypt = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgcrypt" >&5
$as_echo_n "checking for main in -lgcrypt... " >&6; }
-if test "${ac_cv_lib_gcrypt_main+set}" = set; then :
+if ${ac_cv_lib_gcrypt_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -16990,7 +18033,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_main" >&5
$as_echo "$ac_cv_lib_gcrypt_main" >&6; }
-if test "x$ac_cv_lib_gcrypt_main" = x""yes; then :
+if test "x$ac_cv_lib_gcrypt_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "gcrypt library not found" "$LINENO" 5
@@ -16998,7 +18041,7 @@ fi
ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
ac_fn_c_check_header_mongrel "$LINENO" "gcrypt.h" "ac_cv_header_gcrypt_h" "$ac_includes_default"
-if test "x$ac_cv_header_gcrypt_h" = x""yes; then :
+if test "x$ac_cv_header_gcrypt_h" = xyes; then :
else
as_fn_error $? "gcrypt header gcrypt.h not found!" "$LINENO" 5
@@ -17035,7 +18078,7 @@ fi
if test x$uci = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
$as_echo_n "checking for main in -luci... " >&6; }
-if test "${ac_cv_lib_uci_main+set}" = set; then :
+if ${ac_cv_lib_uci_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -17063,7 +18106,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_main" >&5
$as_echo "$ac_cv_lib_uci_main" >&6; }
-if test "x$ac_cv_lib_uci_main" = x""yes; then :
+if test "x$ac_cv_lib_uci_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "UCI library libuci not found" "$LINENO" 5
@@ -17071,7 +18114,7 @@ fi
ac_cv_lib_uci=ac_cv_lib_uci_main
ac_fn_c_check_header_mongrel "$LINENO" "uci.h" "ac_cv_header_uci_h" "$ac_includes_default"
-if test "x$ac_cv_header_uci_h" = x""yes; then :
+if test "x$ac_cv_header_uci_h" = xyes; then :
else
as_fn_error $? "UCI header uci.h not found!" "$LINENO" 5
@@ -17083,7 +18126,7 @@ fi
if test x$android = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
$as_echo_n "checking for main in -lcutils... " >&6; }
-if test "${ac_cv_lib_cutils_main+set}" = set; then :
+if ${ac_cv_lib_cutils_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -17111,7 +18154,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_main" >&5
$as_echo "$ac_cv_lib_cutils_main" >&6; }
-if test "x$ac_cv_lib_cutils_main" = x""yes; then :
+if test "x$ac_cv_lib_cutils_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "Android library libcutils not found" "$LINENO" 5
@@ -17119,7 +18162,7 @@ fi
ac_cv_lib_cutils=ac_cv_lib_cutils_main
ac_fn_c_check_header_mongrel "$LINENO" "cutils/properties.h" "ac_cv_header_cutils_properties_h" "$ac_includes_default"
-if test "x$ac_cv_header_cutils_properties_h" = x""yes; then :
+if test "x$ac_cv_header_cutils_properties_h" = xyes; then :
else
as_fn_error $? "Android header cutils/properties.h not found!" "$LINENO" 5
@@ -17146,6 +18189,7 @@ if test -n "$maemo_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_maemo_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17162,6 +18206,7 @@ if test -n "$maemo_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_maemo_LIBS=`$PKG_CONFIG --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17181,9 +18226,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+ maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
else
- maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+ maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$maemo_PKG_ERRORS" >&5
@@ -17212,7 +18257,7 @@ and maemo_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
maemo_CFLAGS=$pkg_cv_maemo_CFLAGS
maemo_LIBS=$pkg_cv_maemo_LIBS
@@ -17242,6 +18287,7 @@ if test -n "$pcsclite_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_pcsclite_CFLAGS=`$PKG_CONFIG --cflags "libpcsclite" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17258,6 +18304,7 @@ if test -n "$pcsclite_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_pcsclite_LIBS=`$PKG_CONFIG --libs "libpcsclite" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17277,9 +18324,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libpcsclite" 2>&1`
+ pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libpcsclite" 2>&1`
else
- pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors "libpcsclite" 2>&1`
+ pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libpcsclite" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$pcsclite_PKG_ERRORS" >&5
@@ -17308,7 +18355,7 @@ and pcsclite_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
pcsclite_CFLAGS=$pkg_cv_pcsclite_CFLAGS
pcsclite_LIBS=$pkg_cv_pcsclite_LIBS
@@ -17342,6 +18389,7 @@ if test -n "$nm_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17358,6 +18406,7 @@ if test -n "$nm_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17377,9 +18426,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
+ nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
else
- nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
+ nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$nm_PKG_ERRORS" >&5
@@ -17408,7 +18457,7 @@ and nm_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
nm_CFLAGS=$pkg_cv_nm_CFLAGS
nm_LIBS=$pkg_cv_nm_LIBS
@@ -17432,6 +18481,7 @@ if test -n "$nm_CFLAGS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17448,6 +18498,7 @@ if test -n "$nm_LIBS"; then
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
@@ -17467,9 +18518,9 @@ else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
- nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
+ nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
else
- nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
+ nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$nm_PKG_ERRORS" >&5
@@ -17498,7 +18549,7 @@ and nm_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
else
nm_CFLAGS=$pkg_cv_nm_CFLAGS
nm_LIBS=$pkg_cv_nm_LIBS
@@ -17515,7 +18566,7 @@ fi
if test x$xauth_pam = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpam" >&5
$as_echo_n "checking for main in -lpam... " >&6; }
-if test "${ac_cv_lib_pam_main+set}" = set; then :
+if ${ac_cv_lib_pam_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -17543,7 +18594,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_main" >&5
$as_echo "$ac_cv_lib_pam_main" >&6; }
-if test "x$ac_cv_lib_pam_main" = x""yes; then :
+if test "x$ac_cv_lib_pam_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "PAM library not found" "$LINENO" 5
@@ -17551,7 +18602,7 @@ fi
ac_cv_lib_pam=ac_cv_lib_pam_main
ac_fn_c_check_header_mongrel "$LINENO" "security/pam_appl.h" "ac_cv_header_security_pam_appl_h" "$ac_includes_default"
-if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then :
+if test "x$ac_cv_header_security_pam_appl_h" = xyes; then :
else
as_fn_error $? "PAM header security/pam_appl.h not found!" "$LINENO" 5
@@ -17566,7 +18617,7 @@ $as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated
for ac_header in sys/capability.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_SYS_CAPABILITY_H 1
_ACEOF
@@ -17576,7 +18627,7 @@ fi
done
ac_fn_c_check_func "$LINENO" "capset" "ac_cv_func_capset"
-if test "x$ac_cv_func_capset" = x""yes; then :
+if test "x$ac_cv_func_capset" = xyes; then :
else
as_fn_error $? "capset() not found!" "$LINENO" 5
@@ -17590,7 +18641,7 @@ fi
if test x$capabilities = xlibcap; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcap" >&5
$as_echo_n "checking for main in -lcap... " >&6; }
-if test "${ac_cv_lib_cap_main+set}" = set; then :
+if ${ac_cv_lib_cap_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -17618,7 +18669,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_main" >&5
$as_echo "$ac_cv_lib_cap_main" >&6; }
-if test "x$ac_cv_lib_cap_main" = x""yes; then :
+if test "x$ac_cv_lib_cap_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "libcap library not found" "$LINENO" 5
@@ -17626,7 +18677,7 @@ fi
ac_cv_lib_cap=ac_cv_lib_cap_main
ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
$as_echo "#define HAVE_SYS_CAPABILITY_H /**/" >>confdefs.h
@@ -17694,7 +18745,7 @@ fi
if test x$bfd_backtraces = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lbfd" >&5
$as_echo_n "checking for main in -lbfd... " >&6; }
-if test "${ac_cv_lib_bfd_main+set}" = set; then :
+if ${ac_cv_lib_bfd_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -17722,7 +18773,7 @@ LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_main" >&5
$as_echo "$ac_cv_lib_bfd_main" >&6; }
-if test "x$ac_cv_lib_bfd_main" = x""yes; then :
+if test "x$ac_cv_lib_bfd_main" = xyes; then :
LIBS="$LIBS"
else
as_fn_error $? "binutils libbfd not found!" "$LINENO" 5
@@ -17730,7 +18781,7 @@ fi
ac_cv_lib_bfd=ac_cv_lib_bfd_main
ac_fn_c_check_header_mongrel "$LINENO" "bfd.h" "ac_cv_header_bfd_h" "$ac_includes_default"
-if test "x$ac_cv_header_bfd_h" = x""yes; then :
+if test "x$ac_cv_header_bfd_h" = xyes; then :
$as_echo "#define HAVE_BFD_H /**/" >>confdefs.h
@@ -17929,6 +18980,19 @@ if test x$md5 = xtrue; then
fi
+if test x$rdrand = xtrue; then
+ s_plugins=${s_plugins}" rdrand"
+ charon_plugins=${charon_plugins}" rdrand"
+ openac_plugins=${openac_plugins}" rdrand"
+ scepclient_plugins=${scepclient_plugins}" rdrand"
+ pki_plugins=${pki_plugins}" rdrand"
+ scripts_plugins=${scripts_plugins}" rdrand"
+ medsrv_plugins=${medsrv_plugins}" rdrand"
+ attest_plugins=${attest_plugins}" rdrand"
+ nm_plugins=${nm_plugins}" rdrand"
+
+ fi
+
if test x$random = xtrue; then
s_plugins=${s_plugins}" random"
charon_plugins=${charon_plugins}" random"
@@ -17995,6 +19059,13 @@ if test x$pkcs1 = xtrue; then
fi
+if test x$pkcs7 = xtrue; then
+ s_plugins=${s_plugins}" pkcs7"
+ scepclient_plugins=${scepclient_plugins}" pkcs7"
+ pki_plugins=${pki_plugins}" pkcs7"
+
+ fi
+
if test x$pkcs8 = xtrue; then
s_plugins=${s_plugins}" pkcs8"
charon_plugins=${charon_plugins}" pkcs8"
@@ -18477,6 +19548,18 @@ if test x$whitelist = xtrue; then
fi
+if test x$lookip = xtrue; then
+ c_plugins=${c_plugins}" lookip"
+ charon_plugins=${charon_plugins}" lookip"
+
+ fi
+
+if test x$error_notify = xtrue; then
+ c_plugins=${c_plugins}" error-notify"
+ charon_plugins=${charon_plugins}" error-notify"
+
+ fi
+
if test x$certexpire = xtrue; then
c_plugins=${c_plugins}" certexpire"
charon_plugins=${charon_plugins}" certexpire"
@@ -18660,6 +19743,14 @@ else
USE_GMP_FALSE=
fi
+ if test x$rdrand = xtrue; then
+ USE_RDRAND_TRUE=
+ USE_RDRAND_FALSE='#'
+else
+ USE_RDRAND_TRUE='#'
+ USE_RDRAND_FALSE=
+fi
+
if test x$random = xtrue; then
USE_RANDOM_TRUE=
USE_RANDOM_FALSE='#'
@@ -18716,6 +19807,14 @@ else
USE_PKCS1_FALSE=
fi
+ if test x$pkcs7 = xtrue; then
+ USE_PKCS7_TRUE=
+ USE_PKCS7_FALSE='#'
+else
+ USE_PKCS7_TRUE='#'
+ USE_PKCS7_FALSE=
+fi
+
if test x$pkcs8 = xtrue; then
USE_PKCS8_TRUE=
USE_PKCS8_FALSE='#'
@@ -18981,6 +20080,22 @@ else
USE_WHITELIST_FALSE=
fi
+ if test x$lookip = xtrue; then
+ USE_LOOKIP_TRUE=
+ USE_LOOKIP_FALSE='#'
+else
+ USE_LOOKIP_TRUE='#'
+ USE_LOOKIP_FALSE=
+fi
+
+ if test x$error_notify = xtrue; then
+ USE_ERROR_NOTIFY_TRUE=
+ USE_ERROR_NOTIFY_FALSE='#'
+else
+ USE_ERROR_NOTIFY_TRUE='#'
+ USE_ERROR_NOTIFY_FALSE=
+fi
+
if test x$certexpire = xtrue; then
USE_CERTEXPIRE_TRUE=
USE_CERTEXPIRE_FALSE='#'
@@ -19285,6 +20400,22 @@ else
USE_IMV_SCANNER_FALSE=
fi
+ if test x$imc_os = xtrue; then
+ USE_IMC_OS_TRUE=
+ USE_IMC_OS_FALSE='#'
+else
+ USE_IMC_OS_TRUE='#'
+ USE_IMC_OS_FALSE=
+fi
+
+ if test x$imv_os = xtrue; then
+ USE_IMV_OS_TRUE=
+ USE_IMV_OS_FALSE='#'
+else
+ USE_IMV_OS_TRUE='#'
+ USE_IMV_OS_FALSE=
+fi
+
if test x$imc_attestation = xtrue; then
USE_IMC_ATTESTATION_TRUE=
USE_IMC_ATTESTATION_FALSE='#'
@@ -19655,6 +20786,14 @@ else
USE_PTS_FALSE=
fi
+ if test x$tss = xtrousers; then
+ USE_TROUSERS_TRUE=
+ USE_TROUSERS_FALSE='#'
+else
+ USE_TROUSERS_TRUE='#'
+ USE_TROUSERS_FALSE=
+fi
+
if test x$monolithic = xtrue; then
MONOLITHIC_TRUE=
MONOLITHIC_FALSE='#'
@@ -19692,7 +20831,7 @@ $as_echo "#define USE_IKEV2 /**/" >>confdefs.h
fi
-ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile 
src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/charon/Makefile src/charon-nm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile 
src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile 
src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile 
src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -19758,10 +20897,21 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
:end' >>confcache
if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
if test -w "$cache_file"; then
- test "x$cache_file" != "x/dev/null" &&
+ if test "x$cache_file" != "x/dev/null"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
$as_echo "$as_me: updating cache $cache_file" >&6;}
- cat confcache >$cache_file
+ if test ! -f "$cache_file" || test -h "$cache_file"; then
+ cat confcache >"$cache_file"
+ else
+ case $cache_file in #(
+ */* | ?:*)
+ mv -f confcache "$cache_file"$$ &&
+ mv -f "$cache_file"$$ "$cache_file" ;; #(
+ *)
+ mv -f confcache "$cache_file" ;;
+ esac
+ fi
+ fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
@@ -19869,6 +21019,10 @@ if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
as_fn_error $? "conditional \"USE_GMP\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_RDRAND_TRUE}" && test -z "${USE_RDRAND_FALSE}"; then
+ as_fn_error $? "conditional \"USE_RDRAND\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
as_fn_error $? "conditional \"USE_RANDOM\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19897,6 +21051,10 @@ if test -z "${USE_PKCS1_TRUE}" && test -z "${USE_PKCS1_FALSE}"; then
as_fn_error $? "conditional \"USE_PKCS1\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_PKCS7_TRUE}" && test -z "${USE_PKCS7_FALSE}"; then
+ as_fn_error $? "conditional \"USE_PKCS7\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_PKCS8_TRUE}" && test -z "${USE_PKCS8_FALSE}"; then
as_fn_error $? "conditional \"USE_PKCS8\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -20029,6 +21187,14 @@ if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_LOOKIP_TRUE}" && test -z "${USE_LOOKIP_FALSE}"; then
+ as_fn_error $? "conditional \"USE_LOOKIP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ERROR_NOTIFY_TRUE}" && test -z "${USE_ERROR_NOTIFY_FALSE}"; then
+ as_fn_error $? "conditional \"USE_ERROR_NOTIFY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_CERTEXPIRE_TRUE}" && test -z "${USE_CERTEXPIRE_FALSE}"; then
as_fn_error $? "conditional \"USE_CERTEXPIRE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -20181,6 +21347,14 @@ if test -z "${USE_IMV_SCANNER_TRUE}" && test -z "${USE_IMV_SCANNER_FALSE}"; then
as_fn_error $? "conditional \"USE_IMV_SCANNER\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_IMC_OS_TRUE}" && test -z "${USE_IMC_OS_FALSE}"; then
+ as_fn_error $? "conditional \"USE_IMC_OS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_IMV_OS_TRUE}" && test -z "${USE_IMV_OS_FALSE}"; then
+ as_fn_error $? "conditional \"USE_IMV_OS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_IMC_ATTESTATION_TRUE}" && test -z "${USE_IMC_ATTESTATION_FALSE}"; then
as_fn_error $? "conditional \"USE_IMC_ATTESTATION\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -20365,12 +21539,16 @@ if test -z "${USE_PTS_TRUE}" && test -z "${USE_PTS_FALSE}"; then
as_fn_error $? "conditional \"USE_PTS\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_TROUSERS_TRUE}" && test -z "${USE_TROUSERS_FALSE}"; then
+ as_fn_error $? "conditional \"USE_TROUSERS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
-: ${CONFIG_STATUS=./config.status}
+: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
ac_clean_files_save=$ac_clean_files
ac_clean_files="$ac_clean_files $CONFIG_STATUS"
@@ -20471,6 +21649,7 @@ fi
IFS=" "" $as_nl"
# Find who we are. Look in the path if we contain no directory separator.
+as_myself=
case $0 in #((
*[\\/]* ) as_myself=$0 ;;
*) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -20777,8 +21956,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by strongSwan $as_me 5.0.1, which was
-generated by GNU Autoconf 2.67. Invocation command line was
+This file was extended by strongSwan $as_me 5.0.2, which was
+generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
@@ -20843,8 +22022,8 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-strongSwan config.status 5.0.1
-configured by $0, generated by GNU Autoconf 2.67,
+strongSwan config.status 5.0.2
+configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -20972,131 +22151,154 @@ AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
sed_quote_subst='$sed_quote_subst'
double_quote_subst='$double_quote_subst'
delay_variable_subst='$delay_variable_subst'
-macro_version='`$ECHO "X$macro_version" | $Xsed -e "$delay_single_quote_subst"`'
-macro_revision='`$ECHO "X$macro_revision" | $Xsed -e "$delay_single_quote_subst"`'
-enable_shared='`$ECHO "X$enable_shared" | $Xsed -e "$delay_single_quote_subst"`'
-enable_static='`$ECHO "X$enable_static" | $Xsed -e "$delay_single_quote_subst"`'
-pic_mode='`$ECHO "X$pic_mode" | $Xsed -e "$delay_single_quote_subst"`'
-enable_fast_install='`$ECHO "X$enable_fast_install" | $Xsed -e "$delay_single_quote_subst"`'
-host_alias='`$ECHO "X$host_alias" | $Xsed -e "$delay_single_quote_subst"`'
-host='`$ECHO "X$host" | $Xsed -e "$delay_single_quote_subst"`'
-host_os='`$ECHO "X$host_os" | $Xsed -e "$delay_single_quote_subst"`'
-build_alias='`$ECHO "X$build_alias" | $Xsed -e "$delay_single_quote_subst"`'
-build='`$ECHO "X$build" | $Xsed -e "$delay_single_quote_subst"`'
-build_os='`$ECHO "X$build_os" | $Xsed -e "$delay_single_quote_subst"`'
-SED='`$ECHO "X$SED" | $Xsed -e "$delay_single_quote_subst"`'
-Xsed='`$ECHO "X$Xsed" | $Xsed -e "$delay_single_quote_subst"`'
-GREP='`$ECHO "X$GREP" | $Xsed -e "$delay_single_quote_subst"`'
-EGREP='`$ECHO "X$EGREP" | $Xsed -e "$delay_single_quote_subst"`'
-FGREP='`$ECHO "X$FGREP" | $Xsed -e "$delay_single_quote_subst"`'
-LD='`$ECHO "X$LD" | $Xsed -e "$delay_single_quote_subst"`'
-NM='`$ECHO "X$NM" | $Xsed -e "$delay_single_quote_subst"`'
-LN_S='`$ECHO "X$LN_S" | $Xsed -e "$delay_single_quote_subst"`'
-max_cmd_len='`$ECHO "X$max_cmd_len" | $Xsed -e "$delay_single_quote_subst"`'
-ac_objext='`$ECHO "X$ac_objext" | $Xsed -e "$delay_single_quote_subst"`'
-exeext='`$ECHO "X$exeext" | $Xsed -e "$delay_single_quote_subst"`'
-lt_unset='`$ECHO "X$lt_unset" | $Xsed -e "$delay_single_quote_subst"`'
-lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`'
-lt_NL2SP='`$ECHO "X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`'
-reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`'
-reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-OBJDUMP='`$ECHO "X$OBJDUMP" | $Xsed -e "$delay_single_quote_subst"`'
-deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`'
-file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`'
-AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`'
-AR_FLAGS='`$ECHO "X$AR_FLAGS" | $Xsed -e "$delay_single_quote_subst"`'
-STRIP='`$ECHO "X$STRIP" | $Xsed -e "$delay_single_quote_subst"`'
-RANLIB='`$ECHO "X$RANLIB" | $Xsed -e "$delay_single_quote_subst"`'
-old_postinstall_cmds='`$ECHO "X$old_postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_postuninstall_cmds='`$ECHO "X$old_postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_cmds='`$ECHO "X$old_archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-CC='`$ECHO "X$CC" | $Xsed -e "$delay_single_quote_subst"`'
-CFLAGS='`$ECHO "X$CFLAGS" | $Xsed -e "$delay_single_quote_subst"`'
-compiler='`$ECHO "X$compiler" | $Xsed -e "$delay_single_quote_subst"`'
-GCC='`$ECHO "X$GCC" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_pipe='`$ECHO "X$lt_cv_sys_global_symbol_pipe" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_cdecl='`$ECHO "X$lt_cv_sys_global_symbol_to_cdecl" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
-objdir='`$ECHO "X$objdir" | $Xsed -e "$delay_single_quote_subst"`'
-SHELL='`$ECHO "X$SHELL" | $Xsed -e "$delay_single_quote_subst"`'
-ECHO='`$ECHO "X$ECHO" | $Xsed -e "$delay_single_quote_subst"`'
-MAGIC_CMD='`$ECHO "X$MAGIC_CMD" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_no_builtin_flag='`$ECHO "X$lt_prog_compiler_no_builtin_flag" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_wl='`$ECHO "X$lt_prog_compiler_wl" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_pic='`$ECHO "X$lt_prog_compiler_pic" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_static='`$ECHO "X$lt_prog_compiler_static" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_prog_compiler_c_o='`$ECHO "X$lt_cv_prog_compiler_c_o" | $Xsed -e "$delay_single_quote_subst"`'
-need_locks='`$ECHO "X$need_locks" | $Xsed -e "$delay_single_quote_subst"`'
-DSYMUTIL='`$ECHO "X$DSYMUTIL" | $Xsed -e "$delay_single_quote_subst"`'
-NMEDIT='`$ECHO "X$NMEDIT" | $Xsed -e "$delay_single_quote_subst"`'
-LIPO='`$ECHO "X$LIPO" | $Xsed -e "$delay_single_quote_subst"`'
-OTOOL='`$ECHO "X$OTOOL" | $Xsed -e "$delay_single_quote_subst"`'
-OTOOL64='`$ECHO "X$OTOOL64" | $Xsed -e "$delay_single_quote_subst"`'
-libext='`$ECHO "X$libext" | $Xsed -e "$delay_single_quote_subst"`'
-shrext_cmds='`$ECHO "X$shrext_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-extract_expsyms_cmds='`$ECHO "X$extract_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_cmds_need_lc='`$ECHO "X$archive_cmds_need_lc" | $Xsed -e "$delay_single_quote_subst"`'
-enable_shared_with_static_runtimes='`$ECHO "X$enable_shared_with_static_runtimes" | $Xsed -e "$delay_single_quote_subst"`'
-export_dynamic_flag_spec='`$ECHO "X$export_dynamic_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-whole_archive_flag_spec='`$ECHO "X$whole_archive_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-compiler_needs_object='`$ECHO "X$compiler_needs_object" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_from_new_cmds='`$ECHO "X$old_archive_from_new_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_from_expsyms_cmds='`$ECHO "X$old_archive_from_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_cmds='`$ECHO "X$archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_expsym_cmds='`$ECHO "X$archive_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-module_cmds='`$ECHO "X$module_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-module_expsym_cmds='`$ECHO "X$module_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-with_gnu_ld='`$ECHO "X$with_gnu_ld" | $Xsed -e "$delay_single_quote_subst"`'
-allow_undefined_flag='`$ECHO "X$allow_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
-no_undefined_flag='`$ECHO "X$no_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec='`$ECHO "X$hardcode_libdir_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec_ld='`$ECHO "X$hardcode_libdir_flag_spec_ld" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_separator='`$ECHO "X$hardcode_libdir_separator" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_direct='`$ECHO "X$hardcode_direct" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_direct_absolute='`$ECHO "X$hardcode_direct_absolute" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_minus_L='`$ECHO "X$hardcode_minus_L" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_shlibpath_var='`$ECHO "X$hardcode_shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_automatic='`$ECHO "X$hardcode_automatic" | $Xsed -e "$delay_single_quote_subst"`'
-inherit_rpath='`$ECHO "X$inherit_rpath" | $Xsed -e "$delay_single_quote_subst"`'
-link_all_deplibs='`$ECHO "X$link_all_deplibs" | $Xsed -e "$delay_single_quote_subst"`'
-fix_srcfile_path='`$ECHO "X$fix_srcfile_path" | $Xsed -e "$delay_single_quote_subst"`'
-always_export_symbols='`$ECHO "X$always_export_symbols" | $Xsed -e "$delay_single_quote_subst"`'
-export_symbols_cmds='`$ECHO "X$export_symbols_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-exclude_expsyms='`$ECHO "X$exclude_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
-include_expsyms='`$ECHO "X$include_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
-prelink_cmds='`$ECHO "X$prelink_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-file_list_spec='`$ECHO "X$file_list_spec" | $Xsed -e "$delay_single_quote_subst"`'
-variables_saved_for_relink='`$ECHO "X$variables_saved_for_relink" | $Xsed -e "$delay_single_quote_subst"`'
-need_lib_prefix='`$ECHO "X$need_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
-need_version='`$ECHO "X$need_version" | $Xsed -e "$delay_single_quote_subst"`'
-version_type='`$ECHO "X$version_type" | $Xsed -e "$delay_single_quote_subst"`'
-runpath_var='`$ECHO "X$runpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-shlibpath_var='`$ECHO "X$shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-shlibpath_overrides_runpath='`$ECHO "X$shlibpath_overrides_runpath" | $Xsed -e "$delay_single_quote_subst"`'
-libname_spec='`$ECHO "X$libname_spec" | $Xsed -e "$delay_single_quote_subst"`'
-library_names_spec='`$ECHO "X$library_names_spec" | $Xsed -e "$delay_single_quote_subst"`'
-soname_spec='`$ECHO "X$soname_spec" | $Xsed -e "$delay_single_quote_subst"`'
-postinstall_cmds='`$ECHO "X$postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-postuninstall_cmds='`$ECHO "X$postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-finish_cmds='`$ECHO "X$finish_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`'
-sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
-sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen_self='`$ECHO "X$enable_dlopen_self" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen_self_static='`$ECHO "X$enable_dlopen_self_static" | $Xsed -e "$delay_single_quote_subst"`'
-old_striplib='`$ECHO "X$old_striplib" | $Xsed -e "$delay_single_quote_subst"`'
-striplib='`$ECHO "X$striplib" | $Xsed -e "$delay_single_quote_subst"`'
+macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`'
+macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`'
+enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`'
+enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`'
+pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
+enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
+SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
+ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
+PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
+host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
+host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
+host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
+build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`'
+build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`'
+build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`'
+SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`'
+Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`'
+GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`'
+EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`'
+FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`'
+LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`'
+NM='`$ECHO "$NM" | $SED "$delay_single_quote_subst"`'
+LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`'
+max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`'
+ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`'
+exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`'
+lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`'
+lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`'
+lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`'
+reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`'
+reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`'
+OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`'
+deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`'
+file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`'
+file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`'
+want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`'
+DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`'
+sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`'
+AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`'
+AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`'
+archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`'
+STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`'
+RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`'
+old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`'
+lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`'
+CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`'
+CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`'
+compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`'
+GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`'
+nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`'
+lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`'
+objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`'
+MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`'
+lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`'
+need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`'
+MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`'
+DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`'
+NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`'
+LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`'
+OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`'
+OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`'
+libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`'
+shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`'
+extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`'
+enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`'
+export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`'
+whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`'
+compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`'
+old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`'
+archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`'
+module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
+allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
+no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
+hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
+hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
+hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`'
+hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`'
+hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`'
+inherit_rpath='`$ECHO "$inherit_rpath" | $SED "$delay_single_quote_subst"`'
+link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`'
+always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`'
+export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`'
+exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`'
+include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`'
+prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`'
+postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`'
+file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`'
+variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`'
+need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`'
+need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`'
+version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`'
+runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`'
+libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`'
+library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`'
+soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`'
+install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`'
+postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
+finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
+hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`'
+sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
+sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`'
+enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`'
+old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`'
+striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`'
LTCC='$LTCC'
LTCFLAGS='$LTCFLAGS'
compiler='$compiler_DEFAULT'
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+ eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+
# Quote evaled strings.
-for var in SED \
+for var in SHELL \
+ECHO \
+PATH_SEPARATOR \
+SED \
GREP \
EGREP \
FGREP \
@@ -21109,8 +22311,13 @@ reload_flag \
OBJDUMP \
deplibs_check_method \
file_magic_cmd \
+file_magic_glob \
+want_nocaseglob \
+DLLTOOL \
+sharedlib_from_linklib_cmd \
AR \
AR_FLAGS \
+archiver_list_spec \
STRIP \
RANLIB \
CC \
@@ -21120,14 +22327,14 @@ lt_cv_sys_global_symbol_pipe \
lt_cv_sys_global_symbol_to_cdecl \
lt_cv_sys_global_symbol_to_c_name_address \
lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \
-SHELL \
-ECHO \
+nm_file_list_spec \
lt_prog_compiler_no_builtin_flag \
-lt_prog_compiler_wl \
lt_prog_compiler_pic \
+lt_prog_compiler_wl \
lt_prog_compiler_static \
lt_cv_prog_compiler_c_o \
need_locks \
+MANIFEST_TOOL \
DSYMUTIL \
NMEDIT \
LIPO \
@@ -21141,9 +22348,7 @@ with_gnu_ld \
allow_undefined_flag \
no_undefined_flag \
hardcode_libdir_flag_spec \
-hardcode_libdir_flag_spec_ld \
hardcode_libdir_separator \
-fix_srcfile_path \
exclude_expsyms \
include_expsyms \
file_list_spec \
@@ -21151,12 +22356,13 @@ variables_saved_for_relink \
libname_spec \
library_names_spec \
soname_spec \
+install_override_mode \
finish_eval \
old_striplib \
striplib; do
- case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+ case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
*[\\\\\\\`\\"\\\$]*)
- eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+ eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
;;
*)
eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -21178,14 +22384,15 @@ module_cmds \
module_expsym_cmds \
export_symbols_cmds \
prelink_cmds \
+postlink_cmds \
postinstall_cmds \
postuninstall_cmds \
finish_cmds \
sys_lib_search_path_spec \
sys_lib_dlsearch_path_spec; do
- case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+ case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
*[\\\\\\\`\\"\\\$]*)
- eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+ eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
;;
*)
eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -21193,12 +22400,6 @@ sys_lib_dlsearch_path_spec; do
esac
done
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\$0 --fallback-echo"') lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\$0 --fallback-echo"\$/\$0 --fallback-echo"/'\`
- ;;
-esac
-
ac_aux_dir='$ac_aux_dir'
xsi_shell='$xsi_shell'
lt_shell_append='$lt_shell_append'
@@ -21247,6 +22448,7 @@ do
"src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
"src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
"src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
+ "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
"src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
"src/libstrongswan/plugins/nonce/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/nonce/Makefile" ;;
"src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;;
@@ -21256,6 +22458,7 @@ do
"src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;;
"src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
"src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
+ "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;;
"src/libstrongswan/plugins/pkcs8/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs8/Makefile" ;;
"src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
"src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
@@ -21297,6 +22500,8 @@ do
"src/libimcv/plugins/imv_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_test/Makefile" ;;
"src/libimcv/plugins/imc_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_scanner/Makefile" ;;
"src/libimcv/plugins/imv_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_scanner/Makefile" ;;
+ "src/libimcv/plugins/imc_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_os/Makefile" ;;
+ "src/libimcv/plugins/imv_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_os/Makefile" ;;
"src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
"src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
"src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
@@ -21341,6 +22546,8 @@ do
"src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
"src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
"src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
+ "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
+ "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
"src/libcharon/plugins/certexpire/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/certexpire/Makefile" ;;
"src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
"src/libcharon/plugins/duplicheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/duplicheck/Makefile" ;;
@@ -21373,7 +22580,7 @@ do
"scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
"testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
- *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
esac
done
@@ -21396,9 +22603,10 @@ fi
# after its creation but before its name has been assigned to `$tmp'.
$debug ||
{
- tmp=
+ tmp= ac_tmp=
trap 'exit_status=$?
- { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+ : "${ac_tmp:=$tmp}"
+ { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
' 0
trap 'as_fn_exit 1' 1 2 13 15
}
@@ -21406,12 +22614,13 @@ $debug ||
{
tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
- test -n "$tmp" && test -d "$tmp"
+ test -d "$tmp"
} ||
{
tmp=./conf$$-$RANDOM
(umask 077 && mkdir "$tmp")
} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ac_tmp=$tmp
# Set up the scripts for CONFIG_FILES section.
# No need to generate them if there are no CONFIG_FILES.
@@ -21433,7 +22642,7 @@ else
ac_cs_awk_cr=$ac_cr
fi
-echo 'BEGIN {' >"$tmp/subs1.awk" &&
+echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
_ACEOF
@@ -21461,7 +22670,7 @@ done
rm -f conf$$subs.sh
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
_ACEOF
sed -n '
h
@@ -21509,7 +22718,7 @@ t delim
rm -f conf$$subs.awk
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACAWK
-cat >>"\$tmp/subs1.awk" <<_ACAWK &&
+cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
for (key in S) S_is_set[key] = 1
FS = ""
@@ -21541,7 +22750,7 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
else
cat
-fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
+fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
|| as_fn_error $? "could not setup config files machinery" "$LINENO" 5
_ACEOF
@@ -21575,7 +22784,7 @@ fi # test -n "$CONFIG_FILES"
# No need to generate them if there are no CONFIG_HEADERS.
# This happens for instance with `./config.status Makefile'.
if test -n "$CONFIG_HEADERS"; then
-cat >"$tmp/defines.awk" <<\_ACAWK ||
+cat >"$ac_tmp/defines.awk" <<\_ACAWK ||
BEGIN {
_ACEOF
@@ -21587,8 +22796,8 @@ _ACEOF
# handling of long lines.
ac_delim='%!_!# '
for ac_last_try in false false :; do
- ac_t=`sed -n "/$ac_delim/p" confdefs.h`
- if test -z "$ac_t"; then
+ ac_tt=`sed -n "/$ac_delim/p" confdefs.h`
+ if test -z "$ac_tt"; then
break
elif $ac_last_try; then
as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5
@@ -21689,7 +22898,7 @@ do
esac
case $ac_mode$ac_tag in
:[FHL]*:*);;
- :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
+ :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
:[FH]-) ac_tag=-:-;;
:[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
esac
@@ -21708,7 +22917,7 @@ do
for ac_f
do
case $ac_f in
- -) ac_f="$tmp/stdin";;
+ -) ac_f="$ac_tmp/stdin";;
*) # Look for the file first in the build tree, then in the source tree
# (if the path is not absolute). The absolute path cannot be DOS-style,
# because $ac_f cannot contain `:'.
@@ -21717,7 +22926,7 @@ do
[\\/$]*) false;;
*) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
esac ||
- as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
+ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
esac
case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
as_fn_append ac_file_inputs " '$ac_f'"
@@ -21743,8 +22952,8 @@ $as_echo "$as_me: creating $ac_file" >&6;}
esac
case $ac_tag in
- *:-:* | *:-) cat >"$tmp/stdin" \
- || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
+ *:-:* | *:-) cat >"$ac_tmp/stdin" \
+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
esac
;;
esac
@@ -21880,21 +23089,22 @@ s&@INSTALL@&$ac_INSTALL&;t t
s&@MKDIR_P@&$ac_MKDIR_P&;t t
$ac_datarootdir_hack
"
-eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
- || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
+ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5
test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
- { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
- { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+ { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
+ { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \
+ "$ac_tmp/out"`; test -z "$ac_out"; } &&
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined. Please make sure it is defined" >&5
$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined. Please make sure it is defined" >&2;}
- rm -f "$tmp/stdin"
+ rm -f "$ac_tmp/stdin"
case $ac_file in
- -) cat "$tmp/out" && rm -f "$tmp/out";;
- *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
+ -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
+ *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
esac \
|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
;;
@@ -21905,20 +23115,20 @@ which seems to be undefined. Please make sure it is defined" >&2;}
if test x"$ac_file" != x-; then
{
$as_echo "/* $configure_input */" \
- && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs"
- } >"$tmp/config.h" \
+ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs"
+ } >"$ac_tmp/config.h" \
|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
- if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then
+ if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5
$as_echo "$as_me: $ac_file is unchanged" >&6;}
else
rm -f "$ac_file"
- mv "$tmp/config.h" "$ac_file" \
+ mv "$ac_tmp/config.h" "$ac_file" \
|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
fi
else
$as_echo "/* $configure_input */" \
- && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \
+ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \
|| as_fn_error $? "could not create -" "$LINENO" 5
fi
# Compute "$ac_file"'s index in $config_headers.
@@ -22080,7 +23290,8 @@ $as_echo X"$file" |
# NOTE: Changes made to this file will be lost: look at ltmain.sh.
#
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-# 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# Written by Gordon Matzigkeit, 1996
#
# This file is part of GNU Libtool.
@@ -22128,6 +23339,15 @@ pic_mode=$pic_mode
# Whether or not to optimize for fast installation.
fast_install=$enable_fast_install
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# An echo program that protects backslashes.
+ECHO=$lt_ECHO
+
+# The PATH separator for the build system.
+PATH_SEPARATOR=$lt_PATH_SEPARATOR
+
# The host system.
host_alias=$host_alias
host=$host
@@ -22177,9 +23397,11 @@ SP2NL=$lt_lt_SP2NL
# turn newlines into spaces.
NL2SP=$lt_lt_NL2SP
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
+# convert \$build file names to \$host format.
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+
+# convert \$build files to toolchain format.
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
# An object symbol dumper.
OBJDUMP=$lt_OBJDUMP
@@ -22187,13 +23409,30 @@ OBJDUMP=$lt_OBJDUMP
# Method to check whether dependent libraries are shared objects.
deplibs_check_method=$lt_deplibs_check_method
-# Command to use when deplibs_check_method == "file_magic".
+# Command to use when deplibs_check_method = "file_magic".
file_magic_cmd=$lt_file_magic_cmd
+# How to find potential files when deplibs_check_method = "file_magic".
+file_magic_glob=$lt_file_magic_glob
+
+# Find potential files using nocaseglob when deplibs_check_method = "file_magic".
+want_nocaseglob=$lt_want_nocaseglob
+
+# DLL creation program.
+DLLTOOL=$lt_DLLTOOL
+
+# Command to associate shared and link libraries.
+sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd
+
# The archiver.
AR=$lt_AR
+
+# Flags to create an archive.
AR_FLAGS=$lt_AR_FLAGS
+# How to feed a file listing to the archiver.
+archiver_list_spec=$lt_archiver_list_spec
+
# A symbol stripping program.
STRIP=$lt_STRIP
@@ -22202,6 +23441,9 @@ RANLIB=$lt_RANLIB
old_postinstall_cmds=$lt_old_postinstall_cmds
old_postuninstall_cmds=$lt_old_postuninstall_cmds
+# Whether to use a lock for old archive extraction.
+lock_old_archive_extraction=$lock_old_archive_extraction
+
# A C compiler.
LTCC=$lt_CC
@@ -22220,14 +23462,14 @@ global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
# Transform the output of nm in a C name address pair when lib prefix is needed.
global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+# Specify filename containing input files for \$NM.
+nm_file_list_spec=$lt_nm_file_list_spec
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
+# The root where to search for dependent libraries,and in which our libraries should be installed.
+lt_sysroot=$lt_sysroot
-# An echo program that does not interpret backslashes.
-ECHO=$lt_ECHO
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
# Used to examine libraries when file_magic_cmd begins with "file".
MAGIC_CMD=$MAGIC_CMD
@@ -22235,6 +23477,9 @@ MAGIC_CMD=$MAGIC_CMD
# Must we lock files when doing compilation?
need_locks=$lt_need_locks
+# Manifest tool.
+MANIFEST_TOOL=$lt_MANIFEST_TOOL
+
# Tool to manipulate archived DWARF debug symbol files on Mac OS X.
DSYMUTIL=$lt_DSYMUTIL
@@ -22291,6 +23536,9 @@ library_names_spec=$lt_library_names_spec
# The coded name of the library, if different from the real name.
soname_spec=$lt_soname_spec
+# Permission mode override for installation of shared libraries.
+install_override_mode=$lt_install_override_mode
+
# Command to use after installation of a shared archive.
postinstall_cmds=$lt_postinstall_cmds
@@ -22330,6 +23578,10 @@ striplib=$lt_striplib
# The linker used to build libraries.
LD=$lt_LD
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
# Commands used to build an old-style archive.
old_archive_cmds=$lt_old_archive_cmds
@@ -22342,12 +23594,12 @@ with_gcc=$GCC
# Compiler flag to turn off builtin functions.
no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl
-
# Additional compiler flags for building library objects.
pic_flag=$lt_lt_prog_compiler_pic
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
# Compiler flag to prevent dynamic linking.
link_static_flag=$lt_lt_prog_compiler_static
@@ -22397,10 +23649,6 @@ no_undefined_flag=$lt_no_undefined_flag
# This must work even if \$libdir does not exist
hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
-# If ld is used when linking, flag to hardcode \$libdir into a binary
-# during linking. This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
# Whether we need a single "-rpath" flag with a separated argument.
hardcode_libdir_separator=$lt_hardcode_libdir_separator
@@ -22434,9 +23682,6 @@ inherit_rpath=$inherit_rpath
# Whether libtool must link a program against all its dependency libraries.
link_all_deplibs=$link_all_deplibs
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
# Set to "yes" if exported symbols are required.
always_export_symbols=$always_export_symbols
@@ -22452,6 +23697,9 @@ include_expsyms=$lt_include_expsyms
# Commands necessary for linking programs (against libraries) with templates.
prelink_cmds=$lt_prelink_cmds
+# Commands necessary for finishing linking programs.
+postlink_cmds=$lt_postlink_cmds
+
# Specify filename containing input files.
file_list_spec=$lt_file_list_spec
@@ -22484,212 +23732,169 @@ ltmain="$ac_aux_dir/ltmain.sh"
# if finds mixed CR/LF and LF-only lines. Since sed operates in
# text mode, it properly converts lines to CR/LF. This bash problem
# is reportedly fixed, but why not run on old versions too?
- sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
- || (rm -f "$cfgfile"; exit 1)
-
- case $xsi_shell in
- yes)
- cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE. If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
- case ${1} in
- */*) func_dirname_result="${1%/*}${2}" ;;
- * ) func_dirname_result="${3}" ;;
- esac
-}
-
-# func_basename file
-func_basename ()
-{
- func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-# dirname: Compute the dirname of FILE. If nonempty,
-# add APPEND to the result, otherwise set result
-# to NONDIR_REPLACEMENT.
-# value returned in "$func_dirname_result"
-# basename: Compute filename of FILE.
-# value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
- case ${1} in
- */*) func_dirname_result="${1%/*}${2}" ;;
- * ) func_dirname_result="${3}" ;;
- esac
- func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
- # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
- # positional parameters, so assign one to ordinary parameter first.
- func_stripname_result=${3}
- func_stripname_result=${func_stripname_result#"${1}"}
- func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
- func_opt_split_opt=${1%%=*}
- func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
- case ${1} in
- *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
- *) func_lo2o_result=${1} ;;
- esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
- func_xform_result=${1%.*}.lo
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
- func_arith_result=$(( $* ))
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
- func_len_result=${#1}
-}
-
-_LT_EOF
- ;;
- *) # Bourne compatible functions.
- cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE. If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
- # Extract subdirectory from the argument.
- func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
- if test "X$func_dirname_result" = "X${1}"; then
- func_dirname_result="${3}"
- else
- func_dirname_result="$func_dirname_result${2}"
- fi
-}
-
-# func_basename file
-func_basename ()
-{
- func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
-
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
- case ${2} in
- .*) func_stripname_result=`$ECHO "X${3}" \
- | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
- *) func_stripname_result=`$ECHO "X${3}" \
- | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
- esac
-}
-
-# sed scripts:
-my_sed_long_opt='1s/^\(-[^=]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[^=]*=//'
-
-# func_opt_split
-func_opt_split ()
-{
- func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
- func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
-
-# func_lo2o object
-func_lo2o ()
-{
- func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
- func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[^.]*$/.lo/'`
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
- func_arith_result=`expr "$@"`
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
- func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
-
-_LT_EOF
-esac
-
-case $lt_shell_append in
- yes)
- cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
- eval "$1+=\$2"
-}
-_LT_EOF
- ;;
- *)
- cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
- eval "$1=\$$1\$2"
-}
-
-_LT_EOF
- ;;
- esac
-
-
- sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
- || (rm -f "$cfgfile"; exit 1)
-
- mv -f "$cfgfile" "$ofile" ||
+ sed '$q' "$ltmain" >> "$cfgfile" \
+ || (rm -f "$cfgfile"; exit 1)
+
+ if test x"$xsi_shell" = xyes; then
+ sed -e '/^func_dirname ()$/,/^} # func_dirname /c\
+func_dirname ()\
+{\
+\ case ${1} in\
+\ */*) func_dirname_result="${1%/*}${2}" ;;\
+\ * ) func_dirname_result="${3}" ;;\
+\ esac\
+} # Extended-shell func_dirname implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_basename ()$/,/^} # func_basename /c\
+func_basename ()\
+{\
+\ func_basename_result="${1##*/}"\
+} # Extended-shell func_basename implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_dirname_and_basename ()$/,/^} # func_dirname_and_basename /c\
+func_dirname_and_basename ()\
+{\
+\ case ${1} in\
+\ */*) func_dirname_result="${1%/*}${2}" ;;\
+\ * ) func_dirname_result="${3}" ;;\
+\ esac\
+\ func_basename_result="${1##*/}"\
+} # Extended-shell func_dirname_and_basename implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_stripname ()$/,/^} # func_stripname /c\
+func_stripname ()\
+{\
+\ # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are\
+\ # positional parameters, so assign one to ordinary parameter first.\
+\ func_stripname_result=${3}\
+\ func_stripname_result=${func_stripname_result#"${1}"}\
+\ func_stripname_result=${func_stripname_result%"${2}"}\
+} # Extended-shell func_stripname implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_split_long_opt ()$/,/^} # func_split_long_opt /c\
+func_split_long_opt ()\
+{\
+\ func_split_long_opt_name=${1%%=*}\
+\ func_split_long_opt_arg=${1#*=}\
+} # Extended-shell func_split_long_opt implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_split_short_opt ()$/,/^} # func_split_short_opt /c\
+func_split_short_opt ()\
+{\
+\ func_split_short_opt_arg=${1#??}\
+\ func_split_short_opt_name=${1%"$func_split_short_opt_arg"}\
+} # Extended-shell func_split_short_opt implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_lo2o ()$/,/^} # func_lo2o /c\
+func_lo2o ()\
+{\
+\ case ${1} in\
+\ *.lo) func_lo2o_result=${1%.lo}.${objext} ;;\
+\ *) func_lo2o_result=${1} ;;\
+\ esac\
+} # Extended-shell func_lo2o implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_xform ()$/,/^} # func_xform /c\
+func_xform ()\
+{\
+ func_xform_result=${1%.*}.lo\
+} # Extended-shell func_xform implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_arith ()$/,/^} # func_arith /c\
+func_arith ()\
+{\
+ func_arith_result=$(( $* ))\
+} # Extended-shell func_arith implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_len ()$/,/^} # func_len /c\
+func_len ()\
+{\
+ func_len_result=${#1}\
+} # Extended-shell func_len implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+fi
+
+if test x"$lt_shell_append" = xyes; then
+ sed -e '/^func_append ()$/,/^} # func_append /c\
+func_append ()\
+{\
+ eval "${1}+=\\${2}"\
+} # Extended-shell func_append implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ sed -e '/^func_append_quoted ()$/,/^} # func_append_quoted /c\
+func_append_quoted ()\
+{\
+\ func_quote_for_eval "${2}"\
+\ eval "${1}+=\\\\ \\$func_quote_for_eval_result"\
+} # Extended-shell func_append_quoted implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+ # Save a `func_append' function call where possible by direct use of '+='
+ sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+ test 0 -eq $? || _lt_function_replace_fail=:
+else
+ # Save a `func_append' function call even when '+=' is not available
+ sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+ test 0 -eq $? || _lt_function_replace_fail=:
+fi
+
+if test x"$_lt_function_replace_fail" = x":"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to substitute extended shell functions in $ofile" >&5
+$as_echo "$as_me: WARNING: Unable to substitute extended shell functions in $ofile" >&2;}
+fi
+
+
+ mv -f "$cfgfile" "$ofile" ||
(rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
chmod +x "$ofile"
diff --git a/configure.in b/configure.in
index d4d54e3ce..2c3e739d6 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
dnl initialize & set some vars
dnl ===========================
-AC_INIT(strongSwan,5.0.1)
+AC_INIT(strongSwan,5.0.2)
AM_INIT_AUTOMAKE(tar-ustar)
AC_CONFIG_MACRO_DIR([m4/config])
AC_CONFIG_HEADERS([config.h])
@@ -44,6 +44,7 @@ ARG_WITH_SUBST([routing-table], [220], [set routing table to use for IPsec
ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
ARG_WITH_SUBST([ipsec-script], [ipsec], [change the name of the ipsec script])
+ARG_WITH_SET([tss], [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
ARG_WITH_SET([dev-headers], [no], [install strongSwan development headers to directory.])
@@ -111,6 +112,7 @@ ARG_DISBL_SET([sha1], [disable SHA1 software implementation plugin.])
ARG_DISBL_SET([sha2], [disable SHA256/SHA384/SHA512 software implementation plugin.])
ARG_DISBL_SET([fips-prf], [disable FIPS PRF software implementation plugin.])
ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_ENABL_SET([rdrand], [enable Intel RDRAND random generator plugin.])
ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.])
ARG_DISBL_SET([nonce], [disable nonce generation plugin.])
ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.])
@@ -118,6 +120,7 @@ ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]
ARG_DISBL_SET([constraints], [disable advanced X509 constraint checking plugin.])
ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.])
ARG_DISBL_SET([pkcs1], [disable PKCS1 key decoding plugin.])
+ARG_DISBL_SET([pkcs7], [disable PKCS7 container support plugin.])
ARG_DISBL_SET([pkcs8], [disable PKCS8 private key decoding plugin.])
ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.])
ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.])
@@ -170,6 +173,8 @@ ARG_ENABL_SET([imc-test], [enable IMC test module.])
ARG_ENABL_SET([imv-test], [enable IMV test module.])
ARG_ENABL_SET([imc-scanner], [enable IMC port scanner module.])
ARG_ENABL_SET([imv-scanner], [enable IMV port scanner module.])
+ARG_ENABL_SET([imc-os], [enable IMC operating system module.])
+ARG_ENABL_SET([imv-os], [enable IMV operating system module.])
ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
@@ -214,6 +219,8 @@ ARG_ENABL_SET([maemo], [enable Maemo specific plugin.])
ARG_ENABL_SET([nm], [enable NetworkManager backend.])
ARG_ENABL_SET([ha], [enable high availability cluster plugin.])
ARG_ENABL_SET([whitelist], [enable peer identity whitelisting plugin.])
+ARG_ENABL_SET([lookip], [enable fast virtual IP lookup and notification plugin.])
+ARG_ENABL_SET([error-notify], [enable error notification plugin.])
ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.])
ARG_ENABL_SET([led], [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.])
@@ -293,7 +300,7 @@ if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_
tnc_tnccs=true;
fi
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
imcv=true;
fi
@@ -410,6 +417,8 @@ dnl check if we can cancel threads
AC_CHECK_FUNCS(pthread_cancel)
dnl check if native rwlocks are available
AC_CHECK_FUNCS(pthread_rwlock_init)
+dnl check if pthread spinlocks are available
+AC_CHECK_FUNCS(pthread_spin_init)
dnl check if we have POSIX semaphore functions, including timed-wait
AC_CHECK_FUNCS(sem_timedwait)
LIBS=$saved_LIBS
@@ -627,9 +636,10 @@ if test x$axis2c = xtrue; then
AC_SUBST(axis2c_LIBS)
fi
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$tss = xtrousers; then
AC_HAVE_LIBRARY([tspi],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])])
AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
+ AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
fi
if test x$dumm = xtrue; then
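Review bot: Any `--with-tss` value other than `trousers` falls through the new `if test x$tss = xtrousers` without a diagnostic, so a typo or a bare `--with-tss` (which autoconf normally expands to `yes`) gives a build without `TSS_TROUSERS` and without the libtspi checks. Because the old condition on `imc_attestation`/`imv_attestation` is gone, an attestation build no longer fails when libtspi is missing. Whether those modules still behave as intended without a TSS is not visible in this hunk and should be confirmed. I would reject unknown values explicitly before the closing `fi`, with `elif test x$tss != xno; then AC_MSG_ERROR([unsupported TSS implementation: $tss])`.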
@@ -639,27 +649,37 @@ if test x$dumm = xtrue; then
AC_CHECK_PROGS(RUBY, ruby)
AC_MSG_CHECKING([for Ruby header files])
if test -n "$RUBY"; then
- RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG[["archdir"]] || $archdir') 2>/dev/null`
- if test -n "$RUBYDIR"; then
- dirs="$RUBYDIR"
- RUBYINCLUDE=none
- for i in $dirs; do
- if test -r $i/ruby.h; then
- AC_MSG_RESULT([$i])
- RUBYINCLUDE="-I$i"
- break;
- fi
- done
- if test x"$RUBYINCLUDE" = xnone; then
- AC_MSG_ERROR([ruby.h not found])
+ RUBYINCLUDE=
+ RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["rubyhdrdir"]] || ""') 2>/dev/null`
+ if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+ RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["arch"]] || ""') 2>/dev/null`
+ if test -n "$RUBYARCH"; then
+ AC_MSG_RESULT([$RUBYDIR])
+ RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
fi
- AC_SUBST(RUBYINCLUDE)
else
- AC_MSG_ERROR([unable to determine ruby configuration])
+ RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["archdir"]] || ""') 2>/dev/null`
+ if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+ AC_MSG_RESULT([$RUBYDIR])
+ RUBYINCLUDE="-I$RUBYDIR"
+ fi
+ fi
+ if test -z "$RUBYINCLUDE"; then
+ AC_MSG_ERROR([ruby.h not found])
fi
+ AC_SUBST(RUBYINCLUDE)
else
AC_MSG_ERROR([don't know how to run ruby])
fi
+ AC_MSG_CHECKING([for libruby])
+ saved_LIBS=$LIBS
+ LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["LIBRUBYARG_SHARED"]] || ""') 2>/dev/null`
+ AC_TRY_LINK_FUNC(ruby_init,
+ [AC_MSG_RESULT([$LIBS]); RUBYLIB=$LIBS],
+ [AC_MSG_ERROR([not found])])
+ AC_SUBST(RUBYLIB)
+ AC_CHECK_FUNCS(rb_errinfo)
+ LIBS=$saved_LIBS
fi
if test x$fast = xtrue; then
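Review bot: In the `rubyhdrdir` branch, an empty `RUBYARCH` leaves `RUBYINCLUDE` unset and the `archdir` fallback in the `else` is never tried, so configure stops with `ruby.h not found` even though `$RUBYDIR/ruby.h` was just found readable. Either fall back to the `archdir` probe in that case or report the real cause, for example `AC_MSG_ERROR([unable to determine ruby arch directory])`. The `$RUBY -r rbconfig` probes also discard stderr with `2>/dev/null`, so a failing interpreter looks the same as a missing key; a short `dnl` comment saying this is intentional would help. The enclosing `if test x$dumm = xtrue` block starts above the hunk.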
@@ -871,6 +891,7 @@ ADD_PLUGIN([sha1], [s charon openac scepclient pki scripts medsr
ADD_PLUGIN([sha2], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([md4], [s charon openac manager scepclient pki nm])
ADD_PLUGIN([md5], [s charon openac scepclient pki scripts attest nm])
+ADD_PLUGIN([rdrand], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([random], [s charon openac scepclient pki scripts medsrv attest nm])
ADD_PLUGIN([nonce], [s charon nm])
ADD_PLUGIN([x509], [s charon openac scepclient pki scripts attest nm])
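Review bot: `rdrand` is registered ahead of `random` for every listed binary, including `pki` and `scepclient`, and nothing here says whether that ordering is deliberate. If list position determines which RNG implementation is preferred at run time (not visible in this hunk), enabling the plugin makes the CPU instruction the primary randomness source for key generation. That is a trust decision operators should be told about. I would add a comment above the line such as `dnl rdrand is listed before random on purpose; when enabled it takes precedence as RNG source`, or move the entry after `random` if precedence is not intended.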
@@ -878,6 +899,7 @@ ADD_PLUGIN([revocation], [s charon nm])
ADD_PLUGIN([constraints], [s charon nm])
ADD_PLUGIN([pubkey], [s charon])
ADD_PLUGIN([pkcs1], [s charon openac scepclient pki scripts manager medsrv attest nm])
+ADD_PLUGIN([pkcs7], [s scepclient pki])
ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pgp], [s charon])
ADD_PLUGIN([dnskey], [s charon])
@@ -946,6 +968,8 @@ ADD_PLUGIN([android], [c charon])
ADD_PLUGIN([android-log], [c charon])
ADD_PLUGIN([ha], [c charon])
ADD_PLUGIN([whitelist], [c charon])
+ADD_PLUGIN([lookip], [c charon])
+ADD_PLUGIN([error-notify], [c charon])
ADD_PLUGIN([certexpire], [c charon])
ADD_PLUGIN([led], [c charon])
ADD_PLUGIN([duplicheck], [c charon])
@@ -993,6 +1017,7 @@ AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
@@ -1000,6 +1025,7 @@ AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
+AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
@@ -1036,6 +1062,8 @@ AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
+AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
+AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
AM_CONDITIONAL(USE_LED, test x$led = xtrue)
AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
@@ -1074,6 +1102,8 @@ AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
AM_CONDITIONAL(USE_IMC_SCANNER, test x$imc_scanner = xtrue)
AM_CONDITIONAL(USE_IMV_SCANNER, test x$imv_scanner = xtrue)
+AM_CONDITIONAL(USE_IMC_OS, test x$imc_os = xtrue)
+AM_CONDITIONAL(USE_IMV_OS, test x$imv_os = xtrue)
AM_CONDITIONAL(USE_IMC_ATTESTATION, test x$imc_attestation = xtrue)
AM_CONDITIONAL(USE_IMV_ATTESTATION, test x$imv_attestation = xtrue)
AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
@@ -1126,6 +1156,7 @@ AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
+AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
dnl ==============================
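Review bot: The added `USE_TROUSERS` conditional expands `$tss` unquoted, and unlike the neighbouring true/false switches it is compared against a string value (`trousers`), which is presumably taken from a configure option set outside this hunk. The `x` prefix covers an empty value, but a value containing whitespace or glob characters would be split or expanded into extra words, so `test` would fail with a syntax error rather than cleanly evaluating to false. Quoting the expansion avoids that: `AM_CONDITIONAL(USE_TROUSERS, test "x$tss" = xtrousers)`. A short `dnl` comment listing the accepted values of `tss` next to this line would also make clear why it is not compared with `xtrue` like the others.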
@@ -1170,6 +1201,7 @@ AC_OUTPUT(
src/libstrongswan/plugins/sha2/Makefile
src/libstrongswan/plugins/fips_prf/Makefile
src/libstrongswan/plugins/gmp/Makefile
+ src/libstrongswan/plugins/rdrand/Makefile
src/libstrongswan/plugins/random/Makefile
src/libstrongswan/plugins/nonce/Makefile
src/libstrongswan/plugins/hmac/Makefile
@@ -1179,6 +1211,7 @@ AC_OUTPUT(
src/libstrongswan/plugins/constraints/Makefile
src/libstrongswan/plugins/pubkey/Makefile
src/libstrongswan/plugins/pkcs1/Makefile
+ src/libstrongswan/plugins/pkcs7/Makefile
src/libstrongswan/plugins/pkcs8/Makefile
src/libstrongswan/plugins/pgp/Makefile
src/libstrongswan/plugins/dnskey/Makefile
@@ -1220,6 +1253,8 @@ AC_OUTPUT(
src/libimcv/plugins/imv_test/Makefile
src/libimcv/plugins/imc_scanner/Makefile
src/libimcv/plugins/imv_scanner/Makefile
+ src/libimcv/plugins/imc_os/Makefile
+ src/libimcv/plugins/imv_os/Makefile
src/charon/Makefile
src/charon-nm/Makefile
src/libcharon/Makefile
@@ -1264,6 +1299,8 @@ AC_OUTPUT(
src/libcharon/plugins/uci/Makefile
src/libcharon/plugins/ha/Makefile
src/libcharon/plugins/whitelist/Makefile
+ src/libcharon/plugins/lookip/Makefile
+ src/libcharon/plugins/error_notify/Makefile
src/libcharon/plugins/certexpire/Makefile
src/libcharon/plugins/led/Makefile
src/libcharon/plugins/duplicheck/Makefile
diff --git a/depcomp b/depcomp
index df8eea7e4..bd0ac0895 100755
--- a/depcomp
+++ b/depcomp
@@ -1,10 +1,10 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-12-04.11; # UTC
-# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free
-# Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010,
+# 2011 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -44,7 +44,7 @@ Environment variables:
object Object file output by `PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
- tmpdepfile Temporary file to use when outputing dependencies.
+ tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
@@ -90,10 +90,18 @@ if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
- cygpath_u="sed s,\\\\\\\\,/,g"
+ cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi
+if test "$depmode" = msvc7msys; then
+ # This is just like msvc7 but w/o cygpath translation.
+ # Just convert the backslash-escaped backslashes to single forward
+ # slashes to satisfy depend.m4
+ cygpath_u='sed s,\\\\,/,g'
+ depmode=msvc7
+fi
+
case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
@@ -158,10 +166,12 @@ gcc)
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## that the space means something, we add a space to the output as
-## well.
+## well. hp depmode also adds that space, but also prefixes the VPATH
+## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
+ | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
@@ -405,6 +415,52 @@ tru64)
rm -f "$tmpdepfile"
;;
+msvc7)
+ if test "$libtool" = yes; then
+ showIncludes=-Wc,-showIncludes
+ else
+ showIncludes=-showIncludes
+ fi
+ "$@" $showIncludes > "$tmpdepfile"
+ stat=$?
+ grep -v '^Note: including file: ' "$tmpdepfile"
+ if test "$stat" = 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ # The first sed program below extracts the file names and escapes
+ # backslashes for cygpath. The second sed program outputs the file
+ # name when reading, but also accumulates all include files in the
+ # hold buffer in order to output them again at the end. This only
+ # works with sed implementations that can handle large buffers.
+ sed < "$tmpdepfile" -n '
+/^Note: including file: *\(.*\)/ {
+ s//\1/
+ s/\\/\\\\/g
+ p
+}' | $cygpath_u | sort -u | sed -n '
+s/ /\\ /g
+s/\(.*\)/ \1 \\/p
+s/.\(.*\) \\/\1:/
+H
+$ {
+ s/.*/ /
+ G
+ p
+}' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+msvc7msys)
+ # This case exists only to let depend.m4 do its work. It works by
+ # looking at the text of this script. This case will never be run,
+ # since it is checked for above.
+ exit 1
+ ;;
+
#nosideeffect)
# This comment above is used by automake to tell side-effect
# dependency tracking mechanisms from slower ones.
@@ -503,7 +559,9 @@ makedepend)
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
- cat < "$tmpdepfile" > "$depfile"
+ # makedepend may prepend the VPATH from the source file name to the object.
+ # No need to regex-escape $object, excess matching of '.' is harmless.
+ sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
diff --git a/init/Makefile.in b/init/Makefile.in
index f8e21d34f..7d7346e0c 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -114,6 +114,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -141,6 +142,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,6 +170,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -180,6 +183,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -233,7 +237,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -529,10 +532,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index e9130bffb..def76088a 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(systemdsystemunitdir)"
DATA = $(systemdsystemunit_DATA)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -97,6 +103,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -124,6 +131,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -151,6 +159,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -163,6 +172,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -216,7 +226,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -322,9 +331,7 @@ uninstall-systemdsystemunitDATA:
@$(NORMAL_UNINSTALL)
@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(systemdsystemunitdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(systemdsystemunitdir)" && rm -f $$files
+ dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
tags: TAGS
TAGS:
@@ -379,10 +386,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/install-sh b/install-sh
index 6781b987b..a9244eb07 100755
--- a/install-sh
+++ b/install-sh
@@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-01-19.21; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@@ -156,6 +156,10 @@ while test $# -ne 0; do
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
+ # Protect names problematic for `test' and other utilities.
+ case $dst_arg in
+ -* | [=\(\)!]) dst_arg=./$dst_arg;;
+ esac
shift;;
-T) no_target_directory=true;;
@@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
fi
shift # arg
dst_arg=$arg
+ # Protect names problematic for `test' and other utilities.
+ case $dst_arg in
+ -* | [=\(\)!]) dst_arg=./$dst_arg;;
+ esac
done
fi
@@ -200,7 +208,11 @@ if test $# -eq 0; then
fi
if test -z "$dir_arg"; then
- trap '(exit $?); exit' 1 2 13 15
+ do_exit='(exit $ret); exit $ret'
+ trap "ret=129; $do_exit" 1
+ trap "ret=130; $do_exit" 2
+ trap "ret=141; $do_exit" 13
+ trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
@@ -228,9 +240,9 @@ fi
for src
do
- # Protect names starting with `-'.
+ # Protect names problematic for `test' and other utilities.
case $src in
- -*) src=./$src;;
+ -* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
@@ -252,12 +264,7 @@ do
echo "$0: no destination specified." >&2
exit 1
fi
-
dst=$dst_arg
- # Protect names starting with `-'.
- case $dst in
- -*) dst=./$dst;;
- esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
@@ -385,7 +392,7 @@ do
case $dstdir in
/*) prefix='/';;
- -*) prefix='./';;
+ [-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
@@ -403,7 +410,7 @@ do
for d
do
- test -z "$d" && continue
+ test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
diff --git a/ltmain.sh b/ltmain.sh
index 7ed280bc9..c2852d856 100755..100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,9 +1,9 @@
-# Generated from ltmain.m4sh.
-# ltmain.sh (GNU libtool) 2.2.6b
+# libtool (GNU libtool) 2.4.2
# Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
+# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
# This is free software; see the source for copying conditions. There is NO
# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
@@ -32,50 +32,57 @@
#
# Provide generalized library-building support services.
#
-# --config show all configuration variables
-# --debug enable verbose shell tracing
-# -n, --dry-run display commands without modifying any files
-# --features display basic configuration information and exit
-# --mode=MODE use operation mode MODE
-# --preserve-dup-deps don't remove duplicate dependency libraries
-# --quiet, --silent don't print informational messages
-# --tag=TAG use configuration variables from tag TAG
-# -v, --verbose print informational messages (default)
-# --version print version information
-# -h, --help print short or long help message
+# --config show all configuration variables
+# --debug enable verbose shell tracing
+# -n, --dry-run display commands without modifying any files
+# --features display basic configuration information and exit
+# --mode=MODE use operation mode MODE
+# --preserve-dup-deps don't remove duplicate dependency libraries
+# --quiet, --silent don't print informational messages
+# --no-quiet, --no-silent
+# print informational messages (default)
+# --no-warn don't display warning messages
+# --tag=TAG use configuration variables from tag TAG
+# -v, --verbose print more informational messages than default
+# --no-verbose don't print the extra informational messages
+# --version print version information
+# -h, --help, --help-all print short, long, or detailed help message
#
# MODE must be one of the following:
#
-# clean remove files from the build directory
-# compile compile a source file into a libtool object
-# execute automatically set library path, then run a program
-# finish complete the installation of libtool libraries
-# install install libraries or executables
-# link create a library or an executable
-# uninstall remove libraries from an installed directory
+# clean remove files from the build directory
+# compile compile a source file into a libtool object
+# execute automatically set library path, then run a program
+# finish complete the installation of libtool libraries
+# install install libraries or executables
+# link create a library or an executable
+# uninstall remove libraries from an installed directory
#
-# MODE-ARGS vary depending on the MODE.
+# MODE-ARGS vary depending on the MODE. When passed as first option,
+# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that.
# Try `$progname --help --mode=MODE' for a more detailed description of MODE.
#
# When reporting a bug, please describe a test case to reproduce it and
# include the following information:
#
-# host-triplet: $host
-# shell: $SHELL
-# compiler: $LTCC
-# compiler flags: $LTCFLAGS
-# linker: $LD (gnu? $with_gnu_ld)
-# $progname: (GNU libtool) 2.2.6b Debian-2.2.6b-2ubuntu1
-# automake: $automake_version
-# autoconf: $autoconf_version
+# host-triplet: $host
+# shell: $SHELL
+# compiler: $LTCC
+# compiler flags: $LTCFLAGS
+# linker: $LD (gnu? $with_gnu_ld)
+# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu1
+# automake: $automake_version
+# autoconf: $autoconf_version
#
# Report bugs to <bug-libtool@gnu.org>.
+# GNU libtool home page: <http://www.gnu.org/software/libtool/>.
+# General help using GNU software: <http://www.gnu.org/gethelp/>.
-PROGRAM=ltmain.sh
+PROGRAM=libtool
PACKAGE=libtool
-VERSION="2.2.6b Debian-2.2.6b-2ubuntu1"
+VERSION="2.4.2 Debian-2.4.2-1ubuntu1"
TIMESTAMP=""
-package_revision=1.3017
+package_revision=1.3337
# Be Bourne compatible
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -91,10 +98,15 @@ fi
BIN_SH=xpg4; export BIN_SH # for Tru64
DUALCASE=1; export DUALCASE # for MKS sh
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+ eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+}
+
# NLS nuisances: We save the old values to restore during execute mode.
-# Only set LANG and LC_ALL to C if already set.
-# These must not be set unconditionally because not all systems understand
-# e.g. LANG=C (notably SCO).
lt_user_locale=
lt_safe_locale=
for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
@@ -107,24 +119,28 @@ do
lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\"
fi"
done
+LC_ALL=C
+LANGUAGE=C
+export LANGUAGE LC_ALL
$lt_unset CDPATH
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
: ${CP="cp -f"}
-: ${ECHO="echo"}
-: ${EGREP="/bin/grep -E"}
-: ${FGREP="/bin/grep -F"}
-: ${GREP="/bin/grep"}
-: ${LN_S="ln -s"}
+test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
: ${MAKE="make"}
: ${MKDIR="mkdir"}
: ${MV="mv -f"}
: ${RM="rm -f"}
-: ${SED="/bin/sed"}
: ${SHELL="${CONFIG_SHELL-/bin/sh}"}
: ${Xsed="$SED -e 1s/^X//"}
@@ -144,6 +160,27 @@ IFS=" $lt_nl"
dirname="s,/[^/]*$,,"
basename="s,^.*/,,"
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE. If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+ func_dirname_result=`$ECHO "${1}" | $SED "$dirname"`
+ if test "X$func_dirname_result" = "X${1}"; then
+ func_dirname_result="${3}"
+ else
+ func_dirname_result="$func_dirname_result${2}"
+ fi
+} # func_dirname may be replaced by extended shell implementation
+
+
+# func_basename file
+func_basename ()
+{
+ func_basename_result=`$ECHO "${1}" | $SED "$basename"`
+} # func_basename may be replaced by extended shell implementation
+
+
# func_dirname_and_basename file append nondir_replacement
# perform func_basename and func_dirname in a single function
# call:
@@ -158,33 +195,183 @@ basename="s,^.*/,,"
# those functions but instead duplicate the functionality here.
func_dirname_and_basename ()
{
- # Extract subdirectory from the argument.
- func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
- if test "X$func_dirname_result" = "X${1}"; then
- func_dirname_result="${3}"
- else
- func_dirname_result="$func_dirname_result${2}"
- fi
- func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+ # Extract subdirectory from the argument.
+ func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"`
+ if test "X$func_dirname_result" = "X${1}"; then
+ func_dirname_result="${3}"
+ else
+ func_dirname_result="$func_dirname_result${2}"
+ fi
+ func_basename_result=`$ECHO "${1}" | $SED -e "$basename"`
+} # func_dirname_and_basename may be replaced by extended shell implementation
+
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+# func_strip_suffix prefix name
+func_stripname ()
+{
+ case ${2} in
+ .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
+ *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
+ esac
+} # func_stripname may be replaced by extended shell implementation
+
+
+# These SED scripts presuppose an absolute path with a trailing slash.
+pathcar='s,^/\([^/]*\).*$,\1,'
+pathcdr='s,^/[^/]*,,'
+removedotparts=':dotsl
+ s@/\./@/@g
+ t dotsl
+ s,/\.$,/,'
+collapseslashes='s@/\{1,\}@/@g'
+finalslash='s,/*$,/,'
+
+# func_normal_abspath PATH
+# Remove doubled-up and trailing slashes, "." path components,
+# and cancel out any ".." path components in PATH after making
+# it an absolute path.
+# value returned in "$func_normal_abspath_result"
+func_normal_abspath ()
+{
+ # Start from root dir and reassemble the path.
+ func_normal_abspath_result=
+ func_normal_abspath_tpath=$1
+ func_normal_abspath_altnamespace=
+ case $func_normal_abspath_tpath in
+ "")
+ # Empty path, that just means $cwd.
+ func_stripname '' '/' "`pwd`"
+ func_normal_abspath_result=$func_stripname_result
+ return
+ ;;
+ # The next three entries are used to spot a run of precisely
+ # two leading slashes without using negated character classes;
+ # we take advantage of case's first-match behaviour.
+ ///*)
+ # Unusual form of absolute path, do nothing.
+ ;;
+ //*)
+ # Not necessarily an ordinary path; POSIX reserves leading '//'
+ # and for example Cygwin uses it to access remote file shares
+ # over CIFS/SMB, so we conserve a leading double slash if found.
+ func_normal_abspath_altnamespace=/
+ ;;
+ /*)
+ # Absolute path, do nothing.
+ ;;
+ *)
+ # Relative path, prepend $cwd.
+ func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
+ ;;
+ esac
+ # Cancel out all the simple stuff to save iterations. We also want
+ # the path to end with a slash for ease of parsing, so make sure
+ # there is one (and only one) here.
+ func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+ -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"`
+ while :; do
+ # Processed it all yet?
+ if test "$func_normal_abspath_tpath" = / ; then
+ # If we ascended to the root using ".." the result may be empty now.
+ if test -z "$func_normal_abspath_result" ; then
+ func_normal_abspath_result=/
+ fi
+ break
+ fi
+ func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
+ -e "$pathcar"`
+ func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+ -e "$pathcdr"`
+ # Figure out what to do with it
+ case $func_normal_abspath_tcomponent in
+ "")
+ # Trailing empty path component, ignore it.
+ ;;
+ ..)
+ # Parent dir; strip last assembled component from result.
+ func_dirname "$func_normal_abspath_result"
+ func_normal_abspath_result=$func_dirname_result
+ ;;
+ *)
+ # Actual path component, append it.
+ func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent
+ ;;
+ esac
+ done
+ # Restore leading double-slash if one was found on entry.
+ func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
}
-# Generated shell functions inserted here.
+# func_relative_path SRCDIR DSTDIR
+# generates a relative path from SRCDIR to DSTDIR, with a trailing
+# slash if non-empty, suitable for immediately appending a filename
+# without needing to append a separator.
+# value returned in "$func_relative_path_result"
+func_relative_path ()
+{
+ func_relative_path_result=
+ func_normal_abspath "$1"
+ func_relative_path_tlibdir=$func_normal_abspath_result
+ func_normal_abspath "$2"
+ func_relative_path_tbindir=$func_normal_abspath_result
+
+ # Ascend the tree starting from libdir
+ while :; do
+ # check if we have found a prefix of bindir
+ case $func_relative_path_tbindir in
+ $func_relative_path_tlibdir)
+ # found an exact match
+ func_relative_path_tcancelled=
+ break
+ ;;
+ $func_relative_path_tlibdir*)
+ # found a matching prefix
+ func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
+ func_relative_path_tcancelled=$func_stripname_result
+ if test -z "$func_relative_path_result"; then
+ func_relative_path_result=.
+ fi
+ break
+ ;;
+ *)
+ func_dirname $func_relative_path_tlibdir
+ func_relative_path_tlibdir=${func_dirname_result}
+ if test "x$func_relative_path_tlibdir" = x ; then
+ # Have to descend all the way to the root!
+ func_relative_path_result=../$func_relative_path_result
+ func_relative_path_tcancelled=$func_relative_path_tbindir
+ break
+ fi
+ func_relative_path_result=../$func_relative_path_result
+ ;;
+ esac
+ done
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
+ # Now calculate path; take care to avoid doubling-up slashes.
+ func_stripname '' '/' "$func_relative_path_result"
+ func_relative_path_result=$func_stripname_result
+ func_stripname '/' '/' "$func_relative_path_tcancelled"
+ if test "x$func_stripname_result" != x ; then
+ func_relative_path_result=${func_relative_path_result}/${func_stripname_result}
+ fi
+
+ # Normalisation. If bindir is libdir, return empty string,
+ # else relative path ending with a slash; either way, target
+ # file name can be directly appended.
+ if test ! -z "$func_relative_path_result"; then
+ func_stripname './' '' "$func_relative_path_result/"
+ func_relative_path_result=$func_stripname_result
+ fi
+}
# The name of this program:
-# In the unlikely event $progname began with a '-', it would play havoc with
-# func_echo (imagine progname=-n), so we prepend ./ in that case:
func_dirname_and_basename "$progpath"
progname=$func_basename_result
-case $progname in
- -*) progname=./$progname ;;
-esac
# Make sure we have an absolute path for reexecution:
case $progpath in
@@ -196,7 +383,7 @@ case $progpath in
;;
*)
save_IFS="$IFS"
- IFS=:
+ IFS=${PATH_SEPARATOR-:}
for progdir in $PATH; do
IFS="$save_IFS"
test -x "$progdir/$progname" && break
@@ -215,6 +402,15 @@ sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
# Same as above, but do not quote variable references.
double_quote_subst='s/\(["`\\]\)/\\\1/g'
+# Sed substitution that turns a string into a regex matching for the
+# string literally.
+sed_make_literal_regex='s,[].[^$\\*\/],\\&,g'
+
+# Sed substitution that converts a w32 file name or path
+# which contains forward slashes, into one that contains
+# (escaped) backslashes. A very naive implementation.
+lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+
# Re-`\' parameter expansions in output of double_quote_subst that were
# `\'-ed in input to the same. If an odd number of `\' preceded a '$'
# in input to double_quote_subst, that '$' was protected from expansion.
@@ -243,7 +439,7 @@ opt_warning=:
# name if it has been set yet.
func_echo ()
{
- $ECHO "$progname${mode+: }$mode: $*"
+ $ECHO "$progname: ${opt_mode+$opt_mode: }$*"
}
# func_verbose arg...
@@ -258,18 +454,25 @@ func_verbose ()
:
}
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+ $ECHO "$*"
+}
+
# func_error arg...
# Echo program name prefixed message to standard error.
func_error ()
{
- $ECHO "$progname${mode+: }$mode: "${1+"$@"} 1>&2
+ $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2
}
# func_warning arg...
# Echo program name prefixed warning message to standard error.
func_warning ()
{
- $opt_warning && $ECHO "$progname${mode+: }$mode: warning: "${1+"$@"} 1>&2
+ $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2
# bash bug again:
:
@@ -326,9 +529,9 @@ func_mkdir_p ()
case $my_directory_path in */*) ;; *) break ;; esac
# ...otherwise throw away the child directory and loop
- my_directory_path=`$ECHO "X$my_directory_path" | $Xsed -e "$dirname"`
+ my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"`
done
- my_dir_list=`$ECHO "X$my_dir_list" | $Xsed -e 's,:*$,,'`
+ my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'`
save_mkdir_p_IFS="$IFS"; IFS=':'
for my_dir in $my_dir_list; do
@@ -378,7 +581,7 @@ func_mktempdir ()
func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
fi
- $ECHO "X$my_tmpdir" | $Xsed
+ $ECHO "$my_tmpdir"
}
@@ -392,7 +595,7 @@ func_quote_for_eval ()
{
case $1 in
*[\\\`\"\$]*)
- func_quote_for_eval_unquoted_result=`$ECHO "X$1" | $Xsed -e "$sed_quote_subst"` ;;
+ func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;;
*)
func_quote_for_eval_unquoted_result="$1" ;;
esac
@@ -419,7 +622,7 @@ func_quote_for_expand ()
{
case $1 in
*[\\\`\"]*)
- my_arg=`$ECHO "X$1" | $Xsed \
+ my_arg=`$ECHO "$1" | $SED \
-e "$double_quote_subst" -e "$sed_double_backslash"` ;;
*)
my_arg="$1" ;;
@@ -488,15 +691,39 @@ func_show_eval_locale ()
fi
}
-
-
+# func_tr_sh
+# Turn $1 into a string suitable for a shell variable name.
+# Result is stored in $func_tr_sh_result. All characters
+# not in the set a-zA-Z0-9_ are replaced with '_'. Further,
+# if $1 begins with a digit, a '_' is prepended as well.
+func_tr_sh ()
+{
+ case $1 in
+ [0-9]* | *[!a-zA-Z0-9_]*)
+ func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'`
+ ;;
+ * )
+ func_tr_sh_result=$1
+ ;;
+ esac
+}
# func_version
# Echo version message to standard output and exit.
func_version ()
{
- $SED -n '/^# '$PROGRAM' (GNU /,/# warranty; / {
+ $opt_debug
+
+ $SED -n '/(C)/!b go
+ :more
+ /\./!{
+ N
+ s/\n# / /
+ b more
+ }
+ :go
+ /^# '$PROGRAM' (GNU /,/# warranty; / {
s/^# //
s/^# *$//
s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
@@ -509,22 +736,28 @@ func_version ()
# Echo short help message to standard output and exit.
func_usage ()
{
- $SED -n '/^# Usage:/,/# -h/ {
+ $opt_debug
+
+ $SED -n '/^# Usage:/,/^# *.*--help/ {
s/^# //
s/^# *$//
s/\$progname/'$progname'/
p
}' < "$progpath"
- $ECHO
+ echo
$ECHO "run \`$progname --help | more' for full usage"
exit $?
}
-# func_help
-# Echo long help message to standard output and exit.
+# func_help [NOEXIT]
+# Echo long help message to standard output and exit,
+# unless 'noexit' is passed as argument.
func_help ()
{
+ $opt_debug
+
$SED -n '/^# Usage:/,/# Report bugs to/ {
+ :print
s/^# //
s/^# *$//
s*\$progname*'$progname'*
@@ -534,11 +767,18 @@ func_help ()
s*\$LTCFLAGS*'"$LTCFLAGS"'*
s*\$LD*'"$LD"'*
s/\$with_gnu_ld/'"$with_gnu_ld"'/
- s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/
- s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/
+ s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
+ s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
p
- }' < "$progpath"
- exit $?
+ d
+ }
+ /^# .* home page:/b print
+ /^# General help using/b print
+ ' < "$progpath"
+ ret=$?
+ if test -z "$1"; then
+ exit $ret
+ fi
}
# func_missing_arg argname
@@ -546,63 +786,106 @@ func_help ()
# exit_cmd.
func_missing_arg ()
{
- func_error "missing argument for $1"
+ $opt_debug
+
+ func_error "missing argument for $1."
exit_cmd=exit
}
-exit_cmd=:
+# func_split_short_opt shortopt
+# Set func_split_short_opt_name and func_split_short_opt_arg shell
+# variables after splitting SHORTOPT after the 2nd character.
+func_split_short_opt ()
+{
+ my_sed_short_opt='1s/^\(..\).*$/\1/;q'
+ my_sed_short_rest='1s/^..\(.*\)$/\1/;q'
+ func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"`
+ func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"`
+} # func_split_short_opt may be replaced by extended shell implementation
+
+
+# func_split_long_opt longopt
+# Set func_split_long_opt_name and func_split_long_opt_arg shell
+# variables after splitting LONGOPT at the `=' sign.
+func_split_long_opt ()
+{
+ my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q'
+ my_sed_long_arg='1s/^--[^=]*=//'
+
+ func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"`
+ func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"`
+} # func_split_long_opt may be replaced by extended shell implementation
+
+exit_cmd=:
-# Check that we have a working $ECHO.
-if test "X$1" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
-elif test "X$1" = X--fallback-echo; then
- # Avoid inline document here, it may be left over
- :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then
- # Yippee, $ECHO works!
- :
-else
- # Restart under the correct shell, and then maybe $ECHO will work.
- exec $SHELL "$progpath" --no-reexec ${1+"$@"}
-fi
-if test "X$1" = X--fallback-echo; then
- # used as fallback echo
- shift
- cat <<EOF
-$*
-EOF
- exit $EXIT_SUCCESS
-fi
magic="%%%MAGIC variable%%%"
magic_exe="%%%MAGIC EXE variable%%%"
# Global variables.
-# $mode is unset
nonopt=
-execute_dlfiles=
preserve_args=
lo2o="s/\\.lo\$/.${objext}/"
o2lo="s/\\.${objext}\$/.lo/"
extracted_archives=
extracted_serial=0
-opt_dry_run=false
-opt_duplicate_deps=false
-opt_silent=false
-opt_debug=:
-
# If this variable is set in any of the actions, the command in it
# will be execed at the end. This prevents here-documents from being
# left over by shells.
exec_cmd=
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+ eval "${1}=\$${1}\${2}"
+} # func_append may be replaced by extended shell implementation
+
+# func_append_quoted var value
+# Quote VALUE and append to the end of shell variable VAR, separated
+# by a space.
+func_append_quoted ()
+{
+ func_quote_for_eval "${2}"
+ eval "${1}=\$${1}\\ \$func_quote_for_eval_result"
+} # func_append_quoted may be replaced by extended shell implementation
+
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+ func_arith_result=`expr "${@}"`
+} # func_arith may be replaced by extended shell implementation
+
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+ func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len`
+} # func_len may be replaced by extended shell implementation
+
+
+# func_lo2o object
+func_lo2o ()
+{
+ func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"`
+} # func_lo2o may be replaced by extended shell implementation
+
+
+# func_xform libobj-or-source
+func_xform ()
+{
+ func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'`
+} # func_xform may be replaced by extended shell implementation
+
+
# func_fatal_configuration arg...
# Echo program name prefixed message to standard error, followed by
# a configuration failure hint, and exit.
@@ -636,16 +919,16 @@ func_config ()
# Display the features supported by this script.
func_features ()
{
- $ECHO "host: $host"
+ echo "host: $host"
if test "$build_libtool_libs" = yes; then
- $ECHO "enable shared libraries"
+ echo "enable shared libraries"
else
- $ECHO "disable shared libraries"
+ echo "disable shared libraries"
fi
if test "$build_old_libs" = yes; then
- $ECHO "enable static libraries"
+ echo "enable static libraries"
else
- $ECHO "disable static libraries"
+ echo "disable static libraries"
fi
exit $?
@@ -692,117 +975,209 @@ func_enable_tag ()
esac
}
-# Parse options once, thoroughly. This comes as soon as possible in
-# the script to make things like `libtool --version' happen quickly.
+# func_check_version_match
+# Ensure that we are using m4 macros, and libtool script from the same
+# release of libtool.
+func_check_version_match ()
{
+ if test "$package_revision" != "$macro_revision"; then
+ if test "$VERSION" != "$macro_version"; then
+ if test -z "$macro_version"; then
+ cat >&2 <<_LT_EOF
+$progname: Version mismatch error. This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from an older release.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+ else
+ cat >&2 <<_LT_EOF
+$progname: Version mismatch error. This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+ fi
+ else
+ cat >&2 <<_LT_EOF
+$progname: Version mismatch error. This is $PACKAGE $VERSION, revision $package_revision,
+$progname: but the definition of this LT_INIT comes from revision $macro_revision.
+$progname: You should recreate aclocal.m4 with macros from revision $package_revision
+$progname: of $PACKAGE $VERSION and run autoconf again.
+_LT_EOF
+ fi
+
+ exit $EXIT_MISMATCH
+ fi
+}
+
+
+# Shorthand for --mode=foo, only valid as the first argument
+case $1 in
+clean|clea|cle|cl)
+ shift; set dummy --mode clean ${1+"$@"}; shift
+ ;;
+compile|compil|compi|comp|com|co|c)
+ shift; set dummy --mode compile ${1+"$@"}; shift
+ ;;
+execute|execut|execu|exec|exe|ex|e)
+ shift; set dummy --mode execute ${1+"$@"}; shift
+ ;;
+finish|finis|fini|fin|fi|f)
+ shift; set dummy --mode finish ${1+"$@"}; shift
+ ;;
+install|instal|insta|inst|ins|in|i)
+ shift; set dummy --mode install ${1+"$@"}; shift
+ ;;
+link|lin|li|l)
+ shift; set dummy --mode link ${1+"$@"}; shift
+ ;;
+uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+ shift; set dummy --mode uninstall ${1+"$@"}; shift
+ ;;
+esac
+
- # Shorthand for --mode=foo, only valid as the first argument
- case $1 in
- clean|clea|cle|cl)
- shift; set dummy --mode clean ${1+"$@"}; shift
- ;;
- compile|compil|compi|comp|com|co|c)
- shift; set dummy --mode compile ${1+"$@"}; shift
- ;;
- execute|execut|execu|exec|exe|ex|e)
- shift; set dummy --mode execute ${1+"$@"}; shift
- ;;
- finish|finis|fini|fin|fi|f)
- shift; set dummy --mode finish ${1+"$@"}; shift
- ;;
- install|instal|insta|inst|ins|in|i)
- shift; set dummy --mode install ${1+"$@"}; shift
- ;;
- link|lin|li|l)
- shift; set dummy --mode link ${1+"$@"}; shift
- ;;
- uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
- shift; set dummy --mode uninstall ${1+"$@"}; shift
- ;;
- esac
- # Parse non-mode specific arguments:
- while test "$#" -gt 0; do
+# Option defaults:
+opt_debug=:
+opt_dry_run=false
+opt_config=false
+opt_preserve_dup_deps=false
+opt_features=false
+opt_finish=false
+opt_help=false
+opt_help_all=false
+opt_silent=:
+opt_warning=:
+opt_verbose=:
+opt_silent=false
+opt_verbose=false
+
+
+# Parse options once, thoroughly. This comes as soon as possible in the
+# script to make things like `--version' happen as quickly as we can.
+{
+ # this just eases exit handling
+ while test $# -gt 0; do
opt="$1"
shift
-
case $opt in
- --config) func_config ;;
-
- --debug) preserve_args="$preserve_args $opt"
+ --debug|-x) opt_debug='set -x'
func_echo "enabling shell trace mode"
- opt_debug='set -x'
$opt_debug
;;
-
- -dlopen) test "$#" -eq 0 && func_missing_arg "$opt" && break
- execute_dlfiles="$execute_dlfiles $1"
- shift
+ --dry-run|--dryrun|-n)
+ opt_dry_run=:
;;
-
- --dry-run | -n) opt_dry_run=: ;;
- --features) func_features ;;
- --finish) mode="finish" ;;
-
- --mode) test "$#" -eq 0 && func_missing_arg "$opt" && break
- case $1 in
- # Valid mode arguments:
- clean) ;;
- compile) ;;
- execute) ;;
- finish) ;;
- install) ;;
- link) ;;
- relink) ;;
- uninstall) ;;
-
- # Catch anything else as an error
- *) func_error "invalid argument for $opt"
- exit_cmd=exit
- break
- ;;
- esac
-
- mode="$1"
+ --config)
+ opt_config=:
+func_config
+ ;;
+ --dlopen|-dlopen)
+ optarg="$1"
+ opt_dlopen="${opt_dlopen+$opt_dlopen
+}$optarg"
shift
;;
-
--preserve-dup-deps)
- opt_duplicate_deps=: ;;
-
- --quiet|--silent) preserve_args="$preserve_args $opt"
- opt_silent=:
+ opt_preserve_dup_deps=:
;;
-
- --verbose| -v) preserve_args="$preserve_args $opt"
+ --features)
+ opt_features=:
+func_features
+ ;;
+ --finish)
+ opt_finish=:
+set dummy --mode finish ${1+"$@"}; shift
+ ;;
+ --help)
+ opt_help=:
+ ;;
+ --help-all)
+ opt_help_all=:
+opt_help=': help-all'
+ ;;
+ --mode)
+ test $# = 0 && func_missing_arg $opt && break
+ optarg="$1"
+ opt_mode="$optarg"
+case $optarg in
+ # Valid mode arguments:
+ clean|compile|execute|finish|install|link|relink|uninstall) ;;
+
+ # Catch anything else as an error
+ *) func_error "invalid argument for $opt"
+ exit_cmd=exit
+ break
+ ;;
+esac
+ shift
+ ;;
+ --no-silent|--no-quiet)
opt_silent=false
+func_append preserve_args " $opt"
;;
-
- --tag) test "$#" -eq 0 && func_missing_arg "$opt" && break
- preserve_args="$preserve_args $opt $1"
- func_enable_tag "$1" # tagname is set here
+ --no-warning|--no-warn)
+ opt_warning=false
+func_append preserve_args " $opt"
+ ;;
+ --no-verbose)
+ opt_verbose=false
+func_append preserve_args " $opt"
+ ;;
+ --silent|--quiet)
+ opt_silent=:
+func_append preserve_args " $opt"
+ opt_verbose=false
+ ;;
+ --verbose|-v)
+ opt_verbose=:
+func_append preserve_args " $opt"
+opt_silent=false
+ ;;
+ --tag)
+ test $# = 0 && func_missing_arg $opt && break
+ optarg="$1"
+ opt_tag="$optarg"
+func_append preserve_args " $opt $optarg"
+func_enable_tag "$optarg"
shift
;;
+ -\?|-h) func_usage ;;
+ --help) func_help ;;
+ --version) func_version ;;
+
# Separate optargs to long options:
- -dlopen=*|--mode=*|--tag=*)
- func_opt_split "$opt"
- set dummy "$func_opt_split_opt" "$func_opt_split_arg" ${1+"$@"}
+ --*=*)
+ func_split_long_opt "$opt"
+ set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"}
shift
;;
- -\?|-h) func_usage ;;
- --help) opt_help=: ;;
- --version) func_version ;;
-
- -*) func_fatal_help "unrecognized option \`$opt'" ;;
-
- *) nonopt="$opt"
- break
+ # Separate non-argument short options:
+ -\?*|-h*|-n*|-v*)
+ func_split_short_opt "$opt"
+ set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"}
+ shift
;;
+
+ --) break ;;
+ -*) func_fatal_help "unrecognized option \`$opt'" ;;
+ *) set dummy "$opt" ${1+"$@"}; shift; break ;;
esac
done
+ # Validate options:
+
+ # save first non-option argument
+ if test "$#" -gt 0; then
+ nonopt="$opt"
+ shift
+ fi
+
+ # preserve --debug
+ test "$opt_debug" = : || func_append preserve_args " --debug"
case $host in
*cygwin* | *mingw* | *pw32* | *cegcc*)
@@ -810,82 +1185,44 @@ func_enable_tag ()
opt_duplicate_compiler_generated_deps=:
;;
*)
- opt_duplicate_compiler_generated_deps=$opt_duplicate_deps
+ opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
;;
esac
- # Having warned about all mis-specified options, bail out if
- # anything was wrong.
- $exit_cmd $EXIT_FAILURE
-}
+ $opt_help || {
+ # Sanity checks first:
+ func_check_version_match
-# func_check_version_match
-# Ensure that we are using m4 macros, and libtool script from the same
-# release of libtool.
-func_check_version_match ()
-{
- if test "$package_revision" != "$macro_revision"; then
- if test "$VERSION" != "$macro_version"; then
- if test -z "$macro_version"; then
- cat >&2 <<_LT_EOF
-$progname: Version mismatch error. This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from an older release.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
- else
- cat >&2 <<_LT_EOF
-$progname: Version mismatch error. This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
- fi
- else
- cat >&2 <<_LT_EOF
-$progname: Version mismatch error. This is $PACKAGE $VERSION, revision $package_revision,
-$progname: but the definition of this LT_INIT comes from revision $macro_revision.
-$progname: You should recreate aclocal.m4 with macros from revision $package_revision
-$progname: of $PACKAGE $VERSION and run autoconf again.
-_LT_EOF
+ if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+ func_fatal_configuration "not configured to build any kind of library"
fi
- exit $EXIT_MISMATCH
- fi
-}
-
-
-## ----------- ##
-## Main. ##
-## ----------- ##
-
-$opt_help || {
- # Sanity checks first:
- func_check_version_match
+ # Darwin sucks
+ eval std_shrext=\"$shrext_cmds\"
- if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
- func_fatal_configuration "not configured to build any kind of library"
- fi
+ # Only execute mode is allowed to have -dlopen flags.
+ if test -n "$opt_dlopen" && test "$opt_mode" != execute; then
+ func_error "unrecognized option \`-dlopen'"
+ $ECHO "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
- test -z "$mode" && func_fatal_error "error: you must specify a MODE."
+ # Change the help message to a mode-specific one.
+ generic_help="$help"
+ help="Try \`$progname --help --mode=$opt_mode' for more information."
+ }
- # Darwin sucks
- eval std_shrext=\"$shrext_cmds\"
+ # Bail if the options were screwed
+ $exit_cmd $EXIT_FAILURE
+}
- # Only execute mode is allowed to have -dlopen flags.
- if test -n "$execute_dlfiles" && test "$mode" != execute; then
- func_error "unrecognized option \`-dlopen'"
- $ECHO "$help" 1>&2
- exit $EXIT_FAILURE
- fi
- # Change the help message to a mode-specific one.
- generic_help="$help"
- help="Try \`$progname --help --mode=$mode' for more information."
-}
+## ----------- ##
+## Main. ##
+## ----------- ##
# func_lalib_p file
# True iff FILE is a libtool `.la' library or `.lo' object file.
@@ -950,12 +1287,9 @@ func_ltwrapper_executable_p ()
# temporary ltwrapper_script.
func_ltwrapper_scriptname ()
{
- func_ltwrapper_scriptname_result=""
- if func_ltwrapper_executable_p "$1"; then
- func_dirname_and_basename "$1" "" "."
- func_stripname '' '.exe' "$func_basename_result"
- func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
- fi
+ func_dirname_and_basename "$1" "" "."
+ func_stripname '' '.exe' "$func_basename_result"
+ func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
}
# func_ltwrapper_p file
@@ -1001,6 +1335,37 @@ func_source ()
}
+# func_resolve_sysroot PATH
+# Replace a leading = in PATH with a sysroot. Store the result into
+# func_resolve_sysroot_result
+func_resolve_sysroot ()
+{
+ func_resolve_sysroot_result=$1
+ case $func_resolve_sysroot_result in
+ =*)
+ func_stripname '=' '' "$func_resolve_sysroot_result"
+ func_resolve_sysroot_result=$lt_sysroot$func_stripname_result
+ ;;
+ esac
+}
+
+# func_replace_sysroot PATH
+# If PATH begins with the sysroot, replace it with = and
+# store the result into func_replace_sysroot_result.
+func_replace_sysroot ()
+{
+ case "$lt_sysroot:$1" in
+ ?*:"$lt_sysroot"*)
+ func_stripname "$lt_sysroot" '' "$1"
+ func_replace_sysroot_result="=$func_stripname_result"
+ ;;
+ *)
+ # Including no sysroot.
+ func_replace_sysroot_result=$1
+ ;;
+ esac
+}
+
# func_infer_tag arg
# Infer tagged configuration to use if any are available and
# if one wasn't chosen via the "--tag" command line option.
@@ -1013,13 +1378,15 @@ func_infer_tag ()
if test -n "$available_tags" && test -z "$tagname"; then
CC_quoted=
for arg in $CC; do
- func_quote_for_eval "$arg"
- CC_quoted="$CC_quoted $func_quote_for_eval_result"
+ func_append_quoted CC_quoted "$arg"
done
+ CC_expanded=`func_echo_all $CC`
+ CC_quoted_expanded=`func_echo_all $CC_quoted`
case $@ in
# Blanks in the command may have been stripped by the calling shell,
# but not from the CC environment variable when configure was run.
- " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) ;;
+ " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+ " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;;
# Blanks at the start of $base_compile will cause this to fail
# if we don't check for them as well.
*)
@@ -1030,11 +1397,13 @@ func_infer_tag ()
CC_quoted=
for arg in $CC; do
# Double-quote args containing other shell metacharacters.
- func_quote_for_eval "$arg"
- CC_quoted="$CC_quoted $func_quote_for_eval_result"
+ func_append_quoted CC_quoted "$arg"
done
+ CC_expanded=`func_echo_all $CC`
+ CC_quoted_expanded=`func_echo_all $CC_quoted`
case "$@ " in
- " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*)
+ " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+ " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*)
# The compiler in the base compile command matches
# the one in the tagged configuration.
# Assume this is the tagged configuration we want.
@@ -1097,6 +1466,486 @@ EOF
}
}
+
+##################################################
+# FILE NAME AND PATH CONVERSION HELPER FUNCTIONS #
+##################################################
+
+# func_convert_core_file_wine_to_w32 ARG
+# Helper function used by file name conversion functions when $build is *nix,
+# and $host is mingw, cygwin, or some other w32 environment. Relies on a
+# correctly configured wine environment available, with the winepath program
+# in $build's $PATH.
+#
+# ARG is the $build file name to be converted to w32 format.
+# Result is available in $func_convert_core_file_wine_to_w32_result, and will
+# be empty on error (or when ARG is empty)
+func_convert_core_file_wine_to_w32 ()
+{
+ $opt_debug
+ func_convert_core_file_wine_to_w32_result="$1"
+ if test -n "$1"; then
+ # Unfortunately, winepath does not exit with a non-zero error code, so we
+ # are forced to check the contents of stdout. On the other hand, if the
+ # command is not found, the shell will set an exit code of 127 and print
+ # *an error message* to stdout. So we must check for both error code of
+ # zero AND non-empty stdout, which explains the odd construction:
+ func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null`
+ if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then
+ func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
+ $SED -e "$lt_sed_naive_backslashify"`
+ else
+ func_convert_core_file_wine_to_w32_result=
+ fi
+ fi
+}
+# end: func_convert_core_file_wine_to_w32
+
+
+# func_convert_core_path_wine_to_w32 ARG
+# Helper function used by path conversion functions when $build is *nix, and
+# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly
+# configured wine environment available, with the winepath program in $build's
+# $PATH. Assumes ARG has no leading or trailing path separator characters.
+#
+# ARG is path to be converted from $build format to win32.
+# Result is available in $func_convert_core_path_wine_to_w32_result.
+# Unconvertible file (directory) names in ARG are skipped; if no directory names
+# are convertible, then the result may be empty.
+func_convert_core_path_wine_to_w32 ()
+{
+ $opt_debug
+ # unfortunately, winepath doesn't convert paths, only file names
+ func_convert_core_path_wine_to_w32_result=""
+ if test -n "$1"; then
+ oldIFS=$IFS
+ IFS=:
+ for func_convert_core_path_wine_to_w32_f in $1; do
+ IFS=$oldIFS
+ func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
+ if test -n "$func_convert_core_file_wine_to_w32_result" ; then
+ if test -z "$func_convert_core_path_wine_to_w32_result"; then
+ func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result"
+ else
+ func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
+ fi
+ fi
+ done
+ IFS=$oldIFS
+ fi
+}
+# end: func_convert_core_path_wine_to_w32
+
+
+# func_cygpath ARGS...
+# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when
+# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2)
+# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or
+# (2), returns the Cygwin file name or path in func_cygpath_result (input
+# file name or path is assumed to be in w32 format, as previously converted
+# from $build's *nix or MSYS format). In case (3), returns the w32 file name
+# or path in func_cygpath_result (input file name or path is assumed to be in
+# Cygwin format). Returns an empty string on error.
+#
+# ARGS are passed to cygpath, with the last one being the file name or path to
+# be converted.
+#
+# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH
+# environment variable; do not put it in $PATH.
+func_cygpath ()
+{
+ $opt_debug
+ if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
+ func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
+ if test "$?" -ne 0; then
+ # on failure, ensure result is empty
+ func_cygpath_result=
+ fi
+ else
+ func_cygpath_result=
+ func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'"
+ fi
+}
+#end: func_cygpath
+
+
+# func_convert_core_msys_to_w32 ARG
+# Convert file name or path ARG from MSYS format to w32 format. Return
+# result in func_convert_core_msys_to_w32_result.
+func_convert_core_msys_to_w32 ()
+{
+ $opt_debug
+ # awkward: cmd appends spaces to result
+ func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
+ $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"`
+}
+#end: func_convert_core_msys_to_w32
+
+
+# func_convert_file_check ARG1 ARG2
+# Verify that ARG1 (a file name in $build format) was converted to $host
+# format in ARG2. Otherwise, emit an error message, but continue (resetting
+# func_to_host_file_result to ARG1).
+func_convert_file_check ()
+{
+ $opt_debug
+ if test -z "$2" && test -n "$1" ; then
+ func_error "Could not determine host file name corresponding to"
+ func_error " \`$1'"
+ func_error "Continuing, but uninstalled executables may not work."
+ # Fallback:
+ func_to_host_file_result="$1"
+ fi
+}
+# end func_convert_file_check
+
+
+# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH
+# Verify that FROM_PATH (a path in $build format) was converted to $host
+# format in TO_PATH. Otherwise, emit an error message, but continue, resetting
+# func_to_host_file_result to a simplistic fallback value (see below).
+func_convert_path_check ()
+{
+ $opt_debug
+ if test -z "$4" && test -n "$3"; then
+ func_error "Could not determine the host path corresponding to"
+ func_error " \`$3'"
+ func_error "Continuing, but uninstalled executables may not work."
+ # Fallback. This is a deliberately simplistic "conversion" and
+ # should not be "improved". See libtool.info.
+ if test "x$1" != "x$2"; then
+ lt_replace_pathsep_chars="s|$1|$2|g"
+ func_to_host_path_result=`echo "$3" |
+ $SED -e "$lt_replace_pathsep_chars"`
+ else
+ func_to_host_path_result="$3"
+ fi
+ fi
+}
+# end func_convert_path_check
+
+
+# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG
+# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT
+# and appending REPL if ORIG matches BACKPAT.
+func_convert_path_front_back_pathsep ()
+{
+ $opt_debug
+ case $4 in
+ $1 ) func_to_host_path_result="$3$func_to_host_path_result"
+ ;;
+ esac
+ case $4 in
+ $2 ) func_append func_to_host_path_result "$3"
+ ;;
+ esac
+}
+# end func_convert_path_front_back_pathsep
+
+
+##################################################
+# $build to $host FILE NAME CONVERSION FUNCTIONS #
+##################################################
+# invoked via `$to_host_file_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# Result will be available in $func_to_host_file_result.
+
+
+# func_to_host_file ARG
+# Converts the file name ARG from $build format to $host format. Return result
+# in func_to_host_file_result.
+func_to_host_file ()
+{
+ $opt_debug
+ $to_host_file_cmd "$1"
+}
+# end func_to_host_file
+
+
+# func_to_tool_file ARG LAZY
+# converts the file name ARG from $build format to toolchain format. Return
+# result in func_to_tool_file_result. If the conversion in use is listed
+# in (the comma separated) LAZY, no conversion takes place.
+func_to_tool_file ()
+{
+ $opt_debug
+ case ,$2, in
+ *,"$to_tool_file_cmd",*)
+ func_to_tool_file_result=$1
+ ;;
+ *)
+ $to_tool_file_cmd "$1"
+ func_to_tool_file_result=$func_to_host_file_result
+ ;;
+ esac
+}
+# end func_to_tool_file
+
+
+# func_convert_file_noop ARG
+# Copy ARG to func_to_host_file_result.
+func_convert_file_noop ()
+{
+ func_to_host_file_result="$1"
+}
+# end func_convert_file_noop
+
+
+# func_convert_file_msys_to_w32 ARG
+# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper. Returns result in
+# func_to_host_file_result.
+func_convert_file_msys_to_w32 ()
+{
+ $opt_debug
+ func_to_host_file_result="$1"
+ if test -n "$1"; then
+ func_convert_core_msys_to_w32 "$1"
+ func_to_host_file_result="$func_convert_core_msys_to_w32_result"
+ fi
+ func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_w32
+
+
+# func_convert_file_cygwin_to_w32 ARG
+# Convert file name ARG from Cygwin to w32 format. Returns result in
+# func_to_host_file_result.
+func_convert_file_cygwin_to_w32 ()
+{
+ $opt_debug
+ func_to_host_file_result="$1"
+ if test -n "$1"; then
+ # because $build is cygwin, we call "the" cygpath in $PATH; no need to use
+ # LT_CYGPATH in this case.
+ func_to_host_file_result=`cygpath -m "$1"`
+ fi
+ func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_cygwin_to_w32
+
+
+# func_convert_file_nix_to_w32 ARG
+# Convert file name ARG from *nix to w32 format. Requires a wine environment
+# and a working winepath. Returns result in func_to_host_file_result.
+func_convert_file_nix_to_w32 ()
+{
+ $opt_debug
+ func_to_host_file_result="$1"
+ if test -n "$1"; then
+ func_convert_core_file_wine_to_w32 "$1"
+ func_to_host_file_result="$func_convert_core_file_wine_to_w32_result"
+ fi
+ func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_w32
+
+
+# func_convert_file_msys_to_cygwin ARG
+# Convert file name ARG from MSYS to Cygwin format. Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_file_msys_to_cygwin ()
+{
+ $opt_debug
+ func_to_host_file_result="$1"
+ if test -n "$1"; then
+ func_convert_core_msys_to_w32 "$1"
+ func_cygpath -u "$func_convert_core_msys_to_w32_result"
+ func_to_host_file_result="$func_cygpath_result"
+ fi
+ func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_cygwin
+
+
+# func_convert_file_nix_to_cygwin ARG
+# Convert file name ARG from *nix to Cygwin format. Requires Cygwin installed
+# in a wine environment, working winepath, and LT_CYGPATH set. Returns result
+# in func_to_host_file_result.
+func_convert_file_nix_to_cygwin ()
+{
+ $opt_debug
+ func_to_host_file_result="$1"
+ if test -n "$1"; then
+ # convert from *nix to w32, then use cygpath to convert from w32 to cygwin.
+ func_convert_core_file_wine_to_w32 "$1"
+ func_cygpath -u "$func_convert_core_file_wine_to_w32_result"
+ func_to_host_file_result="$func_cygpath_result"
+ fi
+ func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_cygwin
+
+
+#############################################
+# $build to $host PATH CONVERSION FUNCTIONS #
+#############################################
+# invoked via `$to_host_path_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# The result will be available in $func_to_host_path_result.
+#
+# Path separators are also converted from $build format to $host format. If
+# ARG begins or ends with a path separator character, it is preserved (but
+# converted to $host format) on output.
+#
+# All path conversion functions are named using the following convention:
+# file name conversion function : func_convert_file_X_to_Y ()
+# path conversion function : func_convert_path_X_to_Y ()
+# where, for any given $build/$host combination the 'X_to_Y' value is the
+# same. If conversion functions are added for new $build/$host combinations,
+# the two new functions must follow this pattern, or func_init_to_host_path_cmd
+# will break.
+
+
+# func_init_to_host_path_cmd
+# Ensures that function "pointer" variable $to_host_path_cmd is set to the
+# appropriate value, based on the value of $to_host_file_cmd.
+to_host_path_cmd=
+func_init_to_host_path_cmd ()
+{
+ $opt_debug
+ if test -z "$to_host_path_cmd"; then
+ func_stripname 'func_convert_file_' '' "$to_host_file_cmd"
+ to_host_path_cmd="func_convert_path_${func_stripname_result}"
+ fi
+}
+
+
+# func_to_host_path ARG
+# Converts the path ARG from $build format to $host format. Return result
+# in func_to_host_path_result.
+func_to_host_path ()
+{
+ $opt_debug
+ func_init_to_host_path_cmd
+ $to_host_path_cmd "$1"
+}
+# end func_to_host_path
+
+
+# func_convert_path_noop ARG
+# Copy ARG to func_to_host_path_result.
+func_convert_path_noop ()
+{
+ func_to_host_path_result="$1"
+}
+# end func_convert_path_noop
+
+
+# func_convert_path_msys_to_w32 ARG
+# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper. Returns result in
+# func_to_host_path_result.
+func_convert_path_msys_to_w32 ()
+{
+ $opt_debug
+ func_to_host_path_result="$1"
+ if test -n "$1"; then
+ # Remove leading and trailing path separator characters from ARG. MSYS
+ # behavior is inconsistent here; cygpath turns them into '.;' and ';.';
+ # and winepath ignores them completely.
+ func_stripname : : "$1"
+ func_to_host_path_tmp1=$func_stripname_result
+ func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+ func_to_host_path_result="$func_convert_core_msys_to_w32_result"
+ func_convert_path_check : ";" \
+ "$func_to_host_path_tmp1" "$func_to_host_path_result"
+ func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+ fi
+}
+# end func_convert_path_msys_to_w32
+
+
+# func_convert_path_cygwin_to_w32 ARG
+# Convert path ARG from Cygwin to w32 format. Returns result in
+# func_to_host_file_result.
+func_convert_path_cygwin_to_w32 ()
+{
+ $opt_debug
+ func_to_host_path_result="$1"
+ if test -n "$1"; then
+ # See func_convert_path_msys_to_w32:
+ func_stripname : : "$1"
+ func_to_host_path_tmp1=$func_stripname_result
+ func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"`
+ func_convert_path_check : ";" \
+ "$func_to_host_path_tmp1" "$func_to_host_path_result"
+ func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+ fi
+}
+# end func_convert_path_cygwin_to_w32
+
+
+# func_convert_path_nix_to_w32 ARG
+# Convert path ARG from *nix to w32 format. Requires a wine environment and
+# a working winepath. Returns result in func_to_host_file_result.
+func_convert_path_nix_to_w32 ()
+{
+ $opt_debug
+ func_to_host_path_result="$1"
+ if test -n "$1"; then
+ # See func_convert_path_msys_to_w32:
+ func_stripname : : "$1"
+ func_to_host_path_tmp1=$func_stripname_result
+ func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+ func_to_host_path_result="$func_convert_core_path_wine_to_w32_result"
+ func_convert_path_check : ";" \
+ "$func_to_host_path_tmp1" "$func_to_host_path_result"
+ func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+ fi
+}
+# end func_convert_path_nix_to_w32
+
+
+# func_convert_path_msys_to_cygwin ARG
+# Convert path ARG from MSYS to Cygwin format. Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_path_msys_to_cygwin ()
+{
+ $opt_debug
+ func_to_host_path_result="$1"
+ if test -n "$1"; then
+ # See func_convert_path_msys_to_w32:
+ func_stripname : : "$1"
+ func_to_host_path_tmp1=$func_stripname_result
+ func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+ func_cygpath -u -p "$func_convert_core_msys_to_w32_result"
+ func_to_host_path_result="$func_cygpath_result"
+ func_convert_path_check : : \
+ "$func_to_host_path_tmp1" "$func_to_host_path_result"
+ func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+ fi
+}
+# end func_convert_path_msys_to_cygwin
+
+
+# func_convert_path_nix_to_cygwin ARG
+# Convert path ARG from *nix to Cygwin format. Requires Cygwin installed in a
+# a wine environment, working winepath, and LT_CYGPATH set. Returns result in
+# func_to_host_file_result.
+func_convert_path_nix_to_cygwin ()
+{
+ $opt_debug
+ func_to_host_path_result="$1"
+ if test -n "$1"; then
+ # Remove leading and trailing path separator characters from
+ # ARG. msys behavior is inconsistent here, cygpath turns them
+ # into '.;' and ';.', and winepath ignores them completely.
+ func_stripname : : "$1"
+ func_to_host_path_tmp1=$func_stripname_result
+ func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+ func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result"
+ func_to_host_path_result="$func_cygpath_result"
+ func_convert_path_check : : \
+ "$func_to_host_path_tmp1" "$func_to_host_path_result"
+ func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+ fi
+}
+# end func_convert_path_nix_to_cygwin
+
+
# func_mode_compile arg...
func_mode_compile ()
{
@@ -1137,12 +1986,12 @@ func_mode_compile ()
;;
-pie | -fpie | -fPIE)
- pie_flag="$pie_flag $arg"
+ func_append pie_flag " $arg"
continue
;;
-shared | -static | -prefer-pic | -prefer-non-pic)
- later="$later $arg"
+ func_append later " $arg"
continue
;;
@@ -1163,15 +2012,14 @@ func_mode_compile ()
save_ifs="$IFS"; IFS=','
for arg in $args; do
IFS="$save_ifs"
- func_quote_for_eval "$arg"
- lastarg="$lastarg $func_quote_for_eval_result"
+ func_append_quoted lastarg "$arg"
done
IFS="$save_ifs"
func_stripname ' ' '' "$lastarg"
lastarg=$func_stripname_result
# Add the arguments to base_compile.
- base_compile="$base_compile $lastarg"
+ func_append base_compile " $lastarg"
continue
;;
@@ -1187,8 +2035,7 @@ func_mode_compile ()
esac # case $arg_mode
# Aesthetically quote the previous argument.
- func_quote_for_eval "$lastarg"
- base_compile="$base_compile $func_quote_for_eval_result"
+ func_append_quoted base_compile "$lastarg"
done # for arg
case $arg_mode in
@@ -1213,7 +2060,7 @@ func_mode_compile ()
*.[cCFSifmso] | \
*.ada | *.adb | *.ads | *.asm | \
*.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
- *.[fF][09]? | *.for | *.java | *.obj | *.sx)
+ *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
func_xform "$libobj"
libobj=$func_xform_result
;;
@@ -1288,7 +2135,7 @@ func_mode_compile ()
# Calculate the filename of the output object if compiler does
# not support -o with -c
if test "$compiler_c_o" = no; then
- output_obj=`$ECHO "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+ output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext}
lockfile="$output_obj.lock"
else
output_obj=
@@ -1319,17 +2166,16 @@ compiler."
$opt_dry_run || $RM $removelist
exit $EXIT_FAILURE
fi
- removelist="$removelist $output_obj"
+ func_append removelist " $output_obj"
$ECHO "$srcfile" > "$lockfile"
fi
$opt_dry_run || $RM $removelist
- removelist="$removelist $lockfile"
+ func_append removelist " $lockfile"
trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15
- if test -n "$fix_srcfile_path"; then
- eval srcfile=\"$fix_srcfile_path\"
- fi
+ func_to_tool_file "$srcfile" func_convert_file_msys_to_w32
+ srcfile=$func_to_tool_file_result
func_quote_for_eval "$srcfile"
qsrcfile=$func_quote_for_eval_result
@@ -1349,7 +2195,7 @@ compiler."
if test -z "$output_obj"; then
# Place PIC objects in $objdir
- command="$command -o $lobj"
+ func_append command " -o $lobj"
fi
func_show_eval_locale "$command" \
@@ -1396,11 +2242,11 @@ compiler."
command="$base_compile $qsrcfile $pic_flag"
fi
if test "$compiler_c_o" = yes; then
- command="$command -o $obj"
+ func_append command " -o $obj"
fi
# Suppress compiler output if we already did a PIC compilation.
- command="$command$suppress_output"
+ func_append command "$suppress_output"
func_show_eval_locale "$command" \
'$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
@@ -1445,13 +2291,13 @@ compiler."
}
$opt_help || {
-test "$mode" = compile && func_mode_compile ${1+"$@"}
+ test "$opt_mode" = compile && func_mode_compile ${1+"$@"}
}
func_mode_help ()
{
# We need to display help for each of the modes.
- case $mode in
+ case $opt_mode in
"")
# Generic help is extracted from the usage comments
# at the start of this file.
@@ -1482,10 +2328,11 @@ This mode accepts the following additional options:
-o OUTPUT-FILE set the output file name to OUTPUT-FILE
-no-suppress do not suppress compiler output for multiple passes
- -prefer-pic try to building PIC objects only
- -prefer-non-pic try to building non-PIC objects only
+ -prefer-pic try to build PIC objects only
+ -prefer-non-pic try to build non-PIC objects only
-shared do not build a \`.o' file suitable for static linking
-static only build a \`.o' file suitable for static linking
+ -Wc,FLAG pass FLAG directly to the compiler
COMPILE-COMMAND is a command to be used in creating a \`standard' object file
from the given SOURCEFILE.
@@ -1538,7 +2385,7 @@ either the \`install' or \`cp' program.
The following components of INSTALL-COMMAND are treated specially:
- -inst-prefix PREFIX-DIR Use PREFIX-DIR as a staging area for installation
+ -inst-prefix-dir PREFIX-DIR Use PREFIX-DIR as a staging area for installation
The rest of the components are interpreted as arguments to that command (only
BSD-compatible install options are recognized)."
@@ -1558,6 +2405,8 @@ The following components of LINK-COMMAND are treated specially:
-all-static do not do any dynamic linking at all
-avoid-version do not add a version suffix if possible
+ -bindir BINDIR specify path to binaries directory (for systems where
+ libraries must be found in the PATH setting at runtime)
-dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime
-dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols
-export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
@@ -1586,6 +2435,11 @@ The following components of LINK-COMMAND are treated specially:
-version-info CURRENT[:REVISION[:AGE]]
specify library version info [each variable defaults to 0]
-weak LIBNAME declare that the target provides the LIBNAME interface
+ -Wc,FLAG
+ -Xcompiler FLAG pass linker-specific FLAG directly to the compiler
+ -Wl,FLAG
+ -Xlinker FLAG pass linker-specific FLAG directly to the linker
+ -XCClinker FLAG pass link-specific FLAG to the compiler driver (CC)
All other options (arguments beginning with \`-') are ignored.
@@ -1619,18 +2473,44 @@ Otherwise, only FILE itself is deleted using RM."
;;
*)
- func_fatal_help "invalid operation mode \`$mode'"
+ func_fatal_help "invalid operation mode \`$opt_mode'"
;;
esac
- $ECHO
+ echo
$ECHO "Try \`$progname --help' for more information about other modes."
-
- exit $?
}
- # Now that we've collected a possible --mode arg, show help if necessary
- $opt_help && func_mode_help
+# Now that we've collected a possible --mode arg, show help if necessary
+if $opt_help; then
+ if test "$opt_help" = :; then
+ func_mode_help
+ else
+ {
+ func_help noexit
+ for opt_mode in compile link execute install finish uninstall clean; do
+ func_mode_help
+ done
+ } | sed -n '1p; 2,$s/^Usage:/ or: /p'
+ {
+ func_help noexit
+ for opt_mode in compile link execute install finish uninstall clean; do
+ echo
+ func_mode_help
+ done
+ } |
+ sed '1d
+ /^When reporting/,/^Report/{
+ H
+ d
+ }
+ $x
+ /information about other modes/d
+ /more detailed .*MODE/d
+ s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/'
+ fi
+ exit $?
+fi
# func_mode_execute arg...
@@ -1643,13 +2523,16 @@ func_mode_execute ()
func_fatal_help "you must specify a COMMAND"
# Handle -dlopen flags immediately.
- for file in $execute_dlfiles; do
+ for file in $opt_dlopen; do
test -f "$file" \
|| func_fatal_help "\`$file' is not a file"
dir=
case $file in
*.la)
+ func_resolve_sysroot "$file"
+ file=$func_resolve_sysroot_result
+
# Check to see that this really is a libtool archive.
func_lalib_unsafe_p "$file" \
|| func_fatal_help "\`$lib' is not a valid libtool archive"
@@ -1671,7 +2554,7 @@ func_mode_execute ()
dir="$func_dirname_result"
if test -f "$dir/$objdir/$dlname"; then
- dir="$dir/$objdir"
+ func_append dir "/$objdir"
else
if test ! -f "$dir/$dlname"; then
func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'"
@@ -1712,7 +2595,7 @@ func_mode_execute ()
for file
do
case $file in
- -*) ;;
+ -* | *.la | *.lo ) ;;
*)
# Do a test to see if this is really a libtool program.
if func_ltwrapper_script_p "$file"; then
@@ -1728,8 +2611,7 @@ func_mode_execute ()
;;
esac
# Quote arguments (to preserve shell metacharacters).
- func_quote_for_eval "$file"
- args="$args $func_quote_for_eval_result"
+ func_append_quoted args "$file"
done
if test "X$opt_dry_run" = Xfalse; then
@@ -1754,29 +2636,66 @@ func_mode_execute ()
# Display what would be done.
if test -n "$shlibpath_var"; then
eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
- $ECHO "export $shlibpath_var"
+ echo "export $shlibpath_var"
fi
$ECHO "$cmd$args"
exit $EXIT_SUCCESS
fi
}
-test "$mode" = execute && func_mode_execute ${1+"$@"}
+test "$opt_mode" = execute && func_mode_execute ${1+"$@"}
# func_mode_finish arg...
func_mode_finish ()
{
$opt_debug
- libdirs="$nonopt"
+ libs=
+ libdirs=
admincmds=
- if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
- for dir
- do
- libdirs="$libdirs $dir"
- done
+ for opt in "$nonopt" ${1+"$@"}
+ do
+ if test -d "$opt"; then
+ func_append libdirs " $opt"
+ elif test -f "$opt"; then
+ if func_lalib_unsafe_p "$opt"; then
+ func_append libs " $opt"
+ else
+ func_warning "\`$opt' is not a valid libtool archive"
+ fi
+
+ else
+ func_fatal_error "invalid argument \`$opt'"
+ fi
+ done
+
+ if test -n "$libs"; then
+ if test -n "$lt_sysroot"; then
+ sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"`
+ sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;"
+ else
+ sysroot_cmd=
+ fi
+
+ # Remove sysroot references
+ if $opt_dry_run; then
+ for lib in $libs; do
+ echo "removing references to $lt_sysroot and \`=' prefixes from $lib"
+ done
+ else
+ tmpdir=`func_mktempdir`
+ for lib in $libs; do
+ sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
+ > $tmpdir/tmp-la
+ mv -f $tmpdir/tmp-la $lib
+ done
+ ${RM}r "$tmpdir"
+ fi
+ fi
+
+ if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
for libdir in $libdirs; do
if test -n "$finish_cmds"; then
# Do each command in the finish commands.
@@ -1786,7 +2705,7 @@ func_mode_finish ()
if test -n "$finish_eval"; then
# Do the single finish_eval.
eval cmds=\"$finish_eval\"
- $opt_dry_run || eval "$cmds" || admincmds="$admincmds
+ $opt_dry_run || eval "$cmds" || func_append admincmds "
$cmds"
fi
done
@@ -1795,53 +2714,55 @@ func_mode_finish ()
# Exit here if they wanted silent mode.
$opt_silent && exit $EXIT_SUCCESS
- $ECHO "X----------------------------------------------------------------------" | $Xsed
- $ECHO "Libraries have been installed in:"
- for libdir in $libdirs; do
- $ECHO " $libdir"
- done
- $ECHO
- $ECHO "If you ever happen to want to link against installed libraries"
- $ECHO "in a given directory, LIBDIR, you must either use libtool, and"
- $ECHO "specify the full pathname of the library, or use the \`-LLIBDIR'"
- $ECHO "flag during linking and do at least one of the following:"
- if test -n "$shlibpath_var"; then
- $ECHO " - add LIBDIR to the \`$shlibpath_var' environment variable"
- $ECHO " during execution"
- fi
- if test -n "$runpath_var"; then
- $ECHO " - add LIBDIR to the \`$runpath_var' environment variable"
- $ECHO " during linking"
- fi
- if test -n "$hardcode_libdir_flag_spec"; then
- libdir=LIBDIR
- eval flag=\"$hardcode_libdir_flag_spec\"
+ if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+ echo "----------------------------------------------------------------------"
+ echo "Libraries have been installed in:"
+ for libdir in $libdirs; do
+ $ECHO " $libdir"
+ done
+ echo
+ echo "If you ever happen to want to link against installed libraries"
+ echo "in a given directory, LIBDIR, you must either use libtool, and"
+ echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+ echo "flag during linking and do at least one of the following:"
+ if test -n "$shlibpath_var"; then
+ echo " - add LIBDIR to the \`$shlibpath_var' environment variable"
+ echo " during execution"
+ fi
+ if test -n "$runpath_var"; then
+ echo " - add LIBDIR to the \`$runpath_var' environment variable"
+ echo " during linking"
+ fi
+ if test -n "$hardcode_libdir_flag_spec"; then
+ libdir=LIBDIR
+ eval flag=\"$hardcode_libdir_flag_spec\"
- $ECHO " - use the \`$flag' linker flag"
- fi
- if test -n "$admincmds"; then
- $ECHO " - have your system administrator run these commands:$admincmds"
- fi
- if test -f /etc/ld.so.conf; then
- $ECHO " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
- fi
- $ECHO
+ $ECHO " - use the \`$flag' linker flag"
+ fi
+ if test -n "$admincmds"; then
+ $ECHO " - have your system administrator run these commands:$admincmds"
+ fi
+ if test -f /etc/ld.so.conf; then
+ echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+ fi
+ echo
- $ECHO "See any operating system documentation about shared libraries for"
- case $host in
- solaris2.[6789]|solaris2.1[0-9])
- $ECHO "more information, such as the ld(1), crle(1) and ld.so(8) manual"
- $ECHO "pages."
- ;;
- *)
- $ECHO "more information, such as the ld(1) and ld.so(8) manual pages."
- ;;
- esac
- $ECHO "X----------------------------------------------------------------------" | $Xsed
+ echo "See any operating system documentation about shared libraries for"
+ case $host in
+ solaris2.[6789]|solaris2.1[0-9])
+ echo "more information, such as the ld(1), crle(1) and ld.so(8) manual"
+ echo "pages."
+ ;;
+ *)
+ echo "more information, such as the ld(1) and ld.so(8) manual pages."
+ ;;
+ esac
+ echo "----------------------------------------------------------------------"
+ fi
exit $EXIT_SUCCESS
}
-test "$mode" = finish && func_mode_finish ${1+"$@"}
+test "$opt_mode" = finish && func_mode_finish ${1+"$@"}
# func_mode_install arg...
@@ -1852,7 +2773,7 @@ func_mode_install ()
# install_prog (especially on Windows NT).
if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
# Allow the use of GNU shtool's install command.
- $ECHO "X$nonopt" | $GREP shtool >/dev/null; then
+ case $nonopt in *shtool*) :;; *) false;; esac; then
# Aesthetically quote it.
func_quote_for_eval "$nonopt"
install_prog="$func_quote_for_eval_result "
@@ -1866,7 +2787,12 @@ func_mode_install ()
# The real first argument should be the name of the installation program.
# Aesthetically quote it.
func_quote_for_eval "$arg"
- install_prog="$install_prog$func_quote_for_eval_result"
+ func_append install_prog "$func_quote_for_eval_result"
+ install_shared_prog=$install_prog
+ case " $install_prog " in
+ *[\\\ /]cp\ *) install_cp=: ;;
+ *) install_cp=false ;;
+ esac
# We need to accept at least all the BSD install flags.
dest=
@@ -1876,10 +2802,12 @@ func_mode_install ()
install_type=
isdir=no
stripme=
+ no_mode=:
for arg
do
+ arg2=
if test -n "$dest"; then
- files="$files $dest"
+ func_append files " $dest"
dest=$arg
continue
fi
@@ -1887,10 +2815,9 @@ func_mode_install ()
case $arg in
-d) isdir=yes ;;
-f)
- case " $install_prog " in
- *[\\\ /]cp\ *) ;;
- *) prev=$arg ;;
- esac
+ if $install_cp; then :; else
+ prev=$arg
+ fi
;;
-g | -m | -o)
prev=$arg
@@ -1904,6 +2831,10 @@ func_mode_install ()
*)
# If the previous option needed an argument, then skip it.
if test -n "$prev"; then
+ if test "x$prev" = x-m && test -n "$install_override_mode"; then
+ arg2=$install_override_mode
+ no_mode=false
+ fi
prev=
else
dest=$arg
@@ -1914,7 +2845,11 @@ func_mode_install ()
# Aesthetically quote the argument.
func_quote_for_eval "$arg"
- install_prog="$install_prog $func_quote_for_eval_result"
+ func_append install_prog " $func_quote_for_eval_result"
+ if test -n "$arg2"; then
+ func_quote_for_eval "$arg2"
+ fi
+ func_append install_shared_prog " $func_quote_for_eval_result"
done
test -z "$install_prog" && \
@@ -1923,6 +2858,13 @@ func_mode_install ()
test -n "$prev" && \
func_fatal_help "the \`$prev' option requires an argument"
+ if test -n "$install_override_mode" && $no_mode; then
+ if $install_cp; then :; else
+ func_quote_for_eval "$install_override_mode"
+ func_append install_shared_prog " -m $func_quote_for_eval_result"
+ fi
+ fi
+
if test -z "$files"; then
if test -z "$dest"; then
func_fatal_help "no file or destination specified"
@@ -1977,10 +2919,13 @@ func_mode_install ()
case $file in
*.$libext)
# Do the static libraries later.
- staticlibs="$staticlibs $file"
+ func_append staticlibs " $file"
;;
*.la)
+ func_resolve_sysroot "$file"
+ file=$func_resolve_sysroot_result
+
# Check to see that this really is a libtool archive.
func_lalib_unsafe_p "$file" \
|| func_fatal_help "\`$file' is not a valid libtool archive"
@@ -1994,23 +2939,23 @@ func_mode_install ()
if test "X$destdir" = "X$libdir"; then
case "$current_libdirs " in
*" $libdir "*) ;;
- *) current_libdirs="$current_libdirs $libdir" ;;
+ *) func_append current_libdirs " $libdir" ;;
esac
else
# Note the libdir as a future libdir.
case "$future_libdirs " in
*" $libdir "*) ;;
- *) future_libdirs="$future_libdirs $libdir" ;;
+ *) func_append future_libdirs " $libdir" ;;
esac
fi
func_dirname "$file" "/" ""
dir="$func_dirname_result"
- dir="$dir$objdir"
+ func_append dir "$objdir"
if test -n "$relink_command"; then
# Determine the prefix the user has applied to our future dir.
- inst_prefix_dir=`$ECHO "X$destdir" | $Xsed -e "s%$libdir\$%%"`
+ inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"`
# Don't allow the user to place us outside of our expected
# location b/c this prevents finding dependent libraries that
@@ -2023,9 +2968,9 @@ func_mode_install ()
if test -n "$inst_prefix_dir"; then
# Stick the inst_prefix_dir data into the link command.
- relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+ relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
else
- relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%%"`
+ relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
fi
func_warning "relinking \`$file'"
@@ -2043,7 +2988,7 @@ func_mode_install ()
test -n "$relink_command" && srcname="$realname"T
# Install the shared library and build the symlinks.
- func_show_eval "$install_prog $dir/$srcname $destdir/$realname" \
+ func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \
'exit $?'
tstripme="$stripme"
case $host_os in
@@ -2083,7 +3028,7 @@ func_mode_install ()
func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
# Maybe install the static library, too.
- test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+ test -n "$old_library" && func_append staticlibs " $dir/$old_library"
;;
*.lo)
@@ -2183,7 +3128,7 @@ func_mode_install ()
if test -f "$lib"; then
func_source "$lib"
fi
- libfile="$libdir/"`$ECHO "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+ libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test
if test -n "$libdir" && test ! -f "$libfile"; then
func_warning "\`$lib' has not been installed in \`$libdir'"
finalize=no
@@ -2202,7 +3147,7 @@ func_mode_install ()
file="$func_basename_result"
outputname="$tmpdir/$file"
# Replace the output file specification.
- relink_command=`$ECHO "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+ relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
$opt_silent || {
func_quote_for_expand "$relink_command"
@@ -2221,7 +3166,7 @@ func_mode_install ()
}
else
# Install the binary that we compiled earlier.
- file=`$ECHO "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+ file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"`
fi
fi
@@ -2257,11 +3202,13 @@ func_mode_install ()
# Set up the ranlib parameters.
oldlib="$destdir/$name"
+ func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+ tool_oldlib=$func_to_tool_file_result
func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
if test -n "$stripme" && test -n "$old_striplib"; then
- func_show_eval "$old_striplib $oldlib" 'exit $?'
+ func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
fi
# Do each command in the postinstall commands.
@@ -2280,7 +3227,7 @@ func_mode_install ()
fi
}
-test "$mode" = install && func_mode_install ${1+"$@"}
+test "$opt_mode" = install && func_mode_install ${1+"$@"}
# func_generate_dlsyms outputname originator pic_p
@@ -2323,6 +3270,22 @@ func_generate_dlsyms ()
extern \"C\" {
#endif
+#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
+#pragma GCC diagnostic ignored \"-Wstrict-prototypes\"
+#endif
+
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+ relocations are performed -- see ld's documentation on pseudo-relocs. */
+# define LT_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data. */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
/* External symbol declarations for the compiler. */\
"
@@ -2332,10 +3295,11 @@ extern \"C\" {
$opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
# Add our own program objects to the symbol list.
- progfiles=`$ECHO "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP`
for progfile in $progfiles; do
- func_verbose "extracting global C symbols from \`$progfile'"
- $opt_dry_run || eval "$NM $progfile | $global_symbol_pipe >> '$nlist'"
+ func_to_tool_file "$progfile" func_convert_file_msys_to_w32
+ func_verbose "extracting global C symbols from \`$func_to_tool_file_result'"
+ $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'"
done
if test -n "$exclude_expsyms"; then
@@ -2371,7 +3335,7 @@ extern \"C\" {
eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
eval '$MV "$nlist"T "$nlist"'
case $host in
- *cygwin | *mingw* | *cegcc* )
+ *cygwin* | *mingw* | *cegcc* )
eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
;;
@@ -2384,10 +3348,52 @@ extern \"C\" {
func_verbose "extracting global C symbols from \`$dlprefile'"
func_basename "$dlprefile"
name="$func_basename_result"
- $opt_dry_run || {
- eval '$ECHO ": $name " >> "$nlist"'
- eval "$NM $dlprefile 2>/dev/null | $global_symbol_pipe >> '$nlist'"
- }
+ case $host in
+ *cygwin* | *mingw* | *cegcc* )
+ # if an import library, we need to obtain dlname
+ if func_win32_import_lib_p "$dlprefile"; then
+ func_tr_sh "$dlprefile"
+ eval "curr_lafile=\$libfile_$func_tr_sh_result"
+ dlprefile_dlbasename=""
+ if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then
+ # Use subshell, to avoid clobbering current variable values
+ dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"`
+ if test -n "$dlprefile_dlname" ; then
+ func_basename "$dlprefile_dlname"
+ dlprefile_dlbasename="$func_basename_result"
+ else
+ # no lafile. user explicitly requested -dlpreopen <import library>.
+ $sharedlib_from_linklib_cmd "$dlprefile"
+ dlprefile_dlbasename=$sharedlib_from_linklib_result
+ fi
+ fi
+ $opt_dry_run || {
+ if test -n "$dlprefile_dlbasename" ; then
+ eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"'
+ else
+ func_warning "Could not compute DLL name from $name"
+ eval '$ECHO ": $name " >> "$nlist"'
+ fi
+ func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+ eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe |
+ $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'"
+ }
+ else # not an import lib
+ $opt_dry_run || {
+ eval '$ECHO ": $name " >> "$nlist"'
+ func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+ eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+ }
+ fi
+ ;;
+ *)
+ $opt_dry_run || {
+ eval '$ECHO ": $name " >> "$nlist"'
+ func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+ eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+ }
+ ;;
+ esac
done
$opt_dry_run || {
@@ -2415,36 +3421,19 @@ extern \"C\" {
if test -f "$nlist"S; then
eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"'
else
- $ECHO '/* NONE */' >> "$output_objdir/$my_dlsyms"
+ echo '/* NONE */' >> "$output_objdir/$my_dlsyms"
fi
- $ECHO >> "$output_objdir/$my_dlsyms" "\
+ echo >> "$output_objdir/$my_dlsyms" "\
/* The mapping between symbol names and symbols. */
typedef struct {
const char *name;
void *address;
} lt_dlsymlist;
-"
- case $host in
- *cygwin* | *mingw* | *cegcc* )
- $ECHO >> "$output_objdir/$my_dlsyms" "\
-/* DATA imports from DLLs on WIN32 con't be const, because
- runtime relocations are performed -- see ld's documentation
- on pseudo-relocs. */"
- lt_dlsym_const= ;;
- *osf5*)
- echo >> "$output_objdir/$my_dlsyms" "\
-/* This system does not cope well with relocations in const data */"
- lt_dlsym_const= ;;
- *)
- lt_dlsym_const=const ;;
- esac
-
- $ECHO >> "$output_objdir/$my_dlsyms" "\
-extern $lt_dlsym_const lt_dlsymlist
+extern LT_DLSYM_CONST lt_dlsymlist
lt_${my_prefix}_LTX_preloaded_symbols[];
-$lt_dlsym_const lt_dlsymlist
+LT_DLSYM_CONST lt_dlsymlist
lt_${my_prefix}_LTX_preloaded_symbols[] =
{\
{ \"$my_originator\", (void *) 0 },"
@@ -2457,7 +3446,7 @@ lt_${my_prefix}_LTX_preloaded_symbols[] =
eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms"
;;
esac
- $ECHO >> "$output_objdir/$my_dlsyms" "\
+ echo >> "$output_objdir/$my_dlsyms" "\
{0, (void *) 0}
};
@@ -2484,7 +3473,7 @@ static const void *lt_preloaded_setup() {
# linked before any other PIC object. But we must not use
# pic_flag when linking with -static. The problem exists in
# FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
- *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+ *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
*-*-hpux*)
pic_flag_for_symtable=" $pic_flag" ;;
@@ -2500,7 +3489,7 @@ static const void *lt_preloaded_setup() {
for arg in $LTCFLAGS; do
case $arg in
-pie | -fpie | -fPIE) ;;
- *) symtab_cflags="$symtab_cflags $arg" ;;
+ *) func_append symtab_cflags " $arg" ;;
esac
done
@@ -2515,16 +3504,16 @@ static const void *lt_preloaded_setup() {
case $host in
*cygwin* | *mingw* | *cegcc* )
if test -f "$output_objdir/$my_outputname.def"; then
- compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
- finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+ compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+ finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
else
- compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
- finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+ compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+ finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
fi
;;
*)
- compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
- finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+ compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+ finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
;;
esac
;;
@@ -2538,8 +3527,8 @@ static const void *lt_preloaded_setup() {
# really was required.
# Nullify the symbol file.
- compile_command=`$ECHO "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
- finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+ compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"`
+ finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"`
fi
}
@@ -2549,6 +3538,7 @@ static const void *lt_preloaded_setup() {
# Need a lot of goo to handle *both* DLLs and import libs
# Has to be a shell function in order to 'eat' the argument
# that is supplied when $file_magic_command is called.
+# Despite the name, also deal with 64 bit binaries.
func_win32_libid ()
{
$opt_debug
@@ -2559,9 +3549,11 @@ func_win32_libid ()
win32_libid_type="x86 archive import"
;;
*ar\ archive*) # could be an import, or static
+ # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD.
if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
- $EGREP 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
- win32_nmres=`eval $NM -f posix -A $1 |
+ $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then
+ func_to_tool_file "$1" func_convert_file_msys_to_w32
+ win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
$SED -n -e '
1,100{
/ I /{
@@ -2590,6 +3582,131 @@ func_win32_libid ()
$ECHO "$win32_libid_type"
}
+# func_cygming_dll_for_implib ARG
+#
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+# Invoked by eval'ing the libtool variable
+# $sharedlib_from_linklib_cmd
+# Result is available in the variable
+# $sharedlib_from_linklib_result
+func_cygming_dll_for_implib ()
+{
+ $opt_debug
+ sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"`
+}
+
+# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs
+#
+# The is the core of a fallback implementation of a
+# platform-specific function to extract the name of the
+# DLL associated with the specified import library LIBNAME.
+#
+# SECTION_NAME is either .idata$6 or .idata$7, depending
+# on the platform and compiler that created the implib.
+#
+# Echos the name of the DLL associated with the
+# specified import library.
+func_cygming_dll_for_implib_fallback_core ()
+{
+ $opt_debug
+ match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"`
+ $OBJDUMP -s --section "$1" "$2" 2>/dev/null |
+ $SED '/^Contents of section '"$match_literal"':/{
+ # Place marker at beginning of archive member dllname section
+ s/.*/====MARK====/
+ p
+ d
+ }
+ # These lines can sometimes be longer than 43 characters, but
+ # are always uninteresting
+ /:[ ]*file format pe[i]\{,1\}-/d
+ /^In archive [^:]*:/d
+ # Ensure marker is printed
+ /^====MARK====/p
+ # Remove all lines with less than 43 characters
+ /^.\{43\}/!d
+ # From remaining lines, remove first 43 characters
+ s/^.\{43\}//' |
+ $SED -n '
+ # Join marker and all lines until next marker into a single line
+ /^====MARK====/ b para
+ H
+ $ b para
+ b
+ :para
+ x
+ s/\n//g
+ # Remove the marker
+ s/^====MARK====//
+ # Remove trailing dots and whitespace
+ s/[\. \t]*$//
+ # Print
+ /./p' |
+ # we now have a list, one entry per line, of the stringified
+ # contents of the appropriate section of all members of the
+ # archive which possess that section. Heuristic: eliminate
+ # all those which have a first or second character that is
+ # a '.' (that is, objdump's representation of an unprintable
+ # character.) This should work for all archives with less than
+ # 0x302f exports -- but will fail for DLLs whose name actually
+ # begins with a literal '.' or a single character followed by
+ # a '.'.
+ #
+ # Of those that remain, print the first one.
+ $SED -e '/^\./d;/^.\./d;q'
+}
+
+# func_cygming_gnu_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is a GNU/binutils-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_gnu_implib_p ()
+{
+ $opt_debug
+ func_to_tool_file "$1" func_convert_file_msys_to_w32
+ func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
+ test -n "$func_cygming_gnu_implib_tmp"
+}
+
+# func_cygming_ms_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is an MS-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_ms_implib_p ()
+{
+ $opt_debug
+ func_to_tool_file "$1" func_convert_file_msys_to_w32
+ func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
+ test -n "$func_cygming_ms_implib_tmp"
+}
+
+# func_cygming_dll_for_implib_fallback ARG
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+#
+# This fallback implementation is for use when $DLLTOOL
+# does not support the --identify-strict option.
+# Invoked by eval'ing the libtool variable
+# $sharedlib_from_linklib_cmd
+# Result is available in the variable
+# $sharedlib_from_linklib_result
+func_cygming_dll_for_implib_fallback ()
+{
+ $opt_debug
+ if func_cygming_gnu_implib_p "$1" ; then
+ # binutils import library
+ sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"`
+ elif func_cygming_ms_implib_p "$1" ; then
+ # ms-generated import library
+ sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"`
+ else
+ # unknown
+ sharedlib_from_linklib_result=""
+ fi
+}
# func_extract_an_archive dir oldlib
@@ -2598,7 +3715,18 @@ func_extract_an_archive ()
$opt_debug
f_ex_an_ar_dir="$1"; shift
f_ex_an_ar_oldlib="$1"
- func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" 'exit $?'
+ if test "$lock_old_archive_extraction" = yes; then
+ lockfile=$f_ex_an_ar_oldlib.lock
+ until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
+ func_echo "Waiting for $lockfile to be removed"
+ sleep 2
+ done
+ fi
+ func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \
+ 'stat=$?; rm -f "$lockfile"; exit $stat'
+ if test "$lock_old_archive_extraction" = yes; then
+ $opt_dry_run || rm -f "$lockfile"
+ fi
if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
:
else
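Review bot: The lock wait added to func_extract_an_archive has no upper bound: `until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null` retries every two seconds for as long as `ln` fails. Because stderr is discarded, a stale `.lock` left by an interrupted build looks the same as an unwritable directory or a filesystem that refuses the hard link. Count the attempts and stop with an error after a limit, and print the `ln` failure at least once instead of sending it to /dev/null. The failure handler `'stat=$?; rm -f "$lockfile"; exit $stat'` also runs when `lock_old_archive_extraction` is not `yes`, where `$lockfile` was never assigned in this call; guard it the same way as the `rm -f` two lines below. The function starts and continues outside this hunk.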
@@ -2669,7 +3797,7 @@ func_extract_archives ()
darwin_file=
darwin_files=
for darwin_file in $darwin_filelist; do
- darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+ darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
$LIPO -create -output "$darwin_file" $darwin_files
done # $darwin_filelist
$RM -rf unfat-$$
@@ -2684,25 +3812,30 @@ func_extract_archives ()
func_extract_an_archive "$my_xdir" "$my_xabs"
;;
esac
- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
done
func_extract_archives_result="$my_oldobjs"
}
-
-# func_emit_wrapper_part1 [arg=no]
+# func_emit_wrapper [arg=no]
#
-# Emit the first part of a libtool wrapper script on stdout.
-# For more information, see the description associated with
-# func_emit_wrapper(), below.
-func_emit_wrapper_part1 ()
+# Emit a libtool wrapper script on stdout.
+# Don't directly open a file because we may want to
+# incorporate the script contents within a cygwin/mingw
+# wrapper executable. Must ONLY be called from within
+# func_mode_link because it depends on a number of variables
+# set therein.
+#
+# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
+# variable will take. If 'yes', then the emitted script
+# will assume that the directory in which it is stored is
+# the $objdir directory. This is a cygwin/mingw-specific
+# behavior.
+func_emit_wrapper ()
{
- func_emit_wrapper_part1_arg1=no
- if test -n "$1" ; then
- func_emit_wrapper_part1_arg1=$1
- fi
+ func_emit_wrapper_arg1=${1-no}
$ECHO "\
#! $SHELL
@@ -2718,7 +3851,6 @@ func_emit_wrapper_part1 ()
# Sed substitution that helps us do robust quoting. It backslashifies
# metacharacters that are still active within double-quoted strings.
-Xsed='${SED} -e 1s/^X//'
sed_quote_subst='$sed_quote_subst'
# Be Bourne compatible
@@ -2749,31 +3881,135 @@ if test \"\$libtool_install_magic\" = \"$magic\"; then
else
# When we are sourced in execute mode, \$file and \$ECHO are already set.
if test \"\$libtool_execute_magic\" != \"$magic\"; then
- ECHO=\"$qecho\"
- file=\"\$0\"
- # Make sure echo works.
- if test \"X\$1\" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
- elif test \"X\`{ \$ECHO '\t'; } 2>/dev/null\`\" = 'X\t'; then
- # Yippee, \$ECHO works!
- :
- else
- # Restart under the correct shell, and then maybe \$ECHO will work.
- exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
- fi
- fi\
+ file=\"\$0\""
+
+ qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"`
+ $ECHO "\
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+ eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+ ECHO=\"$qECHO\"
+ fi
+
+# Very basic option parsing. These options are (a) specific to
+# the libtool wrapper, (b) are identical between the wrapper
+# /script/ and the wrapper /executable/ which is used only on
+# windows platforms, and (c) all begin with the string "--lt-"
+# (application programs are unlikely to have options which match
+# this pattern).
+#
+# There are only two supported options: --lt-debug and
+# --lt-dump-script. There is, deliberately, no --lt-help.
+#
+# The first argument to this parsing function should be the
+# script's $0 value, followed by "$@".
+lt_option_debug=
+func_parse_lt_options ()
+{
+ lt_script_arg0=\$0
+ shift
+ for lt_opt
+ do
+ case \"\$lt_opt\" in
+ --lt-debug) lt_option_debug=1 ;;
+ --lt-dump-script)
+ lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\`
+ test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=.
+ lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\`
+ cat \"\$lt_dump_D/\$lt_dump_F\"
+ exit 0
+ ;;
+ --lt-*)
+ \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+
+ # Print the debug banner immediately:
+ if test -n \"\$lt_option_debug\"; then
+ echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2
+ fi
+}
+
+# Used when --lt-debug. Prints its arguments to stdout
+# (redirection is the responsibility of the caller)
+func_lt_dump_args ()
+{
+ lt_dump_args_N=1;
+ for lt_arg
+ do
+ \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\"
+ lt_dump_args_N=\`expr \$lt_dump_args_N + 1\`
+ done
+}
+
+# Core function for launching the target application
+func_exec_program_core ()
+{
"
- $ECHO "\
+ case $host in
+ # Backslashes separate directories on plain windows
+ *-*-mingw | *-*-os2* | *-cegcc*)
+ $ECHO "\
+ if test -n \"\$lt_option_debug\"; then
+ \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2
+ func_lt_dump_args \${1+\"\$@\"} 1>&2
+ fi
+ exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+ ;;
+
+ *)
+ $ECHO "\
+ if test -n \"\$lt_option_debug\"; then
+ \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2
+ func_lt_dump_args \${1+\"\$@\"} 1>&2
+ fi
+ exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
+ ;;
+ esac
+ $ECHO "\
+ \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
+ exit 1
+}
+
+# A function to encapsulate launching the target application
+# Strips options in the --lt-* namespace from \$@ and
+# launches target application with the remaining arguments.
+func_exec_program ()
+{
+ case \" \$* \" in
+ *\\ --lt-*)
+ for lt_wr_arg
+ do
+ case \$lt_wr_arg in
+ --lt-*) ;;
+ *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
+ esac
+ shift
+ done ;;
+ esac
+ func_exec_program_core \${1+\"\$@\"}
+}
+
+ # Parse options
+ func_parse_lt_options \"\$0\" \${1+\"\$@\"}
# Find the directory that this script lives in.
- thisdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+ thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\`
test \"x\$thisdir\" = \"x\$file\" && thisdir=.
# Follow symbolic links until we get to the real thisdir.
- file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+ file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\`
while test -n \"\$file\"; do
- destdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+ destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\`
# If there was a directory component, then change thisdir.
if test \"x\$destdir\" != \"x\$file\"; then
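Review bot: With `--lt-debug` the emitted wrapper writes the complete argument vector of the wrapped program to stderr (`func_lt_dump_args \${1+\"\$@\"} 1>&2` in both branches of func_exec_program_core), so anything passed on the command line, secrets included, ends up wherever stderr is captured. The comment above func_lt_dump_args should say so, for example `# Prints every argument verbatim; avoid --lt-debug when arguments carry secrets or stderr is logged.` Separately, the comment on func_parse_lt_options says the first argument is the script's $0, but the body reads `lt_script_arg0=\$0` and discards that argument with `shift`; `lt_script_arg0=\$1` would match the documented contract.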
@@ -2783,30 +4019,13 @@ else
esac
fi
- file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
- file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+ file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\`
+ file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\`
done
-"
-}
-# end: func_emit_wrapper_part1
-
-# func_emit_wrapper_part2 [arg=no]
-#
-# Emit the second part of a libtool wrapper script on stdout.
-# For more information, see the description associated with
-# func_emit_wrapper(), below.
-func_emit_wrapper_part2 ()
-{
- func_emit_wrapper_part2_arg1=no
- if test -n "$1" ; then
- func_emit_wrapper_part2_arg1=$1
- fi
-
- $ECHO "\
# Usually 'no', except on cygwin/mingw when embedded into
# the cwrapper.
- WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_part2_arg1
+ WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
# special case for '.'
if test \"\$thisdir\" = \".\"; then
@@ -2814,7 +4033,7 @@ func_emit_wrapper_part2 ()
fi
# remove .libs from thisdir
case \"\$thisdir\" in
- *[\\\\/]$objdir ) thisdir=\`\$ECHO \"X\$thisdir\" | \$Xsed -e 's%[\\\\/][^\\\\/]*$%%'\` ;;
+ *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;;
$objdir ) thisdir=. ;;
esac
fi
@@ -2869,6 +4088,18 @@ func_emit_wrapper_part2 ()
if test -f \"\$progdir/\$program\"; then"
+ # fixup the dll searchpath if we need to.
+ #
+ # Fix the DLL searchpath if we need to. Do this before prepending
+ # to shlibpath, because on Windows, both are PATH and uninstalled
+ # libraries must come first.
+ if test -n "$dllsearchpath"; then
+ $ECHO "\
+ # Add the dll search path components to the executable PATH
+ PATH=$dllsearchpath:\$PATH
+"
+ fi
+
# Export our shlibpath_var if we have one.
if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
$ECHO "\
@@ -2877,254 +4108,29 @@ func_emit_wrapper_part2 ()
# Some systems cannot cope with colon-terminated $shlibpath_var
# The second colon is a workaround for a bug in BeOS R4 sed
- $shlibpath_var=\`\$ECHO \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+ $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\`
export $shlibpath_var
"
fi
- # fixup the dll searchpath if we need to.
- if test -n "$dllsearchpath"; then
- $ECHO "\
- # Add the dll search path components to the executable PATH
- PATH=$dllsearchpath:\$PATH
-"
- fi
-
$ECHO "\
if test \"\$libtool_execute_magic\" != \"$magic\"; then
# Run the actual program with our arguments.
-"
- case $host in
- # Backslashes separate directories on plain windows
- *-*-mingw | *-*-os2* | *-cegcc*)
- $ECHO "\
- exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
-"
- ;;
-
- *)
- $ECHO "\
- exec \"\$progdir/\$program\" \${1+\"\$@\"}
-"
- ;;
- esac
- $ECHO "\
- \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
- exit 1
+ func_exec_program \${1+\"\$@\"}
fi
else
# The program doesn't exist.
\$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
\$ECHO \"This script is just a wrapper for \$program.\" 1>&2
- $ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
+ \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
exit 1
fi
fi\
"
}
-# end: func_emit_wrapper_part2
-
-
-# func_emit_wrapper [arg=no]
-#
-# Emit a libtool wrapper script on stdout.
-# Don't directly open a file because we may want to
-# incorporate the script contents within a cygwin/mingw
-# wrapper executable. Must ONLY be called from within
-# func_mode_link because it depends on a number of variables
-# set therein.
-#
-# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
-# variable will take. If 'yes', then the emitted script
-# will assume that the directory in which it is stored is
-# the $objdir directory. This is a cygwin/mingw-specific
-# behavior.
-func_emit_wrapper ()
-{
- func_emit_wrapper_arg1=no
- if test -n "$1" ; then
- func_emit_wrapper_arg1=$1
- fi
-
- # split this up so that func_emit_cwrapperexe_src
- # can call each part independently.
- func_emit_wrapper_part1 "${func_emit_wrapper_arg1}"
- func_emit_wrapper_part2 "${func_emit_wrapper_arg1}"
-}
-# func_to_host_path arg
-#
-# Convert paths to host format when used with build tools.
-# Intended for use with "native" mingw (where libtool itself
-# is running under the msys shell), or in the following cross-
-# build environments:
-# $build $host
-# mingw (msys) mingw [e.g. native]
-# cygwin mingw
-# *nix + wine mingw
-# where wine is equipped with the `winepath' executable.
-# In the native mingw case, the (msys) shell automatically
-# converts paths for any non-msys applications it launches,
-# but that facility isn't available from inside the cwrapper.
-# Similar accommodations are necessary for $host mingw and
-# $build cygwin. Calling this function does no harm for other
-# $host/$build combinations not listed above.
-#
-# ARG is the path (on $build) that should be converted to
-# the proper representation for $host. The result is stored
-# in $func_to_host_path_result.
-func_to_host_path ()
-{
- func_to_host_path_result="$1"
- if test -n "$1" ; then
- case $host in
- *mingw* )
- lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
- case $build in
- *mingw* ) # actually, msys
- # awkward: cmd appends spaces to result
- lt_sed_strip_trailing_spaces="s/[ ]*\$//"
- func_to_host_path_tmp1=`( cmd //c echo "$1" |\
- $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
- func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
- $SED -e "$lt_sed_naive_backslashify"`
- ;;
- *cygwin* )
- func_to_host_path_tmp1=`cygpath -w "$1"`
- func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
- $SED -e "$lt_sed_naive_backslashify"`
- ;;
- * )
- # Unfortunately, winepath does not exit with a non-zero
- # error code, so we are forced to check the contents of
- # stdout. On the other hand, if the command is not
- # found, the shell will set an exit code of 127 and print
- # *an error message* to stdout. So we must check for both
- # error code of zero AND non-empty stdout, which explains
- # the odd construction:
- func_to_host_path_tmp1=`winepath -w "$1" 2>/dev/null`
- if test "$?" -eq 0 && test -n "${func_to_host_path_tmp1}"; then
- func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
- $SED -e "$lt_sed_naive_backslashify"`
- else
- # Allow warning below.
- func_to_host_path_result=""
- fi
- ;;
- esac
- if test -z "$func_to_host_path_result" ; then
- func_error "Could not determine host path corresponding to"
- func_error " '$1'"
- func_error "Continuing, but uninstalled executables may not work."
- # Fallback:
- func_to_host_path_result="$1"
- fi
- ;;
- esac
- fi
-}
-# end: func_to_host_path
-
-# func_to_host_pathlist arg
-#
-# Convert pathlists to host format when used with build tools.
-# See func_to_host_path(), above. This function supports the
-# following $build/$host combinations (but does no harm for
-# combinations not listed here):
-# $build $host
-# mingw (msys) mingw [e.g. native]
-# cygwin mingw
-# *nix + wine mingw
-#
-# Path separators are also converted from $build format to
-# $host format. If ARG begins or ends with a path separator
-# character, it is preserved (but converted to $host format)
-# on output.
-#
-# ARG is a pathlist (on $build) that should be converted to
-# the proper representation on $host. The result is stored
-# in $func_to_host_pathlist_result.
-func_to_host_pathlist ()
-{
- func_to_host_pathlist_result="$1"
- if test -n "$1" ; then
- case $host in
- *mingw* )
- lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
- # Remove leading and trailing path separator characters from
- # ARG. msys behavior is inconsistent here, cygpath turns them
- # into '.;' and ';.', and winepath ignores them completely.
- func_to_host_pathlist_tmp2="$1"
- # Once set for this call, this variable should not be
- # reassigned. It is used in tha fallback case.
- func_to_host_pathlist_tmp1=`echo "$func_to_host_pathlist_tmp2" |\
- $SED -e 's|^:*||' -e 's|:*$||'`
- case $build in
- *mingw* ) # Actually, msys.
- # Awkward: cmd appends spaces to result.
- lt_sed_strip_trailing_spaces="s/[ ]*\$//"
- func_to_host_pathlist_tmp2=`( cmd //c echo "$func_to_host_pathlist_tmp1" |\
- $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
- func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
- $SED -e "$lt_sed_naive_backslashify"`
- ;;
- *cygwin* )
- func_to_host_pathlist_tmp2=`cygpath -w -p "$func_to_host_pathlist_tmp1"`
- func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
- $SED -e "$lt_sed_naive_backslashify"`
- ;;
- * )
- # unfortunately, winepath doesn't convert pathlists
- func_to_host_pathlist_result=""
- func_to_host_pathlist_oldIFS=$IFS
- IFS=:
- for func_to_host_pathlist_f in $func_to_host_pathlist_tmp1 ; do
- IFS=$func_to_host_pathlist_oldIFS
- if test -n "$func_to_host_pathlist_f" ; then
- func_to_host_path "$func_to_host_pathlist_f"
- if test -n "$func_to_host_path_result" ; then
- if test -z "$func_to_host_pathlist_result" ; then
- func_to_host_pathlist_result="$func_to_host_path_result"
- else
- func_to_host_pathlist_result="$func_to_host_pathlist_result;$func_to_host_path_result"
- fi
- fi
- fi
- IFS=:
- done
- IFS=$func_to_host_pathlist_oldIFS
- ;;
- esac
- if test -z "$func_to_host_pathlist_result" ; then
- func_error "Could not determine the host path(s) corresponding to"
- func_error " '$1'"
- func_error "Continuing, but uninstalled executables may not work."
- # Fallback. This may break if $1 contains DOS-style drive
- # specifications. The fix is not to complicate the expression
- # below, but for the user to provide a working wine installation
- # with winepath so that path translation in the cross-to-mingw
- # case works properly.
- lt_replace_pathsep_nix_to_dos="s|:|;|g"
- func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp1" |\
- $SED -e "$lt_replace_pathsep_nix_to_dos"`
- fi
- # Now, add the leading and trailing path separators back
- case "$1" in
- :* ) func_to_host_pathlist_result=";$func_to_host_pathlist_result"
- ;;
- esac
- case "$1" in
- *: ) func_to_host_pathlist_result="$func_to_host_pathlist_result;"
- ;;
- esac
- ;;
- esac
- fi
-}
-# end: func_to_host_pathlist
-
# func_emit_cwrapperexe_src
# emit the source code for a wrapper executable on stdout
# Must ONLY be called from within func_mode_link because
@@ -3141,31 +4147,23 @@ func_emit_cwrapperexe_src ()
This wrapper executable should never be moved out of the build directory.
If it is, it will not operate correctly.
-
- Currently, it simply execs the wrapper *script* "$SHELL $output",
- but could eventually absorb all of the scripts functionality and
- exec $objdir/$outputname directly.
*/
EOF
cat <<"EOF"
+#ifdef _MSC_VER
+# define _CRT_SECURE_NO_DEPRECATE 1
+#endif
#include <stdio.h>
#include <stdlib.h>
#ifdef _MSC_VER
# include <direct.h>
# include <process.h>
# include <io.h>
-# define setmode _setmode
#else
# include <unistd.h>
# include <stdint.h>
# ifdef __CYGWIN__
# include <io.h>
-# define HAVE_SETENV
-# ifdef __STRICT_ANSI__
-char *realpath (const char *, char *);
-int putenv (char *);
-int setenv (const char *, const char *, int);
-# endif
# endif
#endif
#include <malloc.h>
@@ -3177,6 +4175,44 @@ int setenv (const char *, const char *, int);
#include <fcntl.h>
#include <sys/stat.h>
+/* declarations of non-ANSI functions */
+#if defined(__MINGW32__)
+# ifdef __STRICT_ANSI__
+int _putenv (const char *);
+# endif
+#elif defined(__CYGWIN__)
+# ifdef __STRICT_ANSI__
+char *realpath (const char *, char *);
+int putenv (char *);
+int setenv (const char *, const char *, int);
+# endif
+/* #elif defined (other platforms) ... */
+#endif
+
+/* portability defines, excluding path handling macros */
+#if defined(_MSC_VER)
+# define setmode _setmode
+# define stat _stat
+# define chmod _chmod
+# define getcwd _getcwd
+# define putenv _putenv
+# define S_IXUSR _S_IEXEC
+# ifndef _INTPTR_T_DEFINED
+# define _INTPTR_T_DEFINED
+# define intptr_t int
+# endif
+#elif defined(__MINGW32__)
+# define setmode _setmode
+# define stat _stat
+# define chmod _chmod
+# define getcwd _getcwd
+# define putenv _putenv
+#elif defined(__CYGWIN__)
+# define HAVE_SETENV
+# define FOPEN_WB "wb"
+/* #elif defined (other platforms) ... */
+#endif
+
#if defined(PATH_MAX)
# define LT_PATHMAX PATH_MAX
#elif defined(MAXPATHLEN)
@@ -3192,14 +4228,7 @@ int setenv (const char *, const char *, int);
# define S_IXGRP 0
#endif
-#ifdef _MSC_VER
-# define S_IXUSR _S_IEXEC
-# define stat _stat
-# ifndef _INTPTR_T_DEFINED
-# define intptr_t int
-# endif
-#endif
-
+/* path handling portability macros */
#ifndef DIR_SEPARATOR
# define DIR_SEPARATOR '/'
# define PATH_SEPARATOR ':'
@@ -3230,10 +4259,6 @@ int setenv (const char *, const char *, int);
# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
#endif /* PATH_SEPARATOR_2 */
-#ifdef __CYGWIN__
-# define FOPEN_WB "wb"
-#endif
-
#ifndef FOPEN_WB
# define FOPEN_WB "w"
#endif
@@ -3246,22 +4271,13 @@ int setenv (const char *, const char *, int);
if (stale) { free ((void *) stale); stale = 0; } \
} while (0)
-#undef LTWRAPPER_DEBUGPRINTF
-#if defined DEBUGWRAPPER
-# define LTWRAPPER_DEBUGPRINTF(args) ltwrapper_debugprintf args
-static void
-ltwrapper_debugprintf (const char *fmt, ...)
-{
- va_list args;
- va_start (args, fmt);
- (void) vfprintf (stderr, fmt, args);
- va_end (args);
-}
+#if defined(LT_DEBUGWRAPPER)
+static int lt_debug = 1;
#else
-# define LTWRAPPER_DEBUGPRINTF(args)
+static int lt_debug = 0;
#endif
-const char *program_name = NULL;
+const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */
void *xmalloc (size_t num);
char *xstrdup (const char *string);
@@ -3271,41 +4287,27 @@ char *chase_symlinks (const char *pathspec);
int make_executable (const char *path);
int check_executable (const char *path);
char *strendzap (char *str, const char *pat);
-void lt_fatal (const char *message, ...);
+void lt_debugprintf (const char *file, int line, const char *fmt, ...);
+void lt_fatal (const char *file, int line, const char *message, ...);
+static const char *nonnull (const char *s);
+static const char *nonempty (const char *s);
void lt_setenv (const char *name, const char *value);
char *lt_extend_str (const char *orig_value, const char *add, int to_end);
-void lt_opt_process_env_set (const char *arg);
-void lt_opt_process_env_prepend (const char *arg);
-void lt_opt_process_env_append (const char *arg);
-int lt_split_name_value (const char *arg, char** name, char** value);
void lt_update_exe_path (const char *name, const char *value);
void lt_update_lib_path (const char *name, const char *value);
-
-static const char *script_text_part1 =
+char **prepare_spawn (char **argv);
+void lt_dump_script (FILE *f);
EOF
- func_emit_wrapper_part1 yes |
- $SED -e 's/\([\\"]\)/\\\1/g' \
- -e 's/^/ "/' -e 's/$/\\n"/'
- echo ";"
cat <<EOF
-
-static const char *script_text_part2 =
-EOF
- func_emit_wrapper_part2 yes |
- $SED -e 's/\([\\"]\)/\\\1/g' \
- -e 's/^/ "/' -e 's/$/\\n"/'
- echo ";"
-
- cat <<EOF
-const char * MAGIC_EXE = "$magic_exe";
+volatile const char * MAGIC_EXE = "$magic_exe";
const char * LIB_PATH_VARNAME = "$shlibpath_var";
EOF
if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
- func_to_host_pathlist "$temp_rpath"
+ func_to_host_path "$temp_rpath"
cat <<EOF
-const char * LIB_PATH_VALUE = "$func_to_host_pathlist_result";
+const char * LIB_PATH_VALUE = "$func_to_host_path_result";
EOF
else
cat <<"EOF"
@@ -3314,10 +4316,10 @@ EOF
fi
if test -n "$dllsearchpath"; then
- func_to_host_pathlist "$dllsearchpath:"
+ func_to_host_path "$dllsearchpath:"
cat <<EOF
const char * EXE_PATH_VARNAME = "PATH";
-const char * EXE_PATH_VALUE = "$func_to_host_pathlist_result";
+const char * EXE_PATH_VALUE = "$func_to_host_path_result";
EOF
else
cat <<"EOF"
@@ -3340,24 +4342,10 @@ EOF
cat <<"EOF"
#define LTWRAPPER_OPTION_PREFIX "--lt-"
-#define LTWRAPPER_OPTION_PREFIX_LENGTH 5
-static const size_t opt_prefix_len = LTWRAPPER_OPTION_PREFIX_LENGTH;
static const char *ltwrapper_option_prefix = LTWRAPPER_OPTION_PREFIX;
-
static const char *dumpscript_opt = LTWRAPPER_OPTION_PREFIX "dump-script";
-
-static const size_t env_set_opt_len = LTWRAPPER_OPTION_PREFIX_LENGTH + 7;
-static const char *env_set_opt = LTWRAPPER_OPTION_PREFIX "env-set";
- /* argument is putenv-style "foo=bar", value of foo is set to bar */
-
-static const size_t env_prepend_opt_len = LTWRAPPER_OPTION_PREFIX_LENGTH + 11;
-static const char *env_prepend_opt = LTWRAPPER_OPTION_PREFIX "env-prepend";
- /* argument is putenv-style "foo=bar", new value of foo is bar${foo} */
-
-static const size_t env_append_opt_len = LTWRAPPER_OPTION_PREFIX_LENGTH + 10;
-static const char *env_append_opt = LTWRAPPER_OPTION_PREFIX "env-append";
- /* argument is putenv-style "foo=bar", new value of foo is ${foo}bar */
+static const char *debug_opt = LTWRAPPER_OPTION_PREFIX "debug";
int
main (int argc, char *argv[])
@@ -3374,10 +4362,13 @@ main (int argc, char *argv[])
int i;
program_name = (char *) xstrdup (base_name (argv[0]));
- LTWRAPPER_DEBUGPRINTF (("(main) argv[0] : %s\n", argv[0]));
- LTWRAPPER_DEBUGPRINTF (("(main) program_name : %s\n", program_name));
+ newargz = XMALLOC (char *, argc + 1);
- /* very simple arg parsing; don't want to rely on getopt */
+ /* very simple arg parsing; don't want to rely on getopt
+ * also, copy all non cwrapper options to newargz, except
+ * argz[0], which is handled differently
+ */
+ newargc=0;
for (i = 1; i < argc; i++)
{
if (strcmp (argv[i], dumpscript_opt) == 0)
@@ -3391,25 +4382,57 @@ EOF
esac
cat <<"EOF"
- printf ("%s", script_text_part1);
- printf ("%s", script_text_part2);
+ lt_dump_script (stdout);
return 0;
}
+ if (strcmp (argv[i], debug_opt) == 0)
+ {
+ lt_debug = 1;
+ continue;
+ }
+ if (strcmp (argv[i], ltwrapper_option_prefix) == 0)
+ {
+ /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
+ namespace, but it is not one of the ones we know about and
+ have already dealt with, above (inluding dump-script), then
+ report an error. Otherwise, targets might begin to believe
+ they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
+ namespace. The first time any user complains about this, we'll
+ need to make LTWRAPPER_OPTION_PREFIX a configure-time option
+ or a configure.ac-settable value.
+ */
+ lt_fatal (__FILE__, __LINE__,
+ "unrecognized %s option: '%s'",
+ ltwrapper_option_prefix, argv[i]);
+ }
+ /* otherwise ... */
+ newargz[++newargc] = xstrdup (argv[i]);
}
+ newargz[++newargc] = NULL;
+
+EOF
+ cat <<EOF
+ /* The GNU banner must be the first non-error debug message */
+ lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\n");
+EOF
+ cat <<"EOF"
+ lt_debugprintf (__FILE__, __LINE__, "(main) argv[0]: %s\n", argv[0]);
+ lt_debugprintf (__FILE__, __LINE__, "(main) program_name: %s\n", program_name);
- newargz = XMALLOC (char *, argc + 1);
tmp_pathspec = find_executable (argv[0]);
if (tmp_pathspec == NULL)
- lt_fatal ("Couldn't find %s", argv[0]);
- LTWRAPPER_DEBUGPRINTF (("(main) found exe (before symlink chase) at : %s\n",
- tmp_pathspec));
+ lt_fatal (__FILE__, __LINE__, "couldn't find %s", argv[0]);
+ lt_debugprintf (__FILE__, __LINE__,
+ "(main) found exe (before symlink chase) at: %s\n",
+ tmp_pathspec);
actual_cwrapper_path = chase_symlinks (tmp_pathspec);
- LTWRAPPER_DEBUGPRINTF (("(main) found exe (after symlink chase) at : %s\n",
- actual_cwrapper_path));
+ lt_debugprintf (__FILE__, __LINE__,
+ "(main) found exe (after symlink chase) at: %s\n",
+ actual_cwrapper_path);
XFREE (tmp_pathspec);
- actual_cwrapper_name = xstrdup( base_name (actual_cwrapper_path));
+ actual_cwrapper_name = xstrdup (base_name (actual_cwrapper_path));
strendzap (actual_cwrapper_path, actual_cwrapper_name);
/* wrapper name transforms */
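Review bot: The namespace check `if (strcmp (argv[i], ltwrapper_option_prefix) == 0)` only matches an argument that is exactly `--lt-`, so an unknown option such as `--lt-foo` never reaches lt_fatal and is copied into newargz for the target program, contrary to the comment inside the block. The loop this replaces (removed further down in the file) compared only the prefix with `strncmp (argv[i], ltwrapper_option_prefix, opt_prefix_len)`, and the shell wrapper still rejects any `--lt-*` argument, so the two wrappers now disagree. Restore the prefix comparison, e.g. `if (strncmp (argv[i], ltwrapper_option_prefix, strlen (ltwrapper_option_prefix)) == 0)`. main() starts and continues outside this hunk.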
@@ -3427,8 +4450,9 @@ EOF
target_name = tmp_pathspec;
tmp_pathspec = 0;
- LTWRAPPER_DEBUGPRINTF (("(main) libtool target name: %s\n",
- target_name));
+ lt_debugprintf (__FILE__, __LINE__,
+ "(main) libtool target name: %s\n",
+ target_name);
EOF
cat <<EOF
@@ -3478,80 +4502,19 @@ EOF
lt_setenv ("BIN_SH", "xpg4"); /* for Tru64 */
lt_setenv ("DUALCASE", "1"); /* for MSK sh */
- lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
+ /* Update the DLL searchpath. EXE_PATH_VALUE ($dllsearchpath) must
+ be prepended before (that is, appear after) LIB_PATH_VALUE ($temp_rpath)
+ because on Windows, both *_VARNAMEs are PATH but uninstalled
+ libraries must come first. */
lt_update_exe_path (EXE_PATH_VARNAME, EXE_PATH_VALUE);
+ lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
- newargc=0;
- for (i = 1; i < argc; i++)
- {
- if (strncmp (argv[i], env_set_opt, env_set_opt_len) == 0)
- {
- if (argv[i][env_set_opt_len] == '=')
- {
- const char *p = argv[i] + env_set_opt_len + 1;
- lt_opt_process_env_set (p);
- }
- else if (argv[i][env_set_opt_len] == '\0' && i + 1 < argc)
- {
- lt_opt_process_env_set (argv[++i]); /* don't copy */
- }
- else
- lt_fatal ("%s missing required argument", env_set_opt);
- continue;
- }
- if (strncmp (argv[i], env_prepend_opt, env_prepend_opt_len) == 0)
- {
- if (argv[i][env_prepend_opt_len] == '=')
- {
- const char *p = argv[i] + env_prepend_opt_len + 1;
- lt_opt_process_env_prepend (p);
- }
- else if (argv[i][env_prepend_opt_len] == '\0' && i + 1 < argc)
- {
- lt_opt_process_env_prepend (argv[++i]); /* don't copy */
- }
- else
- lt_fatal ("%s missing required argument", env_prepend_opt);
- continue;
- }
- if (strncmp (argv[i], env_append_opt, env_append_opt_len) == 0)
- {
- if (argv[i][env_append_opt_len] == '=')
- {
- const char *p = argv[i] + env_append_opt_len + 1;
- lt_opt_process_env_append (p);
- }
- else if (argv[i][env_append_opt_len] == '\0' && i + 1 < argc)
- {
- lt_opt_process_env_append (argv[++i]); /* don't copy */
- }
- else
- lt_fatal ("%s missing required argument", env_append_opt);
- continue;
- }
- if (strncmp (argv[i], ltwrapper_option_prefix, opt_prefix_len) == 0)
- {
- /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
- namespace, but it is not one of the ones we know about and
- have already dealt with, above (inluding dump-script), then
- report an error. Otherwise, targets might begin to believe
- they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
- namespace. The first time any user complains about this, we'll
- need to make LTWRAPPER_OPTION_PREFIX a configure-time option
- or a configure.ac-settable value.
- */
- lt_fatal ("Unrecognized option in %s namespace: '%s'",
- ltwrapper_option_prefix, argv[i]);
- }
- /* otherwise ... */
- newargz[++newargc] = xstrdup (argv[i]);
- }
- newargz[++newargc] = NULL;
-
- LTWRAPPER_DEBUGPRINTF (("(main) lt_argv_zero : %s\n", (lt_argv_zero ? lt_argv_zero : "<NULL>")));
+ lt_debugprintf (__FILE__, __LINE__, "(main) lt_argv_zero: %s\n",
+ nonnull (lt_argv_zero));
for (i = 0; i < newargc; i++)
{
- LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d] : %s\n", i, (newargz[i] ? newargz[i] : "<NULL>")));
+ lt_debugprintf (__FILE__, __LINE__, "(main) newargz[%d]: %s\n",
+ i, nonnull (newargz[i]));
}
EOF
@@ -3560,11 +4523,14 @@ EOF
mingw*)
cat <<"EOF"
/* execv doesn't actually work on mingw as expected on unix */
+ newargz = prepare_spawn (newargz);
rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
if (rval == -1)
{
/* failed to start process */
- LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"%s\": errno = %d\n", lt_argv_zero, errno));
+ lt_debugprintf (__FILE__, __LINE__,
+ "(main) failed to launch target \"%s\": %s\n",
+ lt_argv_zero, nonnull (strerror (errno)));
return 127;
}
return rval;
@@ -3586,7 +4552,7 @@ xmalloc (size_t num)
{
void *p = (void *) malloc (num);
if (!p)
- lt_fatal ("Memory exhausted");
+ lt_fatal (__FILE__, __LINE__, "memory exhausted");
return p;
}
@@ -3620,8 +4586,8 @@ check_executable (const char *path)
{
struct stat st;
- LTWRAPPER_DEBUGPRINTF (("(check_executable) : %s\n",
- path ? (*path ? path : "EMPTY!") : "NULL!"));
+ lt_debugprintf (__FILE__, __LINE__, "(check_executable): %s\n",
+ nonempty (path));
if ((!path) || (!*path))
return 0;
@@ -3638,8 +4604,8 @@ make_executable (const char *path)
int rval = 0;
struct stat st;
- LTWRAPPER_DEBUGPRINTF (("(make_executable) : %s\n",
- path ? (*path ? path : "EMPTY!") : "NULL!"));
+ lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n",
+ nonempty (path));
if ((!path) || (!*path))
return 0;
@@ -3665,8 +4631,8 @@ find_executable (const char *wrapper)
int tmp_len;
char *concat_name;
- LTWRAPPER_DEBUGPRINTF (("(find_executable) : %s\n",
- wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!"));
+ lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n",
+ nonempty (wrapper));
if ((wrapper == NULL) || (*wrapper == '\0'))
return NULL;
@@ -3719,7 +4685,8 @@ find_executable (const char *wrapper)
{
/* empty path: current directory */
if (getcwd (tmp, LT_PATHMAX) == NULL)
- lt_fatal ("getcwd failed");
+ lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+ nonnull (strerror (errno)));
tmp_len = strlen (tmp);
concat_name =
XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
@@ -3744,7 +4711,8 @@ find_executable (const char *wrapper)
}
/* Relative path | not found in path: prepend cwd */
if (getcwd (tmp, LT_PATHMAX) == NULL)
- lt_fatal ("getcwd failed");
+ lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+ nonnull (strerror (errno)));
tmp_len = strlen (tmp);
concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
memcpy (concat_name, tmp, tmp_len);
@@ -3770,8 +4738,9 @@ chase_symlinks (const char *pathspec)
int has_symlinks = 0;
while (strlen (tmp_pathspec) && !has_symlinks)
{
- LTWRAPPER_DEBUGPRINTF (("checking path component for symlinks: %s\n",
- tmp_pathspec));
+ lt_debugprintf (__FILE__, __LINE__,
+ "checking path component for symlinks: %s\n",
+ tmp_pathspec);
if (lstat (tmp_pathspec, &s) == 0)
{
if (S_ISLNK (s.st_mode) != 0)
@@ -3793,8 +4762,9 @@ chase_symlinks (const char *pathspec)
}
else
{
- char *errstr = strerror (errno);
- lt_fatal ("Error accessing file %s (%s)", tmp_pathspec, errstr);
+ lt_fatal (__FILE__, __LINE__,
+ "error accessing file \"%s\": %s",
+ tmp_pathspec, nonnull (strerror (errno)));
}
}
XFREE (tmp_pathspec);
@@ -3807,7 +4777,8 @@ chase_symlinks (const char *pathspec)
tmp_pathspec = realpath (pathspec, buf);
if (tmp_pathspec == 0)
{
- lt_fatal ("Could not follow symlinks for %s", pathspec);
+ lt_fatal (__FILE__, __LINE__,
+ "could not follow symlinks for %s", pathspec);
}
return xstrdup (tmp_pathspec);
#endif
@@ -3833,11 +4804,25 @@ strendzap (char *str, const char *pat)
return str;
}
+void
+lt_debugprintf (const char *file, int line, const char *fmt, ...)
+{
+ va_list args;
+ if (lt_debug)
+ {
+ (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line);
+ va_start (args, fmt);
+ (void) vfprintf (stderr, fmt, args);
+ va_end (args);
+ }
+}
+
static void
-lt_error_core (int exit_status, const char *mode,
+lt_error_core (int exit_status, const char *file,
+ int line, const char *mode,
const char *message, va_list ap)
{
- fprintf (stderr, "%s: %s: ", program_name, mode);
+ fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode);
vfprintf (stderr, message, ap);
fprintf (stderr, ".\n");
@@ -3846,20 +4831,32 @@ lt_error_core (int exit_status, const char *mode,
}
void
-lt_fatal (const char *message, ...)
+lt_fatal (const char *file, int line, const char *message, ...)
{
va_list ap;
va_start (ap, message);
- lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+ lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap);
va_end (ap);
}
+static const char *
+nonnull (const char *s)
+{
+ return s ? s : "(null)";
+}
+
+static const char *
+nonempty (const char *s)
+{
+ return (s && !*s) ? "(empty)" : nonnull (s);
+}
+
void
lt_setenv (const char *name, const char *value)
{
- LTWRAPPER_DEBUGPRINTF (("(lt_setenv) setting '%s' to '%s'\n",
- (name ? name : "<NULL>"),
- (value ? value : "<NULL>")));
+ lt_debugprintf (__FILE__, __LINE__,
+ "(lt_setenv) setting '%s' to '%s'\n",
+ nonnull (name), nonnull (value));
{
#ifdef HAVE_SETENV
/* always make a copy, for consistency with !HAVE_SETENV */
@@ -3904,95 +4901,12 @@ lt_extend_str (const char *orig_value, const char *add, int to_end)
return new_value;
}
-int
-lt_split_name_value (const char *arg, char** name, char** value)
-{
- const char *p;
- int len;
- if (!arg || !*arg)
- return 1;
-
- p = strchr (arg, (int)'=');
-
- if (!p)
- return 1;
-
- *value = xstrdup (++p);
-
- len = strlen (arg) - strlen (*value);
- *name = XMALLOC (char, len);
- strncpy (*name, arg, len-1);
- (*name)[len - 1] = '\0';
-
- return 0;
-}
-
-void
-lt_opt_process_env_set (const char *arg)
-{
- char *name = NULL;
- char *value = NULL;
-
- if (lt_split_name_value (arg, &name, &value) != 0)
- {
- XFREE (name);
- XFREE (value);
- lt_fatal ("bad argument for %s: '%s'", env_set_opt, arg);
- }
-
- lt_setenv (name, value);
- XFREE (name);
- XFREE (value);
-}
-
-void
-lt_opt_process_env_prepend (const char *arg)
-{
- char *name = NULL;
- char *value = NULL;
- char *new_value = NULL;
-
- if (lt_split_name_value (arg, &name, &value) != 0)
- {
- XFREE (name);
- XFREE (value);
- lt_fatal ("bad argument for %s: '%s'", env_prepend_opt, arg);
- }
-
- new_value = lt_extend_str (getenv (name), value, 0);
- lt_setenv (name, new_value);
- XFREE (new_value);
- XFREE (name);
- XFREE (value);
-}
-
-void
-lt_opt_process_env_append (const char *arg)
-{
- char *name = NULL;
- char *value = NULL;
- char *new_value = NULL;
-
- if (lt_split_name_value (arg, &name, &value) != 0)
- {
- XFREE (name);
- XFREE (value);
- lt_fatal ("bad argument for %s: '%s'", env_append_opt, arg);
- }
-
- new_value = lt_extend_str (getenv (name), value, 1);
- lt_setenv (name, new_value);
- XFREE (new_value);
- XFREE (name);
- XFREE (value);
-}
-
void
lt_update_exe_path (const char *name, const char *value)
{
- LTWRAPPER_DEBUGPRINTF (("(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
- (name ? name : "<NULL>"),
- (value ? value : "<NULL>")));
+ lt_debugprintf (__FILE__, __LINE__,
+ "(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
+ nonnull (name), nonnull (value));
if (name && *name && value && *value)
{
@@ -4011,9 +4925,9 @@ lt_update_exe_path (const char *name, const char *value)
void
lt_update_lib_path (const char *name, const char *value)
{
- LTWRAPPER_DEBUGPRINTF (("(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
- (name ? name : "<NULL>"),
- (value ? value : "<NULL>")));
+ lt_debugprintf (__FILE__, __LINE__,
+ "(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
+ nonnull (name), nonnull (value));
if (name && *name && value && *value)
{
@@ -4023,11 +4937,158 @@ lt_update_lib_path (const char *name, const char *value)
}
}
+EOF
+ case $host_os in
+ mingw*)
+ cat <<"EOF"
+
+/* Prepares an argument vector before calling spawn().
+ Note that spawn() does not by itself call the command interpreter
+ (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") :
+ ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+ GetVersionEx(&v);
+ v.dwPlatformId == VER_PLATFORM_WIN32_NT;
+ }) ? "cmd.exe" : "command.com").
+ Instead it simply concatenates the arguments, separated by ' ', and calls
+ CreateProcess(). We must quote the arguments since Win32 CreateProcess()
+ interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a
+ special way:
+ - Space and tab are interpreted as delimiters. They are not treated as
+ delimiters if they are surrounded by double quotes: "...".
+ - Unescaped double quotes are removed from the input. Their only effect is
+ that within double quotes, space and tab are treated like normal
+ characters.
+ - Backslashes not followed by double quotes are not special.
+ - But 2*n+1 backslashes followed by a double quote become
+ n backslashes followed by a double quote (n >= 0):
+ \" -> "
+ \\\" -> \"
+ \\\\\" -> \\"
+ */
+#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+char **
+prepare_spawn (char **argv)
+{
+ size_t argc;
+ char **new_argv;
+ size_t i;
+
+ /* Count number of arguments. */
+ for (argc = 0; argv[argc] != NULL; argc++)
+ ;
+
+ /* Allocate new argument vector. */
+ new_argv = XMALLOC (char *, argc + 1);
+
+ /* Put quoted arguments into the new argument vector. */
+ for (i = 0; i < argc; i++)
+ {
+ const char *string = argv[i];
+ if (string[0] == '\0')
+ new_argv[i] = xstrdup ("\"\"");
+ else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL)
+ {
+ int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL);
+ size_t length;
+ unsigned int backslashes;
+ const char *s;
+ char *quoted_string;
+ char *p;
+
+ length = 0;
+ backslashes = 0;
+ if (quote_around)
+ length++;
+ for (s = string; *s != '\0'; s++)
+ {
+ char c = *s;
+ if (c == '"')
+ length += backslashes + 1;
+ length++;
+ if (c == '\\')
+ backslashes++;
+ else
+ backslashes = 0;
+ }
+ if (quote_around)
+ length += backslashes + 1;
+
+ quoted_string = XMALLOC (char, length + 1);
+
+ p = quoted_string;
+ backslashes = 0;
+ if (quote_around)
+ *p++ = '"';
+ for (s = string; *s != '\0'; s++)
+ {
+ char c = *s;
+ if (c == '"')
+ {
+ unsigned int j;
+ for (j = backslashes + 1; j > 0; j--)
+ *p++ = '\\';
+ }
+ *p++ = c;
+ if (c == '\\')
+ backslashes++;
+ else
+ backslashes = 0;
+ }
+ if (quote_around)
+ {
+ unsigned int j;
+ for (j = backslashes; j > 0; j--)
+ *p++ = '\\';
+ *p++ = '"';
+ }
+ *p = '\0';
+
+ new_argv[i] = quoted_string;
+ }
+ else
+ new_argv[i] = (char *) string;
+ }
+ new_argv[argc] = NULL;
+
+ return new_argv;
+}
+EOF
+ ;;
+ esac
+
+ cat <<"EOF"
+void lt_dump_script (FILE* f)
+{
+EOF
+ func_emit_wrapper yes |
+ $SED -n -e '
+s/^\(.\{79\}\)\(..*\)/\1\
+\2/
+h
+s/\([\\"]\)/\\\1/g
+s/$/\\n/
+s/\([^\n]*\).*/ fputs ("\1", f);/p
+g
+D'
+ cat <<"EOF"
+}
EOF
}
# end: func_emit_cwrapperexe_src
+# func_win32_import_lib_p ARG
+# True if ARG is an import lib, as indicated by $file_magic_cmd
+func_win32_import_lib_p ()
+{
+ $opt_debug
+ case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in
+ *import*) : ;;
+ *) false ;;
+ esac
+}
+
# func_mode_link arg...
func_mode_link ()
{
@@ -4072,6 +5133,7 @@ func_mode_link ()
new_inherited_linker_flags=
avoid_version=no
+ bindir=
dlfiles=
dlprefiles=
dlself=no
@@ -4164,6 +5226,11 @@ func_mode_link ()
esac
case $prev in
+ bindir)
+ bindir="$arg"
+ prev=
+ continue
+ ;;
dlfiles|dlprefiles)
if test "$preload" = no; then
# Add the symbol object into the linking commands.
@@ -4195,9 +5262,9 @@ func_mode_link ()
;;
*)
if test "$prev" = dlfiles; then
- dlfiles="$dlfiles $arg"
+ func_append dlfiles " $arg"
else
- dlprefiles="$dlprefiles $arg"
+ func_append dlprefiles " $arg"
fi
prev=
continue
@@ -4221,7 +5288,7 @@ func_mode_link ()
*-*-darwin*)
case "$deplibs " in
*" $qarg.ltframework "*) ;;
- *) deplibs="$deplibs $qarg.ltframework" # this is fixed later
+ *) func_append deplibs " $qarg.ltframework" # this is fixed later
;;
esac
;;
@@ -4240,7 +5307,7 @@ func_mode_link ()
moreargs=
for fil in `cat "$save_arg"`
do
-# moreargs="$moreargs $fil"
+# func_append moreargs " $fil"
arg=$fil
# A libtool-controlled object.
@@ -4269,7 +5336,7 @@ func_mode_link ()
if test "$prev" = dlfiles; then
if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
- dlfiles="$dlfiles $pic_object"
+ func_append dlfiles " $pic_object"
prev=
continue
else
@@ -4281,7 +5348,7 @@ func_mode_link ()
# CHECK ME: I think I busted this. -Ossama
if test "$prev" = dlprefiles; then
# Preload the old-style object.
- dlprefiles="$dlprefiles $pic_object"
+ func_append dlprefiles " $pic_object"
prev=
fi
@@ -4351,12 +5418,12 @@ func_mode_link ()
if test "$prev" = rpath; then
case "$rpath " in
*" $arg "*) ;;
- *) rpath="$rpath $arg" ;;
+ *) func_append rpath " $arg" ;;
esac
else
case "$xrpath " in
*" $arg "*) ;;
- *) xrpath="$xrpath $arg" ;;
+ *) func_append xrpath " $arg" ;;
esac
fi
prev=
@@ -4368,28 +5435,28 @@ func_mode_link ()
continue
;;
weak)
- weak_libs="$weak_libs $arg"
+ func_append weak_libs " $arg"
prev=
continue
;;
xcclinker)
- linker_flags="$linker_flags $qarg"
- compiler_flags="$compiler_flags $qarg"
+ func_append linker_flags " $qarg"
+ func_append compiler_flags " $qarg"
prev=
func_append compile_command " $qarg"
func_append finalize_command " $qarg"
continue
;;
xcompiler)
- compiler_flags="$compiler_flags $qarg"
+ func_append compiler_flags " $qarg"
prev=
func_append compile_command " $qarg"
func_append finalize_command " $qarg"
continue
;;
xlinker)
- linker_flags="$linker_flags $qarg"
- compiler_flags="$compiler_flags $wl$qarg"
+ func_append linker_flags " $qarg"
+ func_append compiler_flags " $wl$qarg"
prev=
func_append compile_command " $wl$qarg"
func_append finalize_command " $wl$qarg"
@@ -4425,6 +5492,11 @@ func_mode_link ()
continue
;;
+ -bindir)
+ prev=bindir
+ continue
+ ;;
+
-dlopen)
prev=dlfiles
continue
@@ -4475,15 +5547,16 @@ func_mode_link ()
;;
-L*)
- func_stripname '-L' '' "$arg"
- dir=$func_stripname_result
- if test -z "$dir"; then
+ func_stripname "-L" '' "$arg"
+ if test -z "$func_stripname_result"; then
if test "$#" -gt 0; then
func_fatal_error "require no space between \`-L' and \`$1'"
else
func_fatal_error "need path for \`-L' option"
fi
fi
+ func_resolve_sysroot "$func_stripname_result"
+ dir=$func_resolve_sysroot_result
# We need an absolute path.
case $dir in
[\\/]* | [A-Za-z]:[\\/]*) ;;
@@ -4495,24 +5568,30 @@ func_mode_link ()
;;
esac
case "$deplibs " in
- *" -L$dir "*) ;;
+ *" -L$dir "* | *" $arg "*)
+ # Will only happen for absolute or sysroot arguments
+ ;;
*)
- deplibs="$deplibs -L$dir"
- lib_search_path="$lib_search_path $dir"
+ # Preserve sysroot, but never include relative directories
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;;
+ *) func_append deplibs " -L$dir" ;;
+ esac
+ func_append lib_search_path " $dir"
;;
esac
case $host in
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
- testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'`
+ testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'`
case :$dllsearchpath: in
*":$dir:"*) ;;
::) dllsearchpath=$dir;;
- *) dllsearchpath="$dllsearchpath:$dir";;
+ *) func_append dllsearchpath ":$dir";;
esac
case :$dllsearchpath: in
*":$testbindir:"*) ;;
::) dllsearchpath=$testbindir;;
- *) dllsearchpath="$dllsearchpath:$testbindir";;
+ *) func_append dllsearchpath ":$testbindir";;
esac
;;
esac
@@ -4522,7 +5601,7 @@ func_mode_link ()
-l*)
if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc*)
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*)
# These systems don't actually have a C or math library (as such)
continue
;;
@@ -4536,7 +5615,7 @@ func_mode_link ()
;;
*-*-rhapsody* | *-*-darwin1.[012])
# Rhapsody C and math libraries are in the System framework
- deplibs="$deplibs System.ltframework"
+ func_append deplibs " System.ltframework"
continue
;;
*-*-sco3.2v5* | *-*-sco5v6*)
@@ -4556,7 +5635,7 @@ func_mode_link ()
;;
esac
fi
- deplibs="$deplibs $arg"
+ func_append deplibs " $arg"
continue
;;
@@ -4568,21 +5647,22 @@ func_mode_link ()
# Tru64 UNIX uses -model [arg] to determine the layout of C++
# classes, name mangling, and exception handling.
# Darwin uses the -arch flag to determine output architecture.
- -model|-arch|-isysroot)
- compiler_flags="$compiler_flags $arg"
+ -model|-arch|-isysroot|--sysroot)
+ func_append compiler_flags " $arg"
func_append compile_command " $arg"
func_append finalize_command " $arg"
prev=xcompiler
continue
;;
- -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
- compiler_flags="$compiler_flags $arg"
+ -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+ |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
+ func_append compiler_flags " $arg"
func_append compile_command " $arg"
func_append finalize_command " $arg"
case "$new_inherited_linker_flags " in
*" $arg "*) ;;
- * ) new_inherited_linker_flags="$new_inherited_linker_flags $arg" ;;
+ * ) func_append new_inherited_linker_flags " $arg" ;;
esac
continue
;;
@@ -4649,13 +5729,17 @@ func_mode_link ()
# We need an absolute path.
case $dir in
[\\/]* | [A-Za-z]:[\\/]*) ;;
+ =*)
+ func_stripname '=' '' "$dir"
+ dir=$lt_sysroot$func_stripname_result
+ ;;
*)
func_fatal_error "only absolute run-paths are allowed"
;;
esac
case "$xrpath " in
*" $dir "*) ;;
- *) xrpath="$xrpath $dir" ;;
+ *) func_append xrpath " $dir" ;;
esac
continue
;;
@@ -4708,8 +5792,8 @@ func_mode_link ()
for flag in $args; do
IFS="$save_ifs"
func_quote_for_eval "$flag"
- arg="$arg $wl$func_quote_for_eval_result"
- compiler_flags="$compiler_flags $func_quote_for_eval_result"
+ func_append arg " $func_quote_for_eval_result"
+ func_append compiler_flags " $func_quote_for_eval_result"
done
IFS="$save_ifs"
func_stripname ' ' '' "$arg"
@@ -4724,9 +5808,9 @@ func_mode_link ()
for flag in $args; do
IFS="$save_ifs"
func_quote_for_eval "$flag"
- arg="$arg $wl$func_quote_for_eval_result"
- compiler_flags="$compiler_flags $wl$func_quote_for_eval_result"
- linker_flags="$linker_flags $func_quote_for_eval_result"
+ func_append arg " $wl$func_quote_for_eval_result"
+ func_append compiler_flags " $wl$func_quote_for_eval_result"
+ func_append linker_flags " $func_quote_for_eval_result"
done
IFS="$save_ifs"
func_stripname ' ' '' "$arg"
@@ -4754,23 +5838,27 @@ func_mode_link ()
arg="$func_quote_for_eval_result"
;;
- # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
- # -r[0-9][0-9]* specifies the processor on the SGI compiler
- # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
- # +DA*, +DD* enable 64-bit mode on the HP compiler
- # -q* pass through compiler args for the IBM compiler
- # -m*, -t[45]*, -txscale* pass through architecture-specific
- # compiler args for GCC
- # -F/path gives path to uninstalled frameworks, gcc on darwin
- # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
- # @file GCC response files
+ # Flags to be passed through unchanged, with rationale:
+ # -64, -mips[0-9] enable 64-bit mode for the SGI compiler
+ # -r[0-9][0-9]* specify processor for the SGI compiler
+ # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler
+ # +DA*, +DD* enable 64-bit mode for the HP compiler
+ # -q* compiler args for the IBM compiler
+ # -m*, -t[45]*, -txscale* architecture-specific flags for GCC
+ # -F/path path to uninstalled frameworks, gcc on darwin
+ # -p, -pg, --coverage, -fprofile-* profiling flags for GCC
+ # @file GCC response files
+ # -tp=* Portland pgcc target processor selection
+ # --sysroot=* for sysroot support
+ # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
-64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
- -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+ -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
+ -O*|-flto*|-fwhopr*|-fuse-linker-plugin)
func_quote_for_eval "$arg"
arg="$func_quote_for_eval_result"
func_append compile_command " $arg"
func_append finalize_command " $arg"
- compiler_flags="$compiler_flags $arg"
+ func_append compiler_flags " $arg"
continue
;;
@@ -4782,7 +5870,7 @@ func_mode_link ()
*.$objext)
# A standard object.
- objs="$objs $arg"
+ func_append objs " $arg"
;;
*.lo)
@@ -4813,7 +5901,7 @@ func_mode_link ()
if test "$prev" = dlfiles; then
if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
- dlfiles="$dlfiles $pic_object"
+ func_append dlfiles " $pic_object"
prev=
continue
else
@@ -4825,7 +5913,7 @@ func_mode_link ()
# CHECK ME: I think I busted this. -Ossama
if test "$prev" = dlprefiles; then
# Preload the old-style object.
- dlprefiles="$dlprefiles $pic_object"
+ func_append dlprefiles " $pic_object"
prev=
fi
@@ -4870,24 +5958,25 @@ func_mode_link ()
*.$libext)
# An archive.
- deplibs="$deplibs $arg"
- old_deplibs="$old_deplibs $arg"
+ func_append deplibs " $arg"
+ func_append old_deplibs " $arg"
continue
;;
*.la)
# A libtool-controlled library.
+ func_resolve_sysroot "$arg"
if test "$prev" = dlfiles; then
# This library was specified with -dlopen.
- dlfiles="$dlfiles $arg"
+ func_append dlfiles " $func_resolve_sysroot_result"
prev=
elif test "$prev" = dlprefiles; then
# The library was specified with -dlpreopen.
- dlprefiles="$dlprefiles $arg"
+ func_append dlprefiles " $func_resolve_sysroot_result"
prev=
else
- deplibs="$deplibs $arg"
+ func_append deplibs " $func_resolve_sysroot_result"
fi
continue
;;
@@ -4925,7 +6014,7 @@ func_mode_link ()
if test -n "$shlibpath_var"; then
# get the directories listed in $shlibpath_var
- eval shlib_search_path=\`\$ECHO \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+ eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\`
else
shlib_search_path=
fi
@@ -4934,6 +6023,8 @@ func_mode_link ()
func_dirname "$output" "/" ""
output_objdir="$func_dirname_result$objdir"
+ func_to_tool_file "$output_objdir/"
+ tool_output_objdir=$func_to_tool_file_result
# Create the object directory.
func_mkdir_p "$output_objdir"
@@ -4954,12 +6045,12 @@ func_mode_link ()
# Find all interdependent deplibs by searching for libraries
# that are linked more than once (e.g. -la -lb -la)
for deplib in $deplibs; do
- if $opt_duplicate_deps ; then
+ if $opt_preserve_dup_deps ; then
case "$libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ *" $deplib "*) func_append specialdeplibs " $deplib" ;;
esac
fi
- libs="$libs $deplib"
+ func_append libs " $deplib"
done
if test "$linkmode" = lib; then
@@ -4972,9 +6063,9 @@ func_mode_link ()
if $opt_duplicate_compiler_generated_deps; then
for pre_post_dep in $predeps $postdeps; do
case "$pre_post_deps " in
- *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+ *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;;
esac
- pre_post_deps="$pre_post_deps $pre_post_dep"
+ func_append pre_post_deps " $pre_post_dep"
done
fi
pre_post_deps=
@@ -5044,17 +6135,19 @@ func_mode_link ()
for lib in $dlprefiles; do
# Ignore non-libtool-libs
dependency_libs=
+ func_resolve_sysroot "$lib"
case $lib in
- *.la) func_source "$lib" ;;
+ *.la) func_source "$func_resolve_sysroot_result" ;;
esac
# Collect preopened libtool deplibs, except any this library
# has declared as weak libs
for deplib in $dependency_libs; do
- deplib_base=`$ECHO "X$deplib" | $Xsed -e "$basename"`
+ func_basename "$deplib"
+ deplib_base=$func_basename_result
case " $weak_libs " in
*" $deplib_base "*) ;;
- *) deplibs="$deplibs $deplib" ;;
+ *) func_append deplibs " $deplib" ;;
esac
done
done
@@ -5070,16 +6163,17 @@ func_mode_link ()
lib=
found=no
case $deplib in
- -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+ -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+ |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
if test "$linkmode,$pass" = "prog,link"; then
compile_deplibs="$deplib $compile_deplibs"
finalize_deplibs="$deplib $finalize_deplibs"
else
- compiler_flags="$compiler_flags $deplib"
+ func_append compiler_flags " $deplib"
if test "$linkmode" = lib ; then
case "$new_inherited_linker_flags " in
*" $deplib "*) ;;
- * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+ * ) func_append new_inherited_linker_flags " $deplib" ;;
esac
fi
fi
@@ -5164,7 +6258,7 @@ func_mode_link ()
if test "$linkmode" = lib ; then
case "$new_inherited_linker_flags " in
*" $deplib "*) ;;
- * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+ * ) func_append new_inherited_linker_flags " $deplib" ;;
esac
fi
fi
@@ -5177,7 +6271,8 @@ func_mode_link ()
test "$pass" = conv && continue
newdependency_libs="$deplib $newdependency_libs"
func_stripname '-L' '' "$deplib"
- newlib_search_path="$newlib_search_path $func_stripname_result"
+ func_resolve_sysroot "$func_stripname_result"
+ func_append newlib_search_path " $func_resolve_sysroot_result"
;;
prog)
if test "$pass" = conv; then
@@ -5191,7 +6286,8 @@ func_mode_link ()
finalize_deplibs="$deplib $finalize_deplibs"
fi
func_stripname '-L' '' "$deplib"
- newlib_search_path="$newlib_search_path $func_stripname_result"
+ func_resolve_sysroot "$func_stripname_result"
+ func_append newlib_search_path " $func_resolve_sysroot_result"
;;
*)
func_warning "\`-L' is ignored for archives/objects"
@@ -5202,17 +6298,21 @@ func_mode_link ()
-R*)
if test "$pass" = link; then
func_stripname '-R' '' "$deplib"
- dir=$func_stripname_result
+ func_resolve_sysroot "$func_stripname_result"
+ dir=$func_resolve_sysroot_result
# Make sure the xrpath contains only unique directories.
case "$xrpath " in
*" $dir "*) ;;
- *) xrpath="$xrpath $dir" ;;
+ *) func_append xrpath " $dir" ;;
esac
fi
deplibs="$deplib $deplibs"
continue
;;
- *.la) lib="$deplib" ;;
+ *.la)
+ func_resolve_sysroot "$deplib"
+ lib=$func_resolve_sysroot_result
+ ;;
*.$libext)
if test "$pass" = conv; then
deplibs="$deplib $deplibs"
@@ -5230,7 +6330,7 @@ func_mode_link ()
match_pattern*)
set dummy $deplibs_check_method; shift
match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
- if eval "\$ECHO \"X$deplib\"" 2>/dev/null | $Xsed -e 10q \
+ if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \
| $EGREP "$match_pattern_regex" > /dev/null; then
valid_a_lib=yes
fi
@@ -5240,15 +6340,15 @@ func_mode_link ()
;;
esac
if test "$valid_a_lib" != yes; then
- $ECHO
+ echo
$ECHO "*** Warning: Trying to link with static lib archive $deplib."
- $ECHO "*** I have the capability to make that library automatically link in when"
- $ECHO "*** you link to this library. But I can only do this if you have a"
- $ECHO "*** shared version of the library, which you do not appear to have"
- $ECHO "*** because the file extensions .$libext of this argument makes me believe"
- $ECHO "*** that it is just a static archive that I should not use here."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have"
+ echo "*** because the file extensions .$libext of this argument makes me believe"
+ echo "*** that it is just a static archive that I should not use here."
else
- $ECHO
+ echo
$ECHO "*** Warning: Linking the shared library $output against the"
$ECHO "*** static library $deplib is not portable!"
deplibs="$deplib $deplibs"
@@ -5275,11 +6375,11 @@ func_mode_link ()
if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
# If there is no dlopen support or we're linking statically,
# we need to preload.
- newdlprefiles="$newdlprefiles $deplib"
+ func_append newdlprefiles " $deplib"
compile_deplibs="$deplib $compile_deplibs"
finalize_deplibs="$deplib $finalize_deplibs"
else
- newdlfiles="$newdlfiles $deplib"
+ func_append newdlfiles " $deplib"
fi
fi
continue
@@ -5321,20 +6421,20 @@ func_mode_link ()
# Convert "-framework foo" to "foo.ltframework"
if test -n "$inherited_linker_flags"; then
- tmp_inherited_linker_flags=`$ECHO "X$inherited_linker_flags" | $Xsed -e 's/-framework \([^ $]*\)/\1.ltframework/g'`
+ tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'`
for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do
case " $new_inherited_linker_flags " in
*" $tmp_inherited_linker_flag "*) ;;
- *) new_inherited_linker_flags="$new_inherited_linker_flags $tmp_inherited_linker_flag";;
+ *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";;
esac
done
fi
- dependency_libs=`$ECHO "X $dependency_libs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+ dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
if test "$linkmode,$pass" = "lib,link" ||
test "$linkmode,$pass" = "prog,scan" ||
{ test "$linkmode" != prog && test "$linkmode" != lib; }; then
- test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
- test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+ test -n "$dlopen" && func_append dlfiles " $dlopen"
+ test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen"
fi
if test "$pass" = conv; then
@@ -5345,17 +6445,17 @@ func_mode_link ()
func_fatal_error "cannot find name of link library for \`$lib'"
fi
# It is a libtool convenience library, so add in its objects.
- convenience="$convenience $ladir/$objdir/$old_library"
- old_convenience="$old_convenience $ladir/$objdir/$old_library"
+ func_append convenience " $ladir/$objdir/$old_library"
+ func_append old_convenience " $ladir/$objdir/$old_library"
tmp_libs=
for deplib in $dependency_libs; do
deplibs="$deplib $deplibs"
- if $opt_duplicate_deps ; then
+ if $opt_preserve_dup_deps ; then
case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ *" $deplib "*) func_append specialdeplibs " $deplib" ;;
esac
fi
- tmp_libs="$tmp_libs $deplib"
+ func_append tmp_libs " $deplib"
done
elif test "$linkmode" != prog && test "$linkmode" != lib; then
func_fatal_error "\`$lib' is not a convenience library"
@@ -5366,9 +6466,15 @@ func_mode_link ()
# Get the name of the library we link against.
linklib=
- for l in $old_library $library_names; do
- linklib="$l"
- done
+ if test -n "$old_library" &&
+ { test "$prefer_static_libs" = yes ||
+ test "$prefer_static_libs,$installed" = "built,no"; }; then
+ linklib=$old_library
+ else
+ for l in $old_library $library_names; do
+ linklib="$l"
+ done
+ fi
if test -z "$linklib"; then
func_fatal_error "cannot find name of link library for \`$lib'"
fi
@@ -5385,9 +6491,9 @@ func_mode_link ()
# statically, we need to preload. We also need to preload any
# dependent libraries so libltdl's deplib preloader doesn't
# bomb out in the load deplibs phase.
- dlprefiles="$dlprefiles $lib $dependency_libs"
+ func_append dlprefiles " $lib $dependency_libs"
else
- newdlfiles="$newdlfiles $lib"
+ func_append newdlfiles " $lib"
fi
continue
fi # $pass = dlopen
@@ -5409,14 +6515,14 @@ func_mode_link ()
# Find the relevant object directory and library name.
if test "X$installed" = Xyes; then
- if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+ if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
func_warning "library \`$lib' was moved."
dir="$ladir"
absdir="$abs_ladir"
libdir="$abs_ladir"
else
- dir="$libdir"
- absdir="$libdir"
+ dir="$lt_sysroot$libdir"
+ absdir="$lt_sysroot$libdir"
fi
test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
else
@@ -5424,12 +6530,12 @@ func_mode_link ()
dir="$ladir"
absdir="$abs_ladir"
# Remove this search path later
- notinst_path="$notinst_path $abs_ladir"
+ func_append notinst_path " $abs_ladir"
else
dir="$ladir/$objdir"
absdir="$abs_ladir/$objdir"
# Remove this search path later
- notinst_path="$notinst_path $abs_ladir"
+ func_append notinst_path " $abs_ladir"
fi
fi # $installed = yes
func_stripname 'lib' '.la' "$laname"
@@ -5440,20 +6546,46 @@ func_mode_link ()
if test -z "$libdir" && test "$linkmode" = prog; then
func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'"
fi
- # Prefer using a static library (so that no silly _DYNAMIC symbols
- # are required to link).
- if test -n "$old_library"; then
- newdlprefiles="$newdlprefiles $dir/$old_library"
- # Keep a list of preopened convenience libraries to check
- # that they are being used correctly in the link pass.
- test -z "$libdir" && \
- dlpreconveniencelibs="$dlpreconveniencelibs $dir/$old_library"
- # Otherwise, use the dlname, so that lt_dlopen finds it.
- elif test -n "$dlname"; then
- newdlprefiles="$newdlprefiles $dir/$dlname"
- else
- newdlprefiles="$newdlprefiles $dir/$linklib"
- fi
+ case "$host" in
+ # special handling for platforms with PE-DLLs.
+ *cygwin* | *mingw* | *cegcc* )
+ # Linker will automatically link against shared library if both
+ # static and shared are present. Therefore, ensure we extract
+ # symbols from the import library if a shared library is present
+ # (otherwise, the dlopen module name will be incorrect). We do
+ # this by putting the import library name into $newdlprefiles.
+ # We recover the dlopen module name by 'saving' the la file
+ # name in a special purpose variable, and (later) extracting the
+ # dlname from the la file.
+ if test -n "$dlname"; then
+ func_tr_sh "$dir/$linklib"
+ eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname"
+ func_append newdlprefiles " $dir/$linklib"
+ else
+ func_append newdlprefiles " $dir/$old_library"
+ # Keep a list of preopened convenience libraries to check
+ # that they are being used correctly in the link pass.
+ test -z "$libdir" && \
+ func_append dlpreconveniencelibs " $dir/$old_library"
+ fi
+ ;;
+ * )
+ # Prefer using a static library (so that no silly _DYNAMIC symbols
+ # are required to link).
+ if test -n "$old_library"; then
+ func_append newdlprefiles " $dir/$old_library"
+ # Keep a list of preopened convenience libraries to check
+ # that they are being used correctly in the link pass.
+ test -z "$libdir" && \
+ func_append dlpreconveniencelibs " $dir/$old_library"
+ # Otherwise, use the dlname, so that lt_dlopen finds it.
+ elif test -n "$dlname"; then
+ func_append newdlprefiles " $dir/$dlname"
+ else
+ func_append newdlprefiles " $dir/$linklib"
+ fi
+ ;;
+ esac
fi # $pass = dlpreopen
if test -z "$libdir"; then
@@ -5471,7 +6603,7 @@ func_mode_link ()
if test "$linkmode" = prog && test "$pass" != link; then
- newlib_search_path="$newlib_search_path $ladir"
+ func_append newlib_search_path " $ladir"
deplibs="$lib $deplibs"
linkalldeplibs=no
@@ -5484,7 +6616,8 @@ func_mode_link ()
for deplib in $dependency_libs; do
case $deplib in
-L*) func_stripname '-L' '' "$deplib"
- newlib_search_path="$newlib_search_path $func_stripname_result"
+ func_resolve_sysroot "$func_stripname_result"
+ func_append newlib_search_path " $func_resolve_sysroot_result"
;;
esac
# Need to link against all dependency_libs?
@@ -5495,12 +6628,12 @@ func_mode_link ()
# or/and link against static libraries
newdependency_libs="$deplib $newdependency_libs"
fi
- if $opt_duplicate_deps ; then
+ if $opt_preserve_dup_deps ; then
case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ *" $deplib "*) func_append specialdeplibs " $deplib" ;;
esac
fi
- tmp_libs="$tmp_libs $deplib"
+ func_append tmp_libs " $deplib"
done # for deplib
continue
fi # $linkmode = prog...
@@ -5515,7 +6648,7 @@ func_mode_link ()
# Make sure the rpath contains only unique directories.
case "$temp_rpath:" in
*"$absdir:"*) ;;
- *) temp_rpath="$temp_rpath$absdir:" ;;
+ *) func_append temp_rpath "$absdir:" ;;
esac
fi
@@ -5527,7 +6660,7 @@ func_mode_link ()
*)
case "$compile_rpath " in
*" $absdir "*) ;;
- *) compile_rpath="$compile_rpath $absdir"
+ *) func_append compile_rpath " $absdir" ;;
esac
;;
esac
@@ -5536,7 +6669,7 @@ func_mode_link ()
*)
case "$finalize_rpath " in
*" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir"
+ *) func_append finalize_rpath " $libdir" ;;
esac
;;
esac
@@ -5561,12 +6694,12 @@ func_mode_link ()
case $host in
*cygwin* | *mingw* | *cegcc*)
# No point in relinking DLLs because paths are not encoded
- notinst_deplibs="$notinst_deplibs $lib"
+ func_append notinst_deplibs " $lib"
need_relink=no
;;
*)
if test "$installed" = no; then
- notinst_deplibs="$notinst_deplibs $lib"
+ func_append notinst_deplibs " $lib"
need_relink=yes
fi
;;
@@ -5583,7 +6716,7 @@ func_mode_link ()
fi
done
if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then
- $ECHO
+ echo
if test "$linkmode" = prog; then
$ECHO "*** Warning: Linking the executable $output against the loadable module"
else
@@ -5601,7 +6734,7 @@ func_mode_link ()
*)
case "$compile_rpath " in
*" $absdir "*) ;;
- *) compile_rpath="$compile_rpath $absdir"
+ *) func_append compile_rpath " $absdir" ;;
esac
;;
esac
@@ -5610,7 +6743,7 @@ func_mode_link ()
*)
case "$finalize_rpath " in
*" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir"
+ *) func_append finalize_rpath " $libdir" ;;
esac
;;
esac
@@ -5664,7 +6797,7 @@ func_mode_link ()
linklib=$newlib
fi # test -n "$old_archive_from_expsyms_cmds"
- if test "$linkmode" = prog || test "$mode" != relink; then
+ if test "$linkmode" = prog || test "$opt_mode" != relink; then
add_shlibpath=
add_dir=
add=
@@ -5686,9 +6819,9 @@ func_mode_link ()
if test "X$dlopenmodule" != "X$lib"; then
$ECHO "*** Warning: lib $linklib is a module, not a shared library"
if test -z "$old_library" ; then
- $ECHO
- $ECHO "*** And there doesn't seem to be a static archive available"
- $ECHO "*** The link will probably fail, sorry"
+ echo
+ echo "*** And there doesn't seem to be a static archive available"
+ echo "*** The link will probably fail, sorry"
else
add="$dir/$old_library"
fi
@@ -5715,12 +6848,12 @@ func_mode_link ()
test "$hardcode_direct_absolute" = no; then
add="$dir/$linklib"
elif test "$hardcode_minus_L" = yes; then
- add_dir="-L$dir"
+ add_dir="-L$absdir"
# Try looking first in the location we're being installed to.
if test -n "$inst_prefix_dir"; then
case $libdir in
[\\/]*)
- add_dir="$add_dir -L$inst_prefix_dir$libdir"
+ func_append add_dir " -L$inst_prefix_dir$libdir"
;;
esac
fi
@@ -5742,7 +6875,7 @@ func_mode_link ()
if test -n "$add_shlibpath"; then
case :$compile_shlibpath: in
*":$add_shlibpath:"*) ;;
- *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+ *) func_append compile_shlibpath "$add_shlibpath:" ;;
esac
fi
if test "$linkmode" = prog; then
@@ -5756,13 +6889,13 @@ func_mode_link ()
test "$hardcode_shlibpath_var" = yes; then
case :$finalize_shlibpath: in
*":$libdir:"*) ;;
- *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ *) func_append finalize_shlibpath "$libdir:" ;;
esac
fi
fi
fi
- if test "$linkmode" = prog || test "$mode" = relink; then
+ if test "$linkmode" = prog || test "$opt_mode" = relink; then
add_shlibpath=
add_dir=
add=
@@ -5776,7 +6909,7 @@ func_mode_link ()
elif test "$hardcode_shlibpath_var" = yes; then
case :$finalize_shlibpath: in
*":$libdir:"*) ;;
- *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ *) func_append finalize_shlibpath "$libdir:" ;;
esac
add="-l$name"
elif test "$hardcode_automatic" = yes; then
@@ -5793,7 +6926,7 @@ func_mode_link ()
if test -n "$inst_prefix_dir"; then
case $libdir in
[\\/]*)
- add_dir="$add_dir -L$inst_prefix_dir$libdir"
+ func_append add_dir " -L$inst_prefix_dir$libdir"
;;
esac
fi
@@ -5828,21 +6961,21 @@ func_mode_link ()
# Just print a warning and add the library to dependency_libs so
# that the program can be linked against the static library.
- $ECHO
+ echo
$ECHO "*** Warning: This system can not link to static lib archive $lib."
- $ECHO "*** I have the capability to make that library automatically link in when"
- $ECHO "*** you link to this library. But I can only do this if you have a"
- $ECHO "*** shared version of the library, which you do not appear to have."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
if test "$module" = yes; then
- $ECHO "*** But as you try to build a module library, libtool will still create "
- $ECHO "*** a static module, that should work as long as the dlopening application"
- $ECHO "*** is linked with the -dlopen flag to resolve symbols at runtime."
+ echo "*** But as you try to build a module library, libtool will still create "
+ echo "*** a static module, that should work as long as the dlopening application"
+ echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
if test -z "$global_symbol_pipe"; then
- $ECHO
- $ECHO "*** However, this would only work if libtool was able to extract symbol"
- $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
- $ECHO "*** not find such a program. So, this module is probably useless."
- $ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+ echo
+ echo "*** However, this would only work if libtool was able to extract symbol"
+ echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ echo "*** not find such a program. So, this module is probably useless."
+ echo "*** \`nm' from GNU binutils and a full rebuild may help."
fi
if test "$build_old_libs" = no; then
build_libtool_libs=module
@@ -5870,27 +7003,33 @@ func_mode_link ()
temp_xrpath=$func_stripname_result
case " $xrpath " in
*" $temp_xrpath "*) ;;
- *) xrpath="$xrpath $temp_xrpath";;
+ *) func_append xrpath " $temp_xrpath";;
esac;;
- *) temp_deplibs="$temp_deplibs $libdir";;
+ *) func_append temp_deplibs " $libdir";;
esac
done
dependency_libs="$temp_deplibs"
fi
- newlib_search_path="$newlib_search_path $absdir"
+ func_append newlib_search_path " $absdir"
# Link against this library
test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
# ... and its dependency_libs
tmp_libs=
for deplib in $dependency_libs; do
newdependency_libs="$deplib $newdependency_libs"
- if $opt_duplicate_deps ; then
+ case $deplib in
+ -L*) func_stripname '-L' '' "$deplib"
+ func_resolve_sysroot "$func_stripname_result";;
+ *) func_resolve_sysroot "$deplib" ;;
+ esac
+ if $opt_preserve_dup_deps ; then
case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ *" $func_resolve_sysroot_result "*)
+ func_append specialdeplibs " $func_resolve_sysroot_result" ;;
esac
fi
- tmp_libs="$tmp_libs $deplib"
+ func_append tmp_libs " $func_resolve_sysroot_result"
done
if test "$link_all_deplibs" != no; then
@@ -5900,8 +7039,10 @@ func_mode_link ()
case $deplib in
-L*) path="$deplib" ;;
*.la)
+ func_resolve_sysroot "$deplib"
+ deplib=$func_resolve_sysroot_result
func_dirname "$deplib" "" "."
- dir="$func_dirname_result"
+ dir=$func_dirname_result
# We need an absolute path.
case $dir in
[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
@@ -5928,8 +7069,8 @@ func_mode_link ()
if test -z "$darwin_install_name"; then
darwin_install_name=`${OTOOL64} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'`
fi
- compiler_flags="$compiler_flags ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
- linker_flags="$linker_flags -dylib_file ${darwin_install_name}:${depdepl}"
+ func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
+ func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}"
path=
fi
fi
@@ -5962,7 +7103,7 @@ func_mode_link ()
compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
else
- compiler_flags="$compiler_flags "`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+ compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
fi
fi
dependency_libs="$newdependency_libs"
@@ -5979,7 +7120,7 @@ func_mode_link ()
for dir in $newlib_search_path; do
case "$lib_search_path " in
*" $dir "*) ;;
- *) lib_search_path="$lib_search_path $dir" ;;
+ *) func_append lib_search_path " $dir" ;;
esac
done
newlib_search_path=
@@ -6037,10 +7178,10 @@ func_mode_link ()
-L*)
case " $tmp_libs " in
*" $deplib "*) ;;
- *) tmp_libs="$tmp_libs $deplib" ;;
+ *) func_append tmp_libs " $deplib" ;;
esac
;;
- *) tmp_libs="$tmp_libs $deplib" ;;
+ *) func_append tmp_libs " $deplib" ;;
esac
done
eval $var=\"$tmp_libs\"
@@ -6056,7 +7197,7 @@ func_mode_link ()
;;
esac
if test -n "$i" ; then
- tmp_libs="$tmp_libs $i"
+ func_append tmp_libs " $i"
fi
done
dependency_libs=$tmp_libs
@@ -6097,7 +7238,7 @@ func_mode_link ()
# Now set the variables for building old libraries.
build_libtool_libs=no
oldlibs="$output"
- objs="$objs$old_deplibs"
+ func_append objs "$old_deplibs"
;;
lib)
@@ -6130,10 +7271,10 @@ func_mode_link ()
if test "$deplibs_check_method" != pass_all; then
func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs"
else
- $ECHO
+ echo
$ECHO "*** Warning: Linking the shared library $output against the non-libtool"
$ECHO "*** objects $objs is not portable!"
- libobjs="$libobjs $objs"
+ func_append libobjs " $objs"
fi
fi
@@ -6192,13 +7333,14 @@ func_mode_link ()
# which has an extra 1 added just for fun
#
case $version_type in
+ # correct linux to gnu/linux during the next big refactor
darwin|linux|osf|windows|none)
func_arith $number_major + $number_minor
current=$func_arith_result
age="$number_minor"
revision="$number_revision"
;;
- freebsd-aout|freebsd-elf|sunos)
+ freebsd-aout|freebsd-elf|qnx|sunos)
current="$number_major"
revision="$number_minor"
age="0"
@@ -6311,7 +7453,7 @@ func_mode_link ()
versuffix="$major.$revision"
;;
- linux)
+ linux) # correct to gnu/linux during the next big refactor
func_arith $current - $age
major=.$func_arith_result
versuffix="$major.$age.$revision"
@@ -6334,7 +7476,7 @@ func_mode_link ()
done
# Make executables depend on our current version.
- verstring="$verstring:${current}.0"
+ func_append verstring ":${current}.0"
;;
qnx)
@@ -6402,10 +7544,10 @@ func_mode_link ()
fi
func_generate_dlsyms "$libname" "$libname" "yes"
- libobjs="$libobjs $symfileobj"
+ func_append libobjs " $symfileobj"
test "X$libobjs" = "X " && libobjs=
- if test "$mode" != relink; then
+ if test "$opt_mode" != relink; then
# Remove our outputs, but don't remove object files since they
# may have been created when compiling PIC objects.
removelist=
@@ -6421,7 +7563,7 @@ func_mode_link ()
continue
fi
fi
- removelist="$removelist $p"
+ func_append removelist " $p"
;;
*) ;;
esac
@@ -6432,27 +7574,28 @@ func_mode_link ()
# Now set the variables for building old libraries.
if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
- oldlibs="$oldlibs $output_objdir/$libname.$libext"
+ func_append oldlibs " $output_objdir/$libname.$libext"
# Transform .lo files to .o files.
- oldobjs="$objs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+ oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP`
fi
# Eliminate all temporary directories.
#for path in $notinst_path; do
- # lib_search_path=`$ECHO "X$lib_search_path " | $Xsed -e "s% $path % %g"`
- # deplibs=`$ECHO "X$deplibs " | $Xsed -e "s% -L$path % %g"`
- # dependency_libs=`$ECHO "X$dependency_libs " | $Xsed -e "s% -L$path % %g"`
+ # lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"`
+ # deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"`
+ # dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"`
#done
if test -n "$xrpath"; then
# If the user specified any rpath flags, then add them.
temp_xrpath=
for libdir in $xrpath; do
- temp_xrpath="$temp_xrpath -R$libdir"
+ func_replace_sysroot "$libdir"
+ func_append temp_xrpath " -R$func_replace_sysroot_result"
case "$finalize_rpath " in
*" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir" ;;
+ *) func_append finalize_rpath " $libdir" ;;
esac
done
if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
@@ -6466,7 +7609,7 @@ func_mode_link ()
for lib in $old_dlfiles; do
case " $dlprefiles $dlfiles " in
*" $lib "*) ;;
- *) dlfiles="$dlfiles $lib" ;;
+ *) func_append dlfiles " $lib" ;;
esac
done
@@ -6476,19 +7619,19 @@ func_mode_link ()
for lib in $old_dlprefiles; do
case "$dlprefiles " in
*" $lib "*) ;;
- *) dlprefiles="$dlprefiles $lib" ;;
+ *) func_append dlprefiles " $lib" ;;
esac
done
if test "$build_libtool_libs" = yes; then
if test -n "$rpath"; then
case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc*)
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*)
# these systems don't actually have a c library (as such)!
;;
*-*-rhapsody* | *-*-darwin1.[012])
# Rhapsody C library is in the System framework
- deplibs="$deplibs System.ltframework"
+ func_append deplibs " System.ltframework"
;;
*-*-netbsd*)
# Don't link with libc until the a.out ld.so is fixed.
@@ -6505,7 +7648,7 @@ func_mode_link ()
*)
# Add libc to deplibs on all other systems if necessary.
if test "$build_libtool_need_lc" = "yes"; then
- deplibs="$deplibs -lc"
+ func_append deplibs " -lc"
fi
;;
esac
@@ -6554,7 +7697,7 @@ EOF
if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
case " $predeps $postdeps " in
*" $i "*)
- newdeplibs="$newdeplibs $i"
+ func_append newdeplibs " $i"
i=""
;;
esac
@@ -6565,21 +7708,21 @@ EOF
set dummy $deplib_matches; shift
deplib_match=$1
if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
- newdeplibs="$newdeplibs $i"
+ func_append newdeplibs " $i"
else
droppeddeps=yes
- $ECHO
+ echo
$ECHO "*** Warning: dynamic linker does not accept needed library $i."
- $ECHO "*** I have the capability to make that library automatically link in when"
- $ECHO "*** you link to this library. But I can only do this if you have a"
- $ECHO "*** shared version of the library, which I believe you do not have"
- $ECHO "*** because a test_compile did reveal that the linker did not use it for"
- $ECHO "*** its dynamic dependency list that programs get resolved with at runtime."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which I believe you do not have"
+ echo "*** because a test_compile did reveal that the linker did not use it for"
+ echo "*** its dynamic dependency list that programs get resolved with at runtime."
fi
fi
;;
*)
- newdeplibs="$newdeplibs $i"
+ func_append newdeplibs " $i"
;;
esac
done
@@ -6597,7 +7740,7 @@ EOF
if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
case " $predeps $postdeps " in
*" $i "*)
- newdeplibs="$newdeplibs $i"
+ func_append newdeplibs " $i"
i=""
;;
esac
@@ -6608,29 +7751,29 @@ EOF
set dummy $deplib_matches; shift
deplib_match=$1
if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
- newdeplibs="$newdeplibs $i"
+ func_append newdeplibs " $i"
else
droppeddeps=yes
- $ECHO
+ echo
$ECHO "*** Warning: dynamic linker does not accept needed library $i."
- $ECHO "*** I have the capability to make that library automatically link in when"
- $ECHO "*** you link to this library. But I can only do this if you have a"
- $ECHO "*** shared version of the library, which you do not appear to have"
- $ECHO "*** because a test_compile did reveal that the linker did not use this one"
- $ECHO "*** as a dynamic dependency that programs can get resolved with at runtime."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have"
+ echo "*** because a test_compile did reveal that the linker did not use this one"
+ echo "*** as a dynamic dependency that programs can get resolved with at runtime."
fi
fi
else
droppeddeps=yes
- $ECHO
+ echo
$ECHO "*** Warning! Library $i is needed by this library but I was not able to"
- $ECHO "*** make it link in! You will probably need to install it or some"
- $ECHO "*** library that it depends on before this library will be fully"
- $ECHO "*** functional. Installing it before continuing would be even better."
+ echo "*** make it link in! You will probably need to install it or some"
+ echo "*** library that it depends on before this library will be fully"
+ echo "*** functional. Installing it before continuing would be even better."
fi
;;
*)
- newdeplibs="$newdeplibs $i"
+ func_append newdeplibs " $i"
;;
esac
done
@@ -6647,15 +7790,27 @@ EOF
if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
case " $predeps $postdeps " in
*" $a_deplib "*)
- newdeplibs="$newdeplibs $a_deplib"
+ func_append newdeplibs " $a_deplib"
a_deplib=""
;;
esac
fi
if test -n "$a_deplib" ; then
libname=`eval "\\$ECHO \"$libname_spec\""`
+ if test -n "$file_magic_glob"; then
+ libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob`
+ else
+ libnameglob=$libname
+ fi
+ test "$want_nocaseglob" = yes && nocaseglob=`shopt -p nocaseglob`
for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
- potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ if test "$want_nocaseglob" = yes; then
+ shopt -s nocaseglob
+ potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+ $nocaseglob
+ else
+ potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+ fi
for potent_lib in $potential_libs; do
# Follow soft links.
if ls -lLd "$potent_lib" 2>/dev/null |
@@ -6672,13 +7827,13 @@ EOF
potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
case $potliblink in
[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
- *) potlib=`$ECHO "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+ *) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";;
esac
done
if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
$SED -e 10q |
$EGREP "$file_magic_regex" > /dev/null; then
- newdeplibs="$newdeplibs $a_deplib"
+ func_append newdeplibs " $a_deplib"
a_deplib=""
break 2
fi
@@ -6687,12 +7842,12 @@ EOF
fi
if test -n "$a_deplib" ; then
droppeddeps=yes
- $ECHO
+ echo
$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
- $ECHO "*** I have the capability to make that library automatically link in when"
- $ECHO "*** you link to this library. But I can only do this if you have a"
- $ECHO "*** shared version of the library, which you do not appear to have"
- $ECHO "*** because I did check the linker path looking for a file starting"
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have"
+ echo "*** because I did check the linker path looking for a file starting"
if test -z "$potlib" ; then
$ECHO "*** with $libname but no candidates were found. (...for file magic test)"
else
@@ -6703,7 +7858,7 @@ EOF
;;
*)
# Add a -L argument.
- newdeplibs="$newdeplibs $a_deplib"
+ func_append newdeplibs " $a_deplib"
;;
esac
done # Gone through all deplibs.
@@ -6719,7 +7874,7 @@ EOF
if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
case " $predeps $postdeps " in
*" $a_deplib "*)
- newdeplibs="$newdeplibs $a_deplib"
+ func_append newdeplibs " $a_deplib"
a_deplib=""
;;
esac
@@ -6730,9 +7885,9 @@ EOF
potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
for potent_lib in $potential_libs; do
potlib="$potent_lib" # see symlink-check above in file_magic test
- if eval "\$ECHO \"X$potent_lib\"" 2>/dev/null | $Xsed -e 10q | \
+ if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \
$EGREP "$match_pattern_regex" > /dev/null; then
- newdeplibs="$newdeplibs $a_deplib"
+ func_append newdeplibs " $a_deplib"
a_deplib=""
break 2
fi
@@ -6741,12 +7896,12 @@ EOF
fi
if test -n "$a_deplib" ; then
droppeddeps=yes
- $ECHO
+ echo
$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
- $ECHO "*** I have the capability to make that library automatically link in when"
- $ECHO "*** you link to this library. But I can only do this if you have a"
- $ECHO "*** shared version of the library, which you do not appear to have"
- $ECHO "*** because I did check the linker path looking for a file starting"
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have"
+ echo "*** because I did check the linker path looking for a file starting"
if test -z "$potlib" ; then
$ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
else
@@ -6757,32 +7912,32 @@ EOF
;;
*)
# Add a -L argument.
- newdeplibs="$newdeplibs $a_deplib"
+ func_append newdeplibs " $a_deplib"
;;
esac
done # Gone through all deplibs.
;;
none | unknown | *)
newdeplibs=""
- tmp_deplibs=`$ECHO "X $deplibs" | $Xsed \
- -e 's/ -lc$//' -e 's/ -[LR][^ ]*//g'`
+ tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'`
if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
for i in $predeps $postdeps ; do
# can't use Xsed below, because $i might contain '/'
- tmp_deplibs=`$ECHO "X $tmp_deplibs" | $Xsed -e "s,$i,,"`
+ tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"`
done
fi
- if $ECHO "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' |
- $GREP . >/dev/null; then
- $ECHO
+ case $tmp_deplibs in
+ *[!\ \ ]*)
+ echo
if test "X$deplibs_check_method" = "Xnone"; then
- $ECHO "*** Warning: inter-library dependencies are not supported in this platform."
+ echo "*** Warning: inter-library dependencies are not supported in this platform."
else
- $ECHO "*** Warning: inter-library dependencies are not known to be supported."
+ echo "*** Warning: inter-library dependencies are not known to be supported."
fi
- $ECHO "*** All declared inter-library dependencies are being dropped."
+ echo "*** All declared inter-library dependencies are being dropped."
droppeddeps=yes
- fi
+ ;;
+ esac
;;
esac
versuffix=$versuffix_save
@@ -6794,23 +7949,23 @@ EOF
case $host in
*-*-rhapsody* | *-*-darwin1.[012])
# On Rhapsody replace the C library with the System framework
- newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+ newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'`
;;
esac
if test "$droppeddeps" = yes; then
if test "$module" = yes; then
- $ECHO
- $ECHO "*** Warning: libtool could not satisfy all declared inter-library"
+ echo
+ echo "*** Warning: libtool could not satisfy all declared inter-library"
$ECHO "*** dependencies of module $libname. Therefore, libtool will create"
- $ECHO "*** a static module, that should work as long as the dlopening"
- $ECHO "*** application is linked with the -dlopen flag."
+ echo "*** a static module, that should work as long as the dlopening"
+ echo "*** application is linked with the -dlopen flag."
if test -z "$global_symbol_pipe"; then
- $ECHO
- $ECHO "*** However, this would only work if libtool was able to extract symbol"
- $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
- $ECHO "*** not find such a program. So, this module is probably useless."
- $ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+ echo
+ echo "*** However, this would only work if libtool was able to extract symbol"
+ echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ echo "*** not find such a program. So, this module is probably useless."
+ echo "*** \`nm' from GNU binutils and a full rebuild may help."
fi
if test "$build_old_libs" = no; then
oldlibs="$output_objdir/$libname.$libext"
@@ -6820,16 +7975,16 @@ EOF
build_libtool_libs=no
fi
else
- $ECHO "*** The inter-library dependencies that have been dropped here will be"
- $ECHO "*** automatically added whenever a program is linked with this library"
- $ECHO "*** or is declared to -dlopen it."
+ echo "*** The inter-library dependencies that have been dropped here will be"
+ echo "*** automatically added whenever a program is linked with this library"
+ echo "*** or is declared to -dlopen it."
if test "$allow_undefined" = no; then
- $ECHO
- $ECHO "*** Since this library must not contain undefined symbols,"
- $ECHO "*** because either the platform does not support them or"
- $ECHO "*** it was explicitly requested with -no-undefined,"
- $ECHO "*** libtool will only create a static version of it."
+ echo
+ echo "*** Since this library must not contain undefined symbols,"
+ echo "*** because either the platform does not support them or"
+ echo "*** it was explicitly requested with -no-undefined,"
+ echo "*** libtool will only create a static version of it."
if test "$build_old_libs" = no; then
oldlibs="$output_objdir/$libname.$libext"
build_libtool_libs=module
@@ -6846,9 +8001,9 @@ EOF
# Time to change all our "foo.ltframework" stuff back to "-framework foo"
case $host in
*-*-darwin*)
- newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
- new_inherited_linker_flags=`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
- deplibs=`$ECHO "X $deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+ newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+ new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+ deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
;;
esac
@@ -6861,7 +8016,7 @@ EOF
*)
case " $deplibs " in
*" -L$path/$objdir "*)
- new_libs="$new_libs -L$path/$objdir" ;;
+ func_append new_libs " -L$path/$objdir" ;;
esac
;;
esac
@@ -6871,10 +8026,10 @@ EOF
-L*)
case " $new_libs " in
*" $deplib "*) ;;
- *) new_libs="$new_libs $deplib" ;;
+ *) func_append new_libs " $deplib" ;;
esac
;;
- *) new_libs="$new_libs $deplib" ;;
+ *) func_append new_libs " $deplib" ;;
esac
done
deplibs="$new_libs"
@@ -6886,15 +8041,22 @@ EOF
# Test again, we may have decided not to build it any more
if test "$build_libtool_libs" = yes; then
+ # Remove ${wl} instances when linking with ld.
+ # FIXME: should test the right _cmds variable.
+ case $archive_cmds in
+ *\$LD\ *) wl= ;;
+ esac
if test "$hardcode_into_libs" = yes; then
# Hardcode the library paths
hardcode_libdirs=
dep_rpath=
rpath="$finalize_rpath"
- test "$mode" != relink && rpath="$compile_rpath$rpath"
+ test "$opt_mode" != relink && rpath="$compile_rpath$rpath"
for libdir in $rpath; do
if test -n "$hardcode_libdir_flag_spec"; then
if test -n "$hardcode_libdir_separator"; then
+ func_replace_sysroot "$libdir"
+ libdir=$func_replace_sysroot_result
if test -z "$hardcode_libdirs"; then
hardcode_libdirs="$libdir"
else
@@ -6903,18 +8065,18 @@ EOF
*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
;;
*)
- hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
;;
esac
fi
else
eval flag=\"$hardcode_libdir_flag_spec\"
- dep_rpath="$dep_rpath $flag"
+ func_append dep_rpath " $flag"
fi
elif test -n "$runpath_var"; then
case "$perm_rpath " in
*" $libdir "*) ;;
- *) perm_rpath="$perm_rpath $libdir" ;;
+ *) func_append perm_rpath " $libdir" ;;
esac
fi
done
@@ -6922,17 +8084,13 @@ EOF
if test -n "$hardcode_libdir_separator" &&
test -n "$hardcode_libdirs"; then
libdir="$hardcode_libdirs"
- if test -n "$hardcode_libdir_flag_spec_ld"; then
- eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
- else
- eval dep_rpath=\"$hardcode_libdir_flag_spec\"
- fi
+ eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
fi
if test -n "$runpath_var" && test -n "$perm_rpath"; then
# We should set the runpath_var.
rpath=
for dir in $perm_rpath; do
- rpath="$rpath$dir:"
+ func_append rpath "$dir:"
done
eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
fi
@@ -6940,7 +8098,7 @@ EOF
fi
shlibpath="$finalize_shlibpath"
- test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+ test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
if test -n "$shlibpath"; then
eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
fi
@@ -6966,18 +8124,18 @@ EOF
linknames=
for link
do
- linknames="$linknames $link"
+ func_append linknames " $link"
done
# Use standard objects if they are pic
- test -z "$pic_flag" && libobjs=`$ECHO "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP`
test "X$libobjs" = "X " && libobjs=
delfiles=
if test -n "$export_symbols" && test -n "$include_expsyms"; then
$opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
export_symbols="$output_objdir/$libname.uexp"
- delfiles="$delfiles $export_symbols"
+ func_append delfiles " $export_symbols"
fi
orig_export_symbols=
@@ -7008,13 +8166,45 @@ EOF
$opt_dry_run || $RM $export_symbols
cmds=$export_symbols_cmds
save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
+ for cmd1 in $cmds; do
IFS="$save_ifs"
- eval cmd=\"$cmd\"
- func_len " $cmd"
- len=$func_len_result
- if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ # Take the normal branch if the nm_file_list_spec branch
+ # doesn't work or if tool conversion is not needed.
+ case $nm_file_list_spec~$to_tool_file_cmd in
+ *~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*)
+ try_normal_branch=yes
+ eval cmd=\"$cmd1\"
+ func_len " $cmd"
+ len=$func_len_result
+ ;;
+ *)
+ try_normal_branch=no
+ ;;
+ esac
+ if test "$try_normal_branch" = yes \
+ && { test "$len" -lt "$max_cmd_len" \
+ || test "$max_cmd_len" -le -1; }
+ then
+ func_show_eval "$cmd" 'exit $?'
+ skipped_export=false
+ elif test -n "$nm_file_list_spec"; then
+ func_basename "$output"
+ output_la=$func_basename_result
+ save_libobjs=$libobjs
+ save_output=$output
+ output=${output_objdir}/${output_la}.nm
+ func_to_tool_file "$output"
+ libobjs=$nm_file_list_spec$func_to_tool_file_result
+ func_append delfiles " $output"
+ func_verbose "creating $NM input file list: $output"
+ for obj in $save_libobjs; do
+ func_to_tool_file "$obj"
+ $ECHO "$func_to_tool_file_result"
+ done > "$output"
+ eval cmd=\"$cmd1\"
func_show_eval "$cmd" 'exit $?'
+ output=$save_output
+ libobjs=$save_libobjs
skipped_export=false
else
# The command line is too long to execute in one step.
@@ -7036,7 +8226,7 @@ EOF
if test -n "$export_symbols" && test -n "$include_expsyms"; then
tmp_export_symbols="$export_symbols"
test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
- $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+ $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
fi
if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then
@@ -7048,7 +8238,7 @@ EOF
# global variables. join(1) would be nice here, but unfortunately
# isn't a blessed tool.
$opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
- delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+ func_append delfiles " $export_symbols $output_objdir/$libname.filter"
export_symbols=$output_objdir/$libname.def
$opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
fi
@@ -7058,7 +8248,7 @@ EOF
case " $convenience " in
*" $test_deplib "*) ;;
*)
- tmp_deplibs="$tmp_deplibs $test_deplib"
+ func_append tmp_deplibs " $test_deplib"
;;
esac
done
@@ -7078,21 +8268,21 @@ EOF
test "X$libobjs" = "X " && libobjs=
else
gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
+ func_append generated " $gentop"
func_extract_archives $gentop $convenience
- libobjs="$libobjs $func_extract_archives_result"
+ func_append libobjs " $func_extract_archives_result"
test "X$libobjs" = "X " && libobjs=
fi
fi
if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
eval flag=\"$thread_safe_flag_spec\"
- linker_flags="$linker_flags $flag"
+ func_append linker_flags " $flag"
fi
# Make a backup of the uninstalled library when relinking
- if test "$mode" = relink; then
+ if test "$opt_mode" = relink; then
$opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
fi
@@ -7137,7 +8327,8 @@ EOF
save_libobjs=$libobjs
fi
save_output=$output
- output_la=`$ECHO "X$output" | $Xsed -e "$basename"`
+ func_basename "$output"
+ output_la=$func_basename_result
# Clear the reloadable object creation command queue and
# initialize k to one.
@@ -7150,13 +8341,16 @@ EOF
if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then
output=${output_objdir}/${output_la}.lnkscript
func_verbose "creating GNU ld script: $output"
- $ECHO 'INPUT (' > $output
+ echo 'INPUT (' > $output
for obj in $save_libobjs
do
- $ECHO "$obj" >> $output
+ func_to_tool_file "$obj"
+ $ECHO "$func_to_tool_file_result" >> $output
done
- $ECHO ')' >> $output
- delfiles="$delfiles $output"
+ echo ')' >> $output
+ func_append delfiles " $output"
+ func_to_tool_file "$output"
+ output=$func_to_tool_file_result
elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then
output=${output_objdir}/${output_la}.lnk
func_verbose "creating linker input file list: $output"
@@ -7170,10 +8364,12 @@ EOF
fi
for obj
do
- $ECHO "$obj" >> $output
+ func_to_tool_file "$obj"
+ $ECHO "$func_to_tool_file_result" >> $output
done
- delfiles="$delfiles $output"
- output=$firstobj\"$file_list_spec$output\"
+ func_append delfiles " $output"
+ func_to_tool_file "$output"
+ output=$firstobj\"$file_list_spec$func_to_tool_file_result\"
else
if test -n "$save_libobjs"; then
func_verbose "creating reloadable object files..."
@@ -7197,17 +8393,19 @@ EOF
# command to the queue.
if test "$k" -eq 1 ; then
# The first file doesn't have a previous command to add.
- eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+ reload_objs=$objlist
+ eval concat_cmds=\"$reload_cmds\"
else
# All subsequent reloadable object files will link in
# the last one created.
- eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj~\$RM $last_robj\"
+ reload_objs="$objlist $last_robj"
+ eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\"
fi
last_robj=$output_objdir/$output_la-${k}.$objext
func_arith $k + 1
k=$func_arith_result
output=$output_objdir/$output_la-${k}.$objext
- objlist=$obj
+ objlist=" $obj"
func_len " $last_robj"
func_arith $len0 + $func_len_result
len=$func_arith_result
@@ -7217,11 +8415,12 @@ EOF
# reloadable object file. All subsequent reloadable object
# files will link in the last one created.
test -z "$concat_cmds" || concat_cmds=$concat_cmds~
- eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+ reload_objs="$objlist $last_robj"
+ eval concat_cmds=\"\${concat_cmds}$reload_cmds\"
if test -n "$last_robj"; then
eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\"
fi
- delfiles="$delfiles $output"
+ func_append delfiles " $output"
else
output=
@@ -7255,7 +8454,7 @@ EOF
lt_exit=$?
# Restore the uninstalled library and exit
- if test "$mode" = relink; then
+ if test "$opt_mode" = relink; then
( cd "$output_objdir" && \
$RM "${realname}T" && \
$MV "${realname}U" "$realname" )
@@ -7276,7 +8475,7 @@ EOF
if test -n "$export_symbols" && test -n "$include_expsyms"; then
tmp_export_symbols="$export_symbols"
test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
- $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+ $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
fi
if test -n "$orig_export_symbols"; then
@@ -7288,7 +8487,7 @@ EOF
# global variables. join(1) would be nice here, but unfortunately
# isn't a blessed tool.
$opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
- delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+ func_append delfiles " $export_symbols $output_objdir/$libname.filter"
export_symbols=$output_objdir/$libname.def
$opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
fi
@@ -7329,10 +8528,10 @@ EOF
# Add any objects from preloaded convenience libraries
if test -n "$dlprefiles"; then
gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
+ func_append generated " $gentop"
func_extract_archives $gentop $dlprefiles
- libobjs="$libobjs $func_extract_archives_result"
+ func_append libobjs " $func_extract_archives_result"
test "X$libobjs" = "X " && libobjs=
fi
@@ -7348,7 +8547,7 @@ EOF
lt_exit=$?
# Restore the uninstalled library and exit
- if test "$mode" = relink; then
+ if test "$opt_mode" = relink; then
( cd "$output_objdir" && \
$RM "${realname}T" && \
$MV "${realname}U" "$realname" )
@@ -7360,7 +8559,7 @@ EOF
IFS="$save_ifs"
# Restore the uninstalled library and exit
- if test "$mode" = relink; then
+ if test "$opt_mode" = relink; then
$opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
if test -n "$convenience"; then
@@ -7441,18 +8640,21 @@ EOF
if test -n "$convenience"; then
if test -n "$whole_archive_flag_spec"; then
eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
- reload_conv_objs=$reload_objs\ `$ECHO "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
+ reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
else
gentop="$output_objdir/${obj}x"
- generated="$generated $gentop"
+ func_append generated " $gentop"
func_extract_archives $gentop $convenience
reload_conv_objs="$reload_objs $func_extract_archives_result"
fi
fi
+ # If we're not building shared, we need to use non_pic_objs
+ test "$build_libtool_libs" != yes && libobjs="$non_pic_objects"
+
# Create the old-style object.
- reload_objs="$objs$old_deplibs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+ reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
output="$obj"
func_execute_cmds "$reload_cmds" 'exit $?'
@@ -7512,8 +8714,8 @@ EOF
case $host in
*-*-rhapsody* | *-*-darwin1.[012])
# On Rhapsody replace the C library is the System framework
- compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
- finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+ compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'`
+ finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'`
;;
esac
@@ -7524,14 +8726,14 @@ EOF
if test "$tagname" = CXX ; then
case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
10.[0123])
- compile_command="$compile_command ${wl}-bind_at_load"
- finalize_command="$finalize_command ${wl}-bind_at_load"
+ func_append compile_command " ${wl}-bind_at_load"
+ func_append finalize_command " ${wl}-bind_at_load"
;;
esac
fi
# Time to change all our "foo.ltframework" stuff back to "-framework foo"
- compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
- finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+ compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+ finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
;;
esac
@@ -7545,7 +8747,7 @@ EOF
*)
case " $compile_deplibs " in
*" -L$path/$objdir "*)
- new_libs="$new_libs -L$path/$objdir" ;;
+ func_append new_libs " -L$path/$objdir" ;;
esac
;;
esac
@@ -7555,17 +8757,17 @@ EOF
-L*)
case " $new_libs " in
*" $deplib "*) ;;
- *) new_libs="$new_libs $deplib" ;;
+ *) func_append new_libs " $deplib" ;;
esac
;;
- *) new_libs="$new_libs $deplib" ;;
+ *) func_append new_libs " $deplib" ;;
esac
done
compile_deplibs="$new_libs"
- compile_command="$compile_command $compile_deplibs"
- finalize_command="$finalize_command $finalize_deplibs"
+ func_append compile_command " $compile_deplibs"
+ func_append finalize_command " $finalize_deplibs"
if test -n "$rpath$xrpath"; then
# If the user specified any rpath flags, then add them.
@@ -7573,7 +8775,7 @@ EOF
# This is the magic to use -rpath.
case "$finalize_rpath " in
*" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir" ;;
+ *) func_append finalize_rpath " $libdir" ;;
esac
done
fi
@@ -7592,18 +8794,18 @@ EOF
*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
;;
*)
- hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
;;
esac
fi
else
eval flag=\"$hardcode_libdir_flag_spec\"
- rpath="$rpath $flag"
+ func_append rpath " $flag"
fi
elif test -n "$runpath_var"; then
case "$perm_rpath " in
*" $libdir "*) ;;
- *) perm_rpath="$perm_rpath $libdir" ;;
+ *) func_append perm_rpath " $libdir" ;;
esac
fi
case $host in
@@ -7612,12 +8814,12 @@ EOF
case :$dllsearchpath: in
*":$libdir:"*) ;;
::) dllsearchpath=$libdir;;
- *) dllsearchpath="$dllsearchpath:$libdir";;
+ *) func_append dllsearchpath ":$libdir";;
esac
case :$dllsearchpath: in
*":$testbindir:"*) ;;
::) dllsearchpath=$testbindir;;
- *) dllsearchpath="$dllsearchpath:$testbindir";;
+ *) func_append dllsearchpath ":$testbindir";;
esac
;;
esac
@@ -7643,18 +8845,18 @@ EOF
*"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
;;
*)
- hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
;;
esac
fi
else
eval flag=\"$hardcode_libdir_flag_spec\"
- rpath="$rpath $flag"
+ func_append rpath " $flag"
fi
elif test -n "$runpath_var"; then
case "$finalize_perm_rpath " in
*" $libdir "*) ;;
- *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+ *) func_append finalize_perm_rpath " $libdir" ;;
esac
fi
done
@@ -7668,8 +8870,8 @@ EOF
if test -n "$libobjs" && test "$build_old_libs" = yes; then
# Transform all the library objects into standard objects.
- compile_command=`$ECHO "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
- finalize_command=`$ECHO "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
+ finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
fi
func_generate_dlsyms "$outputname" "@PROGRAM@" "no"
@@ -7681,15 +8883,15 @@ EOF
wrappers_required=yes
case $host in
+ *cegcc* | *mingw32ce*)
+ # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway.
+ wrappers_required=no
+ ;;
*cygwin* | *mingw* )
if test "$build_libtool_libs" != yes; then
wrappers_required=no
fi
;;
- *cegcc)
- # Disable wrappers for cegcc, we are cross compiling anyway.
- wrappers_required=no
- ;;
*)
if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
wrappers_required=no
@@ -7698,13 +8900,19 @@ EOF
esac
if test "$wrappers_required" = no; then
# Replace the output file specification.
- compile_command=`$ECHO "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
link_command="$compile_command$compile_rpath"
# We have no uninstalled library dependencies, so finalize right now.
exit_status=0
func_show_eval "$link_command" 'exit_status=$?'
+ if test -n "$postlink_cmds"; then
+ func_to_tool_file "$output"
+ postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+ func_execute_cmds "$postlink_cmds" 'exit $?'
+ fi
+
# Delete the generated files.
if test -f "$output_objdir/${outputname}S.${objext}"; then
func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"'
@@ -7727,7 +8935,7 @@ EOF
# We should set the runpath_var.
rpath=
for dir in $perm_rpath; do
- rpath="$rpath$dir:"
+ func_append rpath "$dir:"
done
compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
fi
@@ -7735,7 +8943,7 @@ EOF
# We should set the runpath_var.
rpath=
for dir in $finalize_perm_rpath; do
- rpath="$rpath$dir:"
+ func_append rpath "$dir:"
done
finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
fi
@@ -7745,11 +8953,18 @@ EOF
# We don't need to create a wrapper script.
link_command="$compile_var$compile_command$compile_rpath"
# Replace the output file specification.
- link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
# Delete the old output file.
$opt_dry_run || $RM $output
# Link the executable and exit
func_show_eval "$link_command" 'exit $?'
+
+ if test -n "$postlink_cmds"; then
+ func_to_tool_file "$output"
+ postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+ func_execute_cmds "$postlink_cmds" 'exit $?'
+ fi
+
exit $EXIT_SUCCESS
fi
@@ -7764,7 +8979,7 @@ EOF
if test "$fast_install" != no; then
link_command="$finalize_var$compile_command$finalize_rpath"
if test "$fast_install" = yes; then
- relink_command=`$ECHO "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+ relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
else
# fast_install is set to needless
relink_command=
@@ -7776,13 +8991,19 @@ EOF
fi
# Replace the output file specification.
- link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+ link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
# Delete the old output files.
$opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname
func_show_eval "$link_command" 'exit $?'
+ if test -n "$postlink_cmds"; then
+ func_to_tool_file "$output_objdir/$outputname"
+ postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+ func_execute_cmds "$postlink_cmds" 'exit $?'
+ fi
+
# Now create the wrapper script.
func_verbose "creating $output"
@@ -7800,18 +9021,7 @@ EOF
fi
done
relink_command="(cd `pwd`; $relink_command)"
- relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
- fi
-
- # Quote $ECHO for shipping.
- if test "X$ECHO" = "X$SHELL $progpath --fallback-echo"; then
- case $progpath in
- [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
- *) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
- esac
- qecho=`$ECHO "X$qecho" | $Xsed -e "$sed_quote_subst"`
- else
- qecho=`$ECHO "X$ECHO" | $Xsed -e "$sed_quote_subst"`
+ relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
fi
# Only actually do things if not in dry run mode.
@@ -7891,7 +9101,7 @@ EOF
else
oldobjs="$old_deplibs $non_pic_objects"
if test "$preload" = yes && test -f "$symfileobj"; then
- oldobjs="$oldobjs $symfileobj"
+ func_append oldobjs " $symfileobj"
fi
fi
addlibs="$old_convenience"
@@ -7899,10 +9109,10 @@ EOF
if test -n "$addlibs"; then
gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
+ func_append generated " $gentop"
func_extract_archives $gentop $addlibs
- oldobjs="$oldobjs $func_extract_archives_result"
+ func_append oldobjs " $func_extract_archives_result"
fi
# Do each command in the archive commands.
@@ -7913,10 +9123,10 @@ EOF
# Add any objects from preloaded convenience libraries
if test -n "$dlprefiles"; then
gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
+ func_append generated " $gentop"
func_extract_archives $gentop $dlprefiles
- oldobjs="$oldobjs $func_extract_archives_result"
+ func_append oldobjs " $func_extract_archives_result"
fi
# POSIX demands no paths to be encoded in archives. We have
@@ -7932,9 +9142,9 @@ EOF
done | sort | sort -uc >/dev/null 2>&1); then
:
else
- $ECHO "copying selected object files to avoid basename conflicts..."
+ echo "copying selected object files to avoid basename conflicts..."
gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
+ func_append generated " $gentop"
func_mkdir_p "$gentop"
save_oldobjs=$oldobjs
oldobjs=
@@ -7958,18 +9168,30 @@ EOF
esac
done
func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
- oldobjs="$oldobjs $gentop/$newobj"
+ func_append oldobjs " $gentop/$newobj"
;;
- *) oldobjs="$oldobjs $obj" ;;
+ *) func_append oldobjs " $obj" ;;
esac
done
fi
+ func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+ tool_oldlib=$func_to_tool_file_result
eval cmds=\"$old_archive_cmds\"
func_len " $cmds"
len=$func_len_result
if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
cmds=$old_archive_cmds
+ elif test -n "$archiver_list_spec"; then
+ func_verbose "using command file archive linking..."
+ for obj in $oldobjs
+ do
+ func_to_tool_file "$obj"
+ $ECHO "$func_to_tool_file_result"
+ done > $output_objdir/$libname.libcmd
+ func_to_tool_file "$output_objdir/$libname.libcmd"
+ oldobjs=" $archiver_list_spec$func_to_tool_file_result"
+ cmds=$old_archive_cmds
else
# the command line is too long to link in one step, link in parts
func_verbose "using piecewise archive linking..."
@@ -8043,7 +9265,7 @@ EOF
done
# Quote the link command for shipping.
relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
- relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+ relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
if test "$hardcode_automatic" = yes ; then
relink_command=
fi
@@ -8063,12 +9285,23 @@ EOF
*.la)
func_basename "$deplib"
name="$func_basename_result"
- eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ func_resolve_sysroot "$deplib"
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
test -z "$libdir" && \
func_fatal_error "\`$deplib' is not a valid libtool archive"
- newdependency_libs="$newdependency_libs $libdir/$name"
+ func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
+ ;;
+ -L*)
+ func_stripname -L '' "$deplib"
+ func_replace_sysroot "$func_stripname_result"
+ func_append newdependency_libs " -L$func_replace_sysroot_result"
+ ;;
+ -R*)
+ func_stripname -R '' "$deplib"
+ func_replace_sysroot "$func_stripname_result"
+ func_append newdependency_libs " -R$func_replace_sysroot_result"
;;
- *) newdependency_libs="$newdependency_libs $deplib" ;;
+ *) func_append newdependency_libs " $deplib" ;;
esac
done
dependency_libs="$newdependency_libs"
@@ -8082,9 +9315,9 @@ EOF
eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
test -z "$libdir" && \
func_fatal_error "\`$lib' is not a valid libtool archive"
- newdlfiles="$newdlfiles $libdir/$name"
+ func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name"
;;
- *) newdlfiles="$newdlfiles $lib" ;;
+ *) func_append newdlfiles " $lib" ;;
esac
done
dlfiles="$newdlfiles"
@@ -8101,7 +9334,7 @@ EOF
eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
test -z "$libdir" && \
func_fatal_error "\`$lib' is not a valid libtool archive"
- newdlprefiles="$newdlprefiles $libdir/$name"
+ func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name"
;;
esac
done
@@ -8113,7 +9346,7 @@ EOF
[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
*) abs=`pwd`"/$lib" ;;
esac
- newdlfiles="$newdlfiles $abs"
+ func_append newdlfiles " $abs"
done
dlfiles="$newdlfiles"
newdlprefiles=
@@ -8122,15 +9355,33 @@ EOF
[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
*) abs=`pwd`"/$lib" ;;
esac
- newdlprefiles="$newdlprefiles $abs"
+ func_append newdlprefiles " $abs"
done
dlprefiles="$newdlprefiles"
fi
$RM $output
# place dlname in correct position for cygwin
+ # In fact, it would be nice if we could use this code for all target
+ # systems that can't hard-code library paths into their executables
+ # and that have no shared library path variable independent of PATH,
+ # but it turns out we can't easily determine that from inspecting
+ # libtool variables, so we have to hard-code the OSs to which it
+ # applies here; at the moment, that means platforms that use the PE
+ # object format with DLL files. See the long comment at the top of
+ # tests/bindir.at for full details.
tdlname=$dlname
case $host,$output,$installed,$module,$dlname in
- *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+ *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll)
+ # If a -bindir argument was supplied, place the dll there.
+ if test "x$bindir" != x ;
+ then
+ func_relative_path "$install_libdir" "$bindir"
+ tdlname=$func_relative_path_result$dlname
+ else
+ # Otherwise fall back on heuristic.
+ tdlname=../bin/$dlname
+ fi
+ ;;
esac
$ECHO > $output "\
# $outputname - a libtool library file
@@ -8189,7 +9440,7 @@ relink_command=\"$relink_command\""
exit $EXIT_SUCCESS
}
-{ test "$mode" = link || test "$mode" = relink; } &&
+{ test "$opt_mode" = link || test "$opt_mode" = relink; } &&
func_mode_link ${1+"$@"}
@@ -8209,9 +9460,9 @@ func_mode_uninstall ()
for arg
do
case $arg in
- -f) RM="$RM $arg"; rmforce=yes ;;
- -*) RM="$RM $arg" ;;
- *) files="$files $arg" ;;
+ -f) func_append RM " $arg"; rmforce=yes ;;
+ -*) func_append RM " $arg" ;;
+ *) func_append files " $arg" ;;
esac
done
@@ -8220,24 +9471,23 @@ func_mode_uninstall ()
rmdirs=
- origobjdir="$objdir"
for file in $files; do
func_dirname "$file" "" "."
dir="$func_dirname_result"
if test "X$dir" = X.; then
- objdir="$origobjdir"
+ odir="$objdir"
else
- objdir="$dir/$origobjdir"
+ odir="$dir/$objdir"
fi
func_basename "$file"
name="$func_basename_result"
- test "$mode" = uninstall && objdir="$dir"
+ test "$opt_mode" = uninstall && odir="$dir"
- # Remember objdir for removal later, being careful to avoid duplicates
- if test "$mode" = clean; then
+ # Remember odir for removal later, being careful to avoid duplicates
+ if test "$opt_mode" = clean; then
case " $rmdirs " in
- *" $objdir "*) ;;
- *) rmdirs="$rmdirs $objdir" ;;
+ *" $odir "*) ;;
+ *) func_append rmdirs " $odir" ;;
esac
fi
@@ -8263,18 +9513,17 @@ func_mode_uninstall ()
# Delete the libtool libraries and symlinks.
for n in $library_names; do
- rmfiles="$rmfiles $objdir/$n"
+ func_append rmfiles " $odir/$n"
done
- test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+ test -n "$old_library" && func_append rmfiles " $odir/$old_library"
- case "$mode" in
+ case "$opt_mode" in
clean)
- case " $library_names " in
- # " " in the beginning catches empty $dlname
+ case " $library_names " in
*" $dlname "*) ;;
- *) rmfiles="$rmfiles $objdir/$dlname" ;;
+ *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;;
esac
- test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+ test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i"
;;
uninstall)
if test -n "$library_names"; then
@@ -8302,19 +9551,19 @@ func_mode_uninstall ()
# Add PIC object to the list of files to remove.
if test -n "$pic_object" &&
test "$pic_object" != none; then
- rmfiles="$rmfiles $dir/$pic_object"
+ func_append rmfiles " $dir/$pic_object"
fi
# Add non-PIC object to the list of files to remove.
if test -n "$non_pic_object" &&
test "$non_pic_object" != none; then
- rmfiles="$rmfiles $dir/$non_pic_object"
+ func_append rmfiles " $dir/$non_pic_object"
fi
fi
;;
*)
- if test "$mode" = clean ; then
+ if test "$opt_mode" = clean ; then
noexename=$name
case $file in
*.exe)
@@ -8324,7 +9573,7 @@ func_mode_uninstall ()
noexename=$func_stripname_result
# $file with .exe has already been added to rmfiles,
# add $file without .exe
- rmfiles="$rmfiles $file"
+ func_append rmfiles " $file"
;;
esac
# Do a test to see if this is a libtool program.
@@ -8333,7 +9582,7 @@ func_mode_uninstall ()
func_ltwrapper_scriptname "$file"
relink_command=
func_source $func_ltwrapper_scriptname_result
- rmfiles="$rmfiles $func_ltwrapper_scriptname_result"
+ func_append rmfiles " $func_ltwrapper_scriptname_result"
else
relink_command=
func_source $dir/$noexename
@@ -8341,12 +9590,12 @@ func_mode_uninstall ()
# note $name still contains .exe if it was in $file originally
# as does the version of $file that was added into $rmfiles
- rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+ func_append rmfiles " $odir/$name $odir/${name}S.${objext}"
if test "$fast_install" = yes && test -n "$relink_command"; then
- rmfiles="$rmfiles $objdir/lt-$name"
+ func_append rmfiles " $odir/lt-$name"
fi
if test "X$noexename" != "X$name" ; then
- rmfiles="$rmfiles $objdir/lt-${noexename}.c"
+ func_append rmfiles " $odir/lt-${noexename}.c"
fi
fi
fi
@@ -8354,7 +9603,6 @@ func_mode_uninstall ()
esac
func_show_eval "$RM $rmfiles" 'exit_status=1'
done
- objdir="$origobjdir"
# Try to remove the ${objdir}s in the directories where we deleted files
for dir in $rmdirs; do
@@ -8366,16 +9614,16 @@ func_mode_uninstall ()
exit $exit_status
}
-{ test "$mode" = uninstall || test "$mode" = clean; } &&
+{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } &&
func_mode_uninstall ${1+"$@"}
-test -z "$mode" && {
+test -z "$opt_mode" && {
help="$generic_help"
func_fatal_help "you must specify a MODE"
}
test -z "$exec_cmd" && \
- func_fatal_help "invalid operation mode \`$mode'"
+ func_fatal_help "invalid operation mode \`$opt_mode'"
if test -n "$exec_cmd"; then
eval exec "$exec_cmd"
diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4
index a3fee5360..828104cfd 100644
--- a/m4/config/libtool.m4
+++ b/m4/config/libtool.m4
@@ -1,7 +1,8 @@
# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
#
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-# 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# Written by Gordon Matzigkeit, 1996
#
# This file is free software; the Free Software Foundation gives
@@ -10,7 +11,8 @@
m4_define([_LT_COPYING], [dnl
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-# 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# Written by Gordon Matzigkeit, 1996
#
# This file is part of GNU Libtool.
@@ -37,7 +39,7 @@ m4_define([_LT_COPYING], [dnl
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
])
-# serial 56 LT_INIT
+# serial 57 LT_INIT
# LT_PREREQ(VERSION)
@@ -66,6 +68,7 @@ esac
# ------------------
AC_DEFUN([LT_INIT],
[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
+AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
AC_BEFORE([$0], [LT_LANG])dnl
AC_BEFORE([$0], [LT_OUTPUT])dnl
AC_BEFORE([$0], [LTDL_INIT])dnl
@@ -82,6 +85,8 @@ AC_REQUIRE([LTVERSION_VERSION])dnl
AC_REQUIRE([LTOBSOLETE_VERSION])dnl
m4_require([_LT_PROG_LTMAIN])dnl
+_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}])
+
dnl Parse OPTIONS
_LT_SET_OPTIONS([$0], [$1])
@@ -118,7 +123,7 @@ m4_defun([_LT_CC_BASENAME],
*) break;;
esac
done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
])
@@ -138,6 +143,11 @@ m4_defun([_LT_FILEUTILS_DEFAULTS],
m4_defun([_LT_SETUP],
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
_LT_DECL([], [host_alias], [0], [The host system])dnl
_LT_DECL([], [host], [0])dnl
_LT_DECL([], [host_os], [0])dnl
@@ -160,10 +170,13 @@ _LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
dnl
m4_require([_LT_FILEUTILS_DEFAULTS])dnl
m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
m4_require([_LT_CMD_RELOAD])dnl
m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
m4_require([_LT_CMD_OLD_ARCHIVE])dnl
m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_WITH_SYSROOT])dnl
_LT_CONFIG_LIBTOOL_INIT([
# See if we are running on zsh, and set the options which allow our
@@ -179,7 +192,6 @@ fi
_LT_CHECK_OBJDIR
m4_require([_LT_TAG_COMPILER])dnl
-_LT_PROG_ECHO_BACKSLASH
case $host_os in
aix3*)
@@ -193,23 +205,6 @@ aix3*)
;;
esac
-# Sed substitution that helps us do robust quoting. It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([["`\\]]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
# Global variables:
ofile=libtool
can_build_shared=yes
@@ -250,6 +245,28 @@ _LT_CONFIG_COMMANDS
])# _LT_SETUP
+# _LT_PREPARE_SED_QUOTE_VARS
+# --------------------------
+# Define a few sed substitution that help us do robust quoting.
+m4_defun([_LT_PREPARE_SED_QUOTE_VARS],
+[# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+])
+
# _LT_PROG_LTMAIN
# ---------------
# Note that this code is called both from `configure', and `config.status'
@@ -408,7 +425,7 @@ m4_define([_lt_decl_all_varnames],
# declaration there will have the same value as in `configure'. VARNAME
# must have a single quote delimited value for this to work.
m4_define([_LT_CONFIG_STATUS_DECLARE],
-[$1='`$ECHO "X$][$1" | $Xsed -e "$delay_single_quote_subst"`'])
+[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`'])
# _LT_CONFIG_STATUS_DECLARATIONS
@@ -418,7 +435,7 @@ m4_define([_LT_CONFIG_STATUS_DECLARE],
# embedded single quotes properly. In configure, this macro expands
# each variable declared with _LT_DECL (and _LT_TAGDECL) into:
#
-# <var>='`$ECHO "X$<var>" | $Xsed -e "$delay_single_quote_subst"`'
+# <var>='`$ECHO "$<var>" | $SED "$delay_single_quote_subst"`'
m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
[m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
@@ -517,12 +534,20 @@ LTCC='$LTCC'
LTCFLAGS='$LTCFLAGS'
compiler='$compiler_DEFAULT'
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+ eval 'cat <<_LTECHO_EOF
+\$[]1
+_LTECHO_EOF'
+}
+
# Quote evaled strings.
for var in lt_decl_all_varnames([[ \
]], lt_decl_quote_varnames); do
- case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+ case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
*[[\\\\\\\`\\"\\\$]]*)
- eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+ eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
;;
*)
eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -533,9 +558,9 @@ done
# Double-quote double-evaled strings.
for var in lt_decl_all_varnames([[ \
]], lt_decl_dquote_varnames); do
- case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+ case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
*[[\\\\\\\`\\"\\\$]]*)
- eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+ eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
;;
*)
eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -543,16 +568,38 @@ for var in lt_decl_all_varnames([[ \
esac
done
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\[$]0 --fallback-echo"')dnl "
- lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\`
- ;;
-esac
-
_LT_OUTPUT_LIBTOOL_INIT
])
+# _LT_GENERATED_FILE_INIT(FILE, [COMMENT])
+# ------------------------------------
+# Generate a child script FILE with all initialization necessary to
+# reuse the environment learned by the parent script, and make the
+# file executable. If COMMENT is supplied, it is inserted after the
+# `#!' sequence but before initialization text begins. After this
+# macro, additional text can be appended to FILE to form the body of
+# the child script. The macro ends with non-zero status if the
+# file could not be fully written (such as if the disk is full).
+m4_ifdef([AS_INIT_GENERATED],
+[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])],
+[m4_defun([_LT_GENERATED_FILE_INIT],
+[m4_require([AS_PREPARE])]dnl
+[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl
+[lt_write_fail=0
+cat >$1 <<_ASEOF || lt_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+$2
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$1 <<\_ASEOF || lt_write_fail=1
+AS_SHELL_SANITIZE
+_AS_PREPARE
+exec AS_MESSAGE_FD>&1
+_ASEOF
+test $lt_write_fail = 0 && chmod +x $1[]dnl
+m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT
# LT_OUTPUT
# ---------
@@ -562,20 +609,11 @@ _LT_OUTPUT_LIBTOOL_INIT
AC_DEFUN([LT_OUTPUT],
[: ${CONFIG_LT=./config.lt}
AC_MSG_NOTICE([creating $CONFIG_LT])
-cat >"$CONFIG_LT" <<_LTEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate a libtool stub with the current configuration.
-
-lt_cl_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_LTEOF
+_LT_GENERATED_FILE_INIT(["$CONFIG_LT"],
+[# Run this file to recreate a libtool stub with the current configuration.])
cat >>"$CONFIG_LT" <<\_LTEOF
-AS_SHELL_SANITIZE
-_AS_PREPARE
-
-exec AS_MESSAGE_FD>&1
+lt_cl_silent=false
exec AS_MESSAGE_LOG_FD>>config.log
{
echo
@@ -601,7 +639,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
configured by $[0], generated by m4_PACKAGE_STRING.
-Copyright (C) 2008 Free Software Foundation, Inc.
+Copyright (C) 2011 Free Software Foundation, Inc.
This config.lt script is free software; the Free Software Foundation
gives unlimited permision to copy, distribute and modify it."
@@ -646,15 +684,13 @@ chmod +x "$CONFIG_LT"
# appending to config.log, which fails on DOS, as config.log is still kept
# open by configure. Here we exec the FD to /dev/null, effectively closing
# config.log, so it can be properly (re)opened and appended to by config.lt.
-if test "$no_create" != yes; then
- lt_cl_success=:
- test "$silent" = yes &&
- lt_config_lt_args="$lt_config_lt_args --quiet"
- exec AS_MESSAGE_LOG_FD>/dev/null
- $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
- exec AS_MESSAGE_LOG_FD>>config.log
- $lt_cl_success || AS_EXIT(1)
-fi
+lt_cl_success=:
+test "$silent" = yes &&
+ lt_config_lt_args="$lt_config_lt_args --quiet"
+exec AS_MESSAGE_LOG_FD>/dev/null
+$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
+exec AS_MESSAGE_LOG_FD>>config.log
+$lt_cl_success || AS_EXIT(1)
])# LT_OUTPUT
@@ -717,15 +753,12 @@ _LT_EOF
# if finds mixed CR/LF and LF-only lines. Since sed operates in
# text mode, it properly converts lines to CR/LF. This bash problem
# is reportedly fixed, but why not run on old versions too?
- sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
- || (rm -f "$cfgfile"; exit 1)
+ sed '$q' "$ltmain" >> "$cfgfile" \
+ || (rm -f "$cfgfile"; exit 1)
- _LT_PROG_XSI_SHELLFNS
+ _LT_PROG_REPLACE_SHELLFNS
- sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
- || (rm -f "$cfgfile"; exit 1)
-
- mv -f "$cfgfile" "$ofile" ||
+ mv -f "$cfgfile" "$ofile" ||
(rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
chmod +x "$ofile"
],
@@ -770,6 +803,7 @@ AC_DEFUN([LT_LANG],
m4_case([$1],
[C], [_LT_LANG(C)],
[C++], [_LT_LANG(CXX)],
+ [Go], [_LT_LANG(GO)],
[Java], [_LT_LANG(GCJ)],
[Fortran 77], [_LT_LANG(F77)],
[Fortran], [_LT_LANG(FC)],
@@ -791,6 +825,31 @@ m4_defun([_LT_LANG],
])# _LT_LANG
+m4_ifndef([AC_PROG_GO], [
+############################################################
+# NOTE: This macro has been submitted for inclusion into #
+# GNU Autoconf as AC_PROG_GO. When it is available in #
+# a released version of Autoconf we should remove this #
+# macro and use it instead. #
+############################################################
+m4_defun([AC_PROG_GO],
+[AC_LANG_PUSH(Go)dnl
+AC_ARG_VAR([GOC], [Go compiler command])dnl
+AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
+_AC_ARG_VAR_LDFLAGS()dnl
+AC_CHECK_TOOL(GOC, gccgo)
+if test -z "$GOC"; then
+ if test -n "$ac_tool_prefix"; then
+ AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
+ fi
+fi
+if test -z "$GOC"; then
+ AC_CHECK_PROG(GOC, gccgo, gccgo, false)
+fi
+])#m4_defun
+])#m4_ifndef
+
+
# _LT_LANG_DEFAULT_CONFIG
# -----------------------
m4_defun([_LT_LANG_DEFAULT_CONFIG],
@@ -821,6 +880,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
m4_ifdef([LT_PROG_GCJ],
[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
+AC_PROVIDE_IFELSE([AC_PROG_GO],
+ [LT_LANG(GO)],
+ [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
+
AC_PROVIDE_IFELSE([LT_PROG_RC],
[LT_LANG(RC)],
[m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
@@ -831,11 +894,13 @@ AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
+AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
dnl AC_DEFUN([AC_LIBTOOL_F77], [])
dnl AC_DEFUN([AC_LIBTOOL_FC], [])
dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
+dnl AC_DEFUN([AC_LIBTOOL_RC], [])
# _LT_TAG_COMPILER
@@ -921,7 +986,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-dynamiclib -Wl,-single_module conftest.c 2>conftest.err
_lt_result=$?
- if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+ # If there is a non-empty error log, and "single_module"
+ # appears in it, assume the flag caused a linker warning
+ if test -s conftest.err && $GREP single_module conftest.err; then
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ # Otherwise, if the output was created with a 0 exit code from
+ # the compiler, it worked.
+ elif test -f libconftest.dylib && test $_lt_result -eq 0; then
lt_cv_apple_cc_single_mod=yes
else
cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -929,6 +1000,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
rm -rf libconftest.dylib*
rm -f conftest.*
fi])
+
AC_CACHE_CHECK([for -exported_symbols_list linker flag],
[lt_cv_ld_exported_symbols_list],
[lt_cv_ld_exported_symbols_list=no
@@ -940,6 +1012,34 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
[lt_cv_ld_exported_symbols_list=no])
LDFLAGS="$save_LDFLAGS"
])
+
+ AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
+ [lt_cv_ld_force_load=no
+ cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+ echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
+ $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
+ echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+ $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+ echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
+ $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
+ cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+ echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
+ $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+ _lt_result=$?
+ if test -s conftest.err && $GREP force_load conftest.err; then
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
+ lt_cv_ld_force_load=yes
+ else
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ fi
+ rm -f conftest.err libconftest.a conftest conftest.c
+ rm -rf conftest.dSYM
+ ])
case $host_os in
rhapsody* | darwin1.[[012]])
_lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -967,7 +1067,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
else
_lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
fi
- if test "$DSYMUTIL" != ":"; then
+ if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
_lt_dsymutil='~$DSYMUTIL $lib || :'
else
_lt_dsymutil=
@@ -977,8 +1077,8 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
])
-# _LT_DARWIN_LINKER_FEATURES
-# --------------------------
+# _LT_DARWIN_LINKER_FEATURES([TAG])
+# ---------------------------------
# Checks for linker and compiler features on darwin
m4_defun([_LT_DARWIN_LINKER_FEATURES],
[
@@ -987,7 +1087,13 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
_LT_TAGVAR(hardcode_direct, $1)=no
_LT_TAGVAR(hardcode_automatic, $1)=yes
_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
- _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+ if test "$lt_cv_ld_force_load" = "yes"; then
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+ m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
+ [FC], [_LT_TAGVAR(compiler_needs_object, $1)=yes])
+ else
+ _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+ fi
_LT_TAGVAR(link_all_deplibs, $1)=yes
_LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
case $cc_basename in
@@ -995,7 +1101,7 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
*) _lt_dar_can_shared=$GCC ;;
esac
if test "$_lt_dar_can_shared" = "yes"; then
- output_verbose_link_cmd=echo
+ output_verbose_link_cmd=func_echo_all
_LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
_LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
_LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
@@ -1011,203 +1117,142 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
fi
])
-# _LT_SYS_MODULE_PATH_AIX
-# -----------------------
+# _LT_SYS_MODULE_PATH_AIX([TAGNAME])
+# ----------------------------------
# Links a minimal program and checks the executable
# for the system default hardcoded library path. In most cases,
# this is /usr/lib:/lib, but when the MPI compilers are used
# the location of the communication and MPI libs are included too.
# If we don't find anything, use the default library path according
# to the aix ld manual.
+# Store the results from the different compilers for each TAGNAME.
+# Allow to override them for all tags through lt_cv_aix_libpath.
m4_defun([_LT_SYS_MODULE_PATH_AIX],
[m4_require([_LT_DECL_SED])dnl
-AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-lt_aix_libpath_sed='
- /Import File Strings/,/^$/ {
- /^0/ {
- s/^0 *\(.*\)$/\1/
- p
- }
- }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
- aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi],[])
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+if test "${lt_cv_aix_libpath+set}" = set; then
+ aix_libpath=$lt_cv_aix_libpath
+else
+ AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])],
+ [AC_LINK_IFELSE([AC_LANG_PROGRAM],[
+ lt_aix_libpath_sed='[
+ /Import File Strings/,/^$/ {
+ /^0/ {
+ s/^0 *\([^ ]*\) *$/\1/
+ p
+ }
+ }]'
+ _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+ # Check for a 64-bit object if we didn't find anything.
+ if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+ _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+ fi],[])
+ if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+ _LT_TAGVAR([lt_cv_aix_libpath_], [$1])="/usr/lib:/lib"
+ fi
+ ])
+ aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])
+fi
])# _LT_SYS_MODULE_PATH_AIX
# _LT_SHELL_INIT(ARG)
# -------------------
m4_define([_LT_SHELL_INIT],
-[ifdef([AC_DIVERSION_NOTICE],
- [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
- [AC_DIVERT_PUSH(NOTICE)])
-$1
-AC_DIVERT_POP
-])# _LT_SHELL_INIT
+[m4_divert_text([M4SH-INIT], [$1
+])])# _LT_SHELL_INIT
+
# _LT_PROG_ECHO_BACKSLASH
# -----------------------
-# Add some code to the start of the generated configure script which
-# will find an echo command which doesn't interpret backslashes.
+# Find how we can fake an echo command that does not interpret backslash.
+# In particular, with Autoconf 2.60 or later we add some code to the start
+# of the generated configure script which will find a shell with a builtin
+# printf (which we can use as an echo command).
m4_defun([_LT_PROG_ECHO_BACKSLASH],
-[_LT_SHELL_INIT([
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$lt_ECHO in
-X*--fallback-echo)
- # Remove one level of quotation (which was required for Make).
- ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
- ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X[$]1" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
-elif test "X[$]1" = X--fallback-echo; then
- # Avoid inline document here, it may be left over
- :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
- # Yippee, $ECHO works!
- :
+[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+AC_MSG_CHECKING([how to print strings])
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+ test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+ ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+ ECHO='printf %s\n'
else
- # Restart under the correct shell.
- exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
-fi
-
-if test "X[$]1" = X--fallback-echo; then
- # used as fallback echo
- shift
- cat <<_LT_EOF
-[$]*
-_LT_EOF
- exit 0
+ # Use this function as a fallback that always works.
+ func_fallback_echo ()
+ {
+ eval 'cat <<_LTECHO_EOF
+$[]1
+_LTECHO_EOF'
+ }
+ ECHO='func_fallback_echo'
fi
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
- if test "X${echo_test_string+set}" != Xset; then
- # find a string as large as possible, as long as the shell can cope with it
- for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
- # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
- if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
- { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
- then
- break
- fi
- done
- fi
-
- if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- :
- else
- # The Solaris, AIX, and Digital Unix default echo programs unquote
- # backslashes. This makes it impossible to quote backslashes using
- # echo "$something" | sed 's/\\/\\\\/g'
- #
- # So, first we look for a working echo in the user's PATH.
-
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for dir in $PATH /usr/ucb; do
- IFS="$lt_save_ifs"
- if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
- test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- ECHO="$dir/echo"
- break
- fi
- done
- IFS="$lt_save_ifs"
-
- if test "X$ECHO" = Xecho; then
- # We didn't find a better echo, so look for alternatives.
- if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # This shell has a builtin print -r that does the trick.
- ECHO='print -r'
- elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
- test "X$CONFIG_SHELL" != X/bin/ksh; then
- # If we have ksh, try running configure again with it.
- ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
- export ORIGINAL_CONFIG_SHELL
- CONFIG_SHELL=/bin/ksh
- export CONFIG_SHELL
- exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
- else
- # Try using printf.
- ECHO='printf %s\n'
- if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # Cool, printf works
- :
- elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
- export CONFIG_SHELL
- SHELL="$CONFIG_SHELL"
- export SHELL
- ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
- elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
- else
- # maybe with a smaller string...
- prev=:
-
- for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
- if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
- then
- break
- fi
- prev="$cmd"
- done
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+ $ECHO "$*"
+}
- if test "$prev" != 'sed 50q "[$]0"'; then
- echo_test_string=`eval $prev`
- export echo_test_string
- exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
- else
- # Oops. We lost completely, so just stick with echo.
- ECHO=echo
- fi
- fi
- fi
- fi
- fi
-fi
+case "$ECHO" in
+ printf*) AC_MSG_RESULT([printf]) ;;
+ print*) AC_MSG_RESULT([print -r]) ;;
+ *) AC_MSG_RESULT([cat]) ;;
+esac
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
- lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
-fi
+m4_ifdef([_AS_DETECT_SUGGESTED],
+[_AS_DETECT_SUGGESTED([
+ test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || (
+ ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+ PATH=/empty FPATH=/empty; export PATH FPATH
+ test "X`printf %s $ECHO`" = "X$ECHO" \
+ || test "X`print -r -- $ECHO`" = "X$ECHO" )])])
-AC_SUBST(lt_ECHO)
-])
_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
-_LT_DECL([], [ECHO], [1],
- [An echo program that does not interpret backslashes])
+_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes])
])# _LT_PROG_ECHO_BACKSLASH
+# _LT_WITH_SYSROOT
+# ----------------
+AC_DEFUN([_LT_WITH_SYSROOT],
+[AC_MSG_CHECKING([for sysroot])
+AC_ARG_WITH([sysroot],
+[ --with-sysroot[=DIR] Search for dependent libraries within DIR
+ (or the compiler's sysroot if not specified).],
+[], [with_sysroot=no])
+
+dnl lt_sysroot will always be passed unquoted. We quote it here
+dnl in case the user passed a directory name.
+lt_sysroot=
+case ${with_sysroot} in #(
+ yes)
+ if test "$GCC" = yes; then
+ lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+ fi
+ ;; #(
+ /*)
+ lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+ ;; #(
+ no|'')
+ ;; #(
+ *)
+ AC_MSG_RESULT([${with_sysroot}])
+ AC_MSG_ERROR([The sysroot must be an absolute path.])
+ ;;
+esac
+
+ AC_MSG_RESULT([${lt_sysroot:-no}])
+_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl
+[dependent libraries, and in which our libraries should be installed.])])
+
# _LT_ENABLE_LOCK
# ---------------
m4_defun([_LT_ENABLE_LOCK],
@@ -1236,7 +1281,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+ echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
if test "$lt_cv_prog_gnu_ld" = yes; then
case `/usr/bin/file conftest.$ac_objext` in
@@ -1329,14 +1374,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
CFLAGS="$SAVE_CFLAGS"
fi
;;
-sparc*-*solaris*)
+*-*solaris*)
# Find out which ABI we are using.
echo 'int i;' > conftest.$ac_ext
if AC_TRY_EVAL(ac_compile); then
case `/usr/bin/file conftest.o` in
*64-bit*)
case $lt_cv_prog_gnu_ld in
- yes*) LD="${LD-ld} -m elf64_sparc" ;;
+ yes*)
+ case $host in
+ i?86-*-solaris*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ sparc*-*-solaris*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ # GNU ld 2.21 introduced _sol2 emulations. Use them if available.
+ if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+ LD="${LD-ld}_sol2"
+ fi
+ ;;
*)
if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
LD="${LD-ld} -64"
@@ -1354,14 +1412,47 @@ need_locks="$enable_libtool_lock"
])# _LT_ENABLE_LOCK
+# _LT_PROG_AR
+# -----------
+m4_defun([_LT_PROG_AR],
+[AC_CHECK_TOOLS(AR, [ar], false)
+: ${AR=ar}
+: ${AR_FLAGS=cru}
+_LT_DECL([], [AR], [1], [The archiver])
+_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
+
+AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
+ [lt_cv_ar_at_file=no
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
+ [echo conftest.$ac_objext > conftest.lst
+ lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD'
+ AC_TRY_EVAL([lt_ar_try])
+ if test "$ac_status" -eq 0; then
+ # Ensure the archiver fails upon bogus file names.
+ rm -f conftest.$ac_objext libconftest.a
+ AC_TRY_EVAL([lt_ar_try])
+ if test "$ac_status" -ne 0; then
+ lt_cv_ar_at_file=@
+ fi
+ fi
+ rm -f conftest.* libconftest.a
+ ])
+ ])
+
+if test "x$lt_cv_ar_at_file" = xno; then
+ archiver_list_spec=
+else
+ archiver_list_spec=$lt_cv_ar_at_file
+fi
+_LT_DECL([], [archiver_list_spec], [1],
+ [How to feed a file listing to the archiver])
+])# _LT_PROG_AR
+
+
# _LT_CMD_OLD_ARCHIVE
# -------------------
m4_defun([_LT_CMD_OLD_ARCHIVE],
-[AC_CHECK_TOOL(AR, ar, false)
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-_LT_DECL([], [AR], [1], [The archiver])
-_LT_DECL([], [AR_FLAGS], [1])
+[_LT_PROG_AR
AC_CHECK_TOOL(STRIP, strip, :)
test -z "$STRIP" && STRIP=:
@@ -1380,18 +1471,27 @@ old_postuninstall_cmds=
if test -n "$RANLIB"; then
case $host_os in
openbsd*)
- old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
;;
*)
- old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
;;
esac
- old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
fi
+
+case $host_os in
+ darwin*)
+ lock_old_archive_extraction=yes ;;
+ *)
+ lock_old_archive_extraction=no ;;
+esac
_LT_DECL([], [old_postinstall_cmds], [2])
_LT_DECL([], [old_postuninstall_cmds], [2])
_LT_TAGDECL([], [old_archive_cmds], [2],
[Commands used to build an old-style archive])
+_LT_DECL([], [lock_old_archive_extraction], [0],
+ [Whether to use a lock for old archive extraction])
])# _LT_CMD_OLD_ARCHIVE
@@ -1416,15 +1516,15 @@ AC_CACHE_CHECK([$1], [$2],
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&AS_MESSAGE_LOG_FD
- echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
- $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
$2=yes
@@ -1464,7 +1564,7 @@ AC_CACHE_CHECK([$1], [$2],
if test -s conftest.err; then
# Append any errors to the config.log.
cat conftest.err 1>&AS_MESSAGE_LOG_FD
- $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if diff conftest.exp conftest.er2 >/dev/null; then
$2=yes
@@ -1527,6 +1627,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
lt_cv_sys_max_cmd_len=8192;
;;
+ mint*)
+ # On MiNT this can take a long time and run out of memory.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
amigaos*)
# On AmigaOS with pdksh, this test takes hours, literally.
# So we just punt and use a minimum line length of 8192.
@@ -1552,6 +1657,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
lt_cv_sys_max_cmd_len=196608
;;
+ os2*)
+ # The test takes a long time on OS/2.
+ lt_cv_sys_max_cmd_len=8192
+ ;;
+
osf*)
# Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
# due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -1591,8 +1701,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
# If test is not a shell built-in, we'll probably end up computing a
# maximum length that is only half of the actual maximum length, but
# we can't tell.
- while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
- = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+ while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
+ = "X$teststring$teststring"; } >/dev/null 2>&1 &&
test $i != 17 # 1/2 MB should be enough
do
i=`expr $i + 1`
@@ -1643,7 +1753,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-[#line __oline__ "configure"
+[#line $LINENO "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -1684,7 +1794,13 @@ else
# endif
#endif
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+ correspondingly for the symbols needed. */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
int main ()
{
void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -1693,7 +1809,11 @@ int main ()
if (self)
{
if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ else
+ {
+ if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ else puts (dlerror ());
+ }
/* dlclose (self); */
}
else
@@ -1869,16 +1989,16 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&AS_MESSAGE_LOG_FD
- echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
- $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
$SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
@@ -2037,6 +2157,7 @@ m4_require([_LT_DECL_EGREP])dnl
m4_require([_LT_FILEUTILS_DEFAULTS])dnl
m4_require([_LT_DECL_OBJDUMP])dnl
m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
AC_MSG_CHECKING([dynamic linker characteristics])
m4_if([$1],
[], [
@@ -2045,16 +2166,23 @@ if test "$GCC" = yes; then
darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
*) lt_awk_arg="/^libraries:/" ;;
esac
- lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+ case $host_os in
+ mingw* | cegcc*) lt_sed_strip_eq="s,=\([[A-Za-z]]:\),\1,g" ;;
+ *) lt_sed_strip_eq="s,=/,/,g" ;;
+ esac
+ lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+ case $lt_search_path_spec in
+ *\;*)
# if the path contains ";" then we assume it to be the separator
# otherwise default to the standard path separator (i.e. ":") - it is
# assumed that no part of a normal pathname contains ";" but that should
# okay in the real world where ";" in dirpaths is itself problematic.
- lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
- else
- lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
+ lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+ ;;
+ *)
+ lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+ ;;
+ esac
# Ok, now we have the path, separated by spaces, we can step through it
# and add multilib dir if necessary.
lt_tmp_lt_search_path_spec=
@@ -2067,7 +2195,7 @@ if test "$GCC" = yes; then
lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
fi
done
- lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+ lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
BEGIN {RS=" "; FS="/|\n";} {
lt_foo="";
lt_count=0;
@@ -2087,7 +2215,13 @@ BEGIN {RS=" "; FS="/|\n";} {
if (lt_foo != "") { lt_freq[[lt_foo]]++; }
if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
}'`
- sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+ # AWK program above erroneously prepends '/' to C:/dos/paths
+ # for these hosts.
+ case $host_os in
+ mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+ $SED 's,/\([[A-Za-z]]:\),\1,g'` ;;
+ esac
+ sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
else
sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
fi])
@@ -2113,7 +2247,7 @@ need_version=unknown
case $host_os in
aix3*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
shlibpath_var=LIBPATH
@@ -2122,7 +2256,7 @@ aix3*)
;;
aix[[4-9]]*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
hardcode_into_libs=yes
@@ -2175,7 +2309,7 @@ amigaos*)
m68k)
library_names_spec='$libname.ixlibrary $libname.a'
# Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
;;
esac
;;
@@ -2187,7 +2321,7 @@ beos*)
;;
bsdi[[45]]*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
@@ -2206,8 +2340,9 @@ cygwin* | mingw* | pw32* | cegcc*)
need_version=no
need_lib_prefix=no
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+ case $GCC,$cc_basename in
+ yes,*)
+ # gcc
library_names_spec='$libname.dll.a'
# DLL is installed to $(libdir)/../bin by postinstall_cmds
postinstall_cmds='base_file=`basename \${file}`~
@@ -2228,36 +2363,83 @@ cygwin* | mingw* | pw32* | cegcc*)
cygwin*)
# Cygwin DLLs use 'cyg' prefix rather than 'lib'
soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+m4_if([$1], [],[
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"])
;;
mingw* | cegcc*)
# MinGW DLLs use traditional 'lib' prefix
soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
;;
pw32*)
# pw32 DLLs use 'pw' prefix rather than 'lib'
library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
;;
esac
+ dynamic_linker='Win32 ld.exe'
+ ;;
+
+ *,cl*)
+ # Native MSVC
+ libname_spec='$name'
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ library_names_spec='${libname}.dll.lib'
+
+ case $build_os in
+ mingw*)
+ sys_lib_search_path_spec=
+ lt_save_ifs=$IFS
+ IFS=';'
+ for lt_path in $LIB
+ do
+ IFS=$lt_save_ifs
+ # Let DOS variable expansion print the short 8.3 style file name.
+ lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+ sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+ done
+ IFS=$lt_save_ifs
+ # Convert to MSYS style.
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
+ ;;
+ cygwin*)
+ # Convert to unix form, then to dos form, then back to unix form
+ # but this time dos style (no spaces!) so that the unix form looks
+ # like /cygdrive/c/PROGRA~1:/cygdr...
+ sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+ sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+ sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ ;;
+ *)
+ sys_lib_search_path_spec="$LIB"
+ if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
+ # It is most probably a Windows format PATH.
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ # FIXME: find the short name or the path components, as spaces are
+ # common. (e.g. "Program Files" -> "PROGRA~1")
+ ;;
+ esac
+
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $RM \$dlpath'
+ shlibpath_overrides_runpath=yes
+ dynamic_linker='Win32 link.exe'
;;
*)
+ # Assume MSVC wrapper
library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ dynamic_linker='Win32 ld.exe'
;;
esac
- dynamic_linker='Win32 ld.exe'
# FIXME: first we should search . and the directory the executable is in
shlibpath_var=PATH
;;
@@ -2278,7 +2460,7 @@ m4_if([$1], [],[
;;
dgux*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -2286,10 +2468,6 @@ dgux*)
shlibpath_var=LD_LIBRARY_PATH
;;
-freebsd1*)
- dynamic_linker=no
- ;;
-
freebsd* | dragonfly*)
# DragonFly does not have aout. When/if they implement a new
# versioning mechanism, adjust this.
@@ -2297,7 +2475,7 @@ freebsd* | dragonfly*)
objformat=`/usr/bin/objformat`
else
case $host_os in
- freebsd[[123]]*) objformat=aout ;;
+ freebsd[[23]].*) objformat=aout ;;
*) objformat=elf ;;
esac
fi
@@ -2315,7 +2493,7 @@ freebsd* | dragonfly*)
esac
shlibpath_var=LD_LIBRARY_PATH
case $host_os in
- freebsd2*)
+ freebsd2.*)
shlibpath_overrides_runpath=yes
;;
freebsd3.[[01]]* | freebsdelf3.[[01]]*)
@@ -2335,12 +2513,26 @@ freebsd* | dragonfly*)
;;
gnu*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+haiku*)
+ version_type=linux # correct to gnu/linux during the next big refactor
+ need_lib_prefix=no
+ need_version=no
+ dynamic_linker="$host_os runtime_loader"
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
hardcode_into_libs=yes
;;
@@ -2386,12 +2578,14 @@ hpux9* | hpux10* | hpux11*)
soname_spec='${libname}${release}${shared_ext}$major'
;;
esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
postinstall_cmds='chmod 555 $lib'
+ # or fails outright, so override atomically:
+ install_override_mode=555
;;
interix[[3-9]]*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -2407,7 +2601,7 @@ irix5* | irix6* | nonstopux*)
nonstopux*) version_type=nonstopux ;;
*)
if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
else
version_type=irix
fi ;;
@@ -2444,9 +2638,9 @@ linux*oldld* | linux*aout* | linux*coff*)
dynamic_linker=no
;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
linux* | k*bsd*-gnu | kopensolaris*-gnu)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2454,16 +2648,21 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
+
# Some binutils ld are patched to set DT_RUNPATH
- save_LDFLAGS=$LDFLAGS
- save_libdir=$libdir
- eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
- LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
- AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
- [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
- [shlibpath_overrides_runpath=yes])])
- LDFLAGS=$save_LDFLAGS
- libdir=$save_libdir
+ AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath],
+ [lt_cv_shlibpath_overrides_runpath=no
+ save_LDFLAGS=$LDFLAGS
+ save_libdir=$libdir
+ eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
+ LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+ [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
+ [lt_cv_shlibpath_overrides_runpath=yes])])
+ LDFLAGS=$save_LDFLAGS
+ libdir=$save_libdir
+ ])
+ shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
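Review bot: The new cache variable `lt_cv_shlibpath_overrides_runpath` carries no tag, yet the link test inside it is built from `_LT_TAGVAR(lt_prog_compiler_wl, $1)` and `_LT_TAGVAR(hardcode_libdir_flag_spec, $1)`. If this macro is expanded once per language tag (the `$1` arguments suggest so, but the macro header is outside the hunk), the first tag's result is reused for every later tag and for any run that reads `config.cache`. The removed code ran the link test each time. A comment stating the assumption would help, e.g. `# RUNPATH handling is assumed to be a property of ld, so one cached result serves all tags`.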
@@ -2472,7 +2671,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
fi
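Review bot: The `include` argument read from `/etc/ld.so.conf` is still interpolated into the string handed to awk's `system()` on the changed line, so the shell interprets whatever that field contains. The added `s/"//g` only strips quotes from the resulting path list. The unquoted `%s` looks intentional, since include lines commonly carry globs, but it means configure trusts the content of that file. A comment above the line would record this, e.g. `# The include argument is passed to sh unquoted so globs expand; /etc/ld.so.conf is assumed to be writable only by root`.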
@@ -2516,7 +2715,7 @@ netbsd*)
;;
newsos6)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@@ -2585,7 +2784,7 @@ rdos*)
;;
solaris*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2610,7 +2809,7 @@ sunos4*)
;;
sysv4 | sysv4.3*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
@@ -2634,7 +2833,7 @@ sysv4 | sysv4.3*)
sysv4*MP*)
if test -d /usr/nec ;then
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
soname_spec='$libname${shared_ext}.$major'
shlibpath_var=LD_LIBRARY_PATH
@@ -2665,7 +2864,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
tpf*)
# TPF is a cross-target only. Preferred cross-host = GNU/Linux.
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2675,7 +2874,7 @@ tpf*)
;;
uts4*)
- version_type=linux
+ version_type=linux # correct to gnu/linux during the next big refactor
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
@@ -2717,6 +2916,8 @@ _LT_DECL([], [library_names_spec], [1],
The last name is the one that the linker finds with -lNAME]])
_LT_DECL([], [soname_spec], [1],
[[The coded name of the library, if different from the real name]])
+_LT_DECL([], [install_override_mode], [1],
+ [Permission mode override for installation of shared libraries])
_LT_DECL([], [postinstall_cmds], [2],
[Command to use after installation of a shared archive])
_LT_DECL([], [postuninstall_cmds], [2],
@@ -2829,6 +3030,7 @@ AC_REQUIRE([AC_CANONICAL_HOST])dnl
AC_REQUIRE([AC_CANONICAL_BUILD])dnl
m4_require([_LT_DECL_SED])dnl
m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PROG_ECHO_BACKSLASH])dnl
AC_ARG_WITH([gnu-ld],
[AS_HELP_STRING([--with-gnu-ld],
@@ -2950,6 +3152,11 @@ case $reload_flag in
esac
reload_cmds='$LD$reload_flag -o $output$reload_objs'
case $host_os in
+ cygwin* | mingw* | pw32* | cegcc*)
+ if test "$GCC" != yes; then
+ reload_cmds=false
+ fi
+ ;;
darwin*)
if test "$GCC" = yes; then
reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
@@ -2958,8 +3165,8 @@ case $host_os in
fi
;;
esac
-_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl
-_LT_DECL([], [reload_cmds], [2])dnl
+_LT_TAGDECL([], [reload_flag], [1], [How to create reloadable object files])dnl
+_LT_TAGDECL([], [reload_cmds], [2])dnl
])# _LT_CMD_RELOAD
@@ -3011,16 +3218,18 @@ mingw* | pw32*)
# Base MSYS/MinGW do not provide the 'file' command needed by
# func_win32_libid shell function, so use a weaker test based on 'objdump',
# unless we find 'file', for example because we are cross-compiling.
- if ( file / ) >/dev/null 2>&1; then
+ # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
+ if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
lt_cv_file_magic_cmd='func_win32_libid'
else
- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ # Keep this pattern in sync with the one in func_win32_libid.
+ lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
lt_cv_file_magic_cmd='$OBJDUMP -f'
fi
;;
-cegcc)
+cegcc*)
# use the weaker test based on 'objdump'. See mingw*.
lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
lt_cv_file_magic_cmd='$OBJDUMP -f'
@@ -3050,6 +3259,10 @@ gnu*)
lt_cv_deplibs_check_method=pass_all
;;
+haiku*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
hpux10.20* | hpux11*)
lt_cv_file_magic_cmd=/usr/bin/file
case $host_cpu in
@@ -3058,11 +3271,11 @@ hpux10.20* | hpux11*)
lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
;;
hppa*64*)
- [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+ [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]']
lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
;;
*)
- lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library'
lt_cv_file_magic_test_file=/usr/lib/libc.sl
;;
esac
@@ -3083,7 +3296,7 @@ irix5* | irix6* | nonstopux*)
lt_cv_deplibs_check_method=pass_all
;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
linux* | k*bsd*-gnu | kopensolaris*-gnu)
lt_cv_deplibs_check_method=pass_all
;;
@@ -3162,6 +3375,21 @@ tpf*)
;;
esac
])
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+ case $host_os in
+ mingw* | pw32*)
+ if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+ want_nocaseglob=yes
+ else
+ file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"`
+ fi
+ ;;
+ esac
+fi
+
file_magic_cmd=$lt_cv_file_magic_cmd
deplibs_check_method=$lt_cv_deplibs_check_method
test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -3169,7 +3397,11 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
_LT_DECL([], [deplibs_check_method], [1],
[Method to check whether dependent libraries are shared objects])
_LT_DECL([], [file_magic_cmd], [1],
- [Command to use when deplibs_check_method == "file_magic"])
+ [Command to use when deplibs_check_method = "file_magic"])
+_LT_DECL([], [file_magic_glob], [1],
+ [How to find potential files when deplibs_check_method = "file_magic"])
+_LT_DECL([], [want_nocaseglob], [1],
+ [Find potential files using nocaseglob when deplibs_check_method = "file_magic"])
])# _LT_CHECK_MAGIC_METHOD
@@ -3226,7 +3458,19 @@ if test "$lt_cv_path_NM" != "no"; then
NM="$lt_cv_path_NM"
else
# Didn't find any BSD compatible name lister, look for dumpbin.
- AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :)
+ if test -n "$DUMPBIN"; then :
+ # Let the user override the test.
+ else
+ AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :)
+ case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
+ *COFF*)
+ DUMPBIN="$DUMPBIN -symbols"
+ ;;
+ *)
+ DUMPBIN=:
+ ;;
+ esac
+ fi
AC_SUBST([DUMPBIN])
if test "$DUMPBIN" != ":"; then
NM="$DUMPBIN"
@@ -3239,13 +3483,13 @@ _LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
[lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&AS_MESSAGE_LOG_FD
- (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
+ (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&AS_MESSAGE_LOG_FD
- (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD)
+ (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD)
cat conftest.out >&AS_MESSAGE_LOG_FD
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
@@ -3260,6 +3504,67 @@ dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AM_PROG_NM], [])
dnl AC_DEFUN([AC_PROG_NM], [])
+# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+# --------------------------------
+# how to determine the name of the shared library
+# associated with a specific link library.
+# -- PORTME fill in with the dynamic library characteristics
+m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB],
+[m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
+m4_require([_LT_DECL_DLLTOOL])
+AC_CACHE_CHECK([how to associate runtime and link libraries],
+lt_cv_sharedlib_from_linklib_cmd,
+[lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+ # two different shell functions defined in ltmain.sh
+ # decide which to use based on capabilities of $DLLTOOL
+ case `$DLLTOOL --help 2>&1` in
+ *--identify-strict*)
+ lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+ ;;
+ *)
+ lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+ ;;
+ esac
+ ;;
+*)
+ # fallback: assume linklib IS sharedlib
+ lt_cv_sharedlib_from_linklib_cmd="$ECHO"
+ ;;
+esac
+])
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+_LT_DECL([], [sharedlib_from_linklib_cmd], [1],
+ [Command to associate shared and link libraries])
+])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+
+
+# _LT_PATH_MANIFEST_TOOL
+# ----------------------
+# locate the manifest tool
+m4_defun([_LT_PATH_MANIFEST_TOOL],
+[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :)
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool],
+ [lt_cv_path_mainfest_tool=no
+ echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD
+ $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+ lt_cv_path_mainfest_tool=yes
+ fi
+ rm -f conftest*])
+if test "x$lt_cv_path_mainfest_tool" != xyes; then
+ MANIFEST_TOOL=:
+fi
+_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl
+])# _LT_PATH_MANIFEST_TOOL
+
# LT_LIB_M
# --------
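Review bot: The cache variable in the new `_LT_PATH_MANIFEST_TOOL` macro is spelled `lt_cv_path_mainfest_tool` in the `AC_CACHE_CHECK` call, in both assignments and in the final `test`. The spelling is consistent, so the check works. However, a value preset under the expected name `lt_cv_path_manifest_tool` in a cache or site file would be ignored without any message. Renaming all four occurrences to `lt_cv_path_manifest_tool` fixes that.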
@@ -3268,7 +3573,7 @@ AC_DEFUN([LT_LIB_M],
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
LIBM=
case $host in
-*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*)
# These system don't have libm, or don't need it
;;
*-ncr-sysv4.3*)
@@ -3296,7 +3601,12 @@ m4_defun([_LT_COMPILER_NO_RTTI],
_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
if test "$GCC" = yes; then
- _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+ case $cc_basename in
+ nvcc*)
+ _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;;
+ *)
+ _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;;
+ esac
_LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
lt_cv_prog_compiler_rtti_exceptions,
@@ -3313,6 +3623,7 @@ _LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_AWK])dnl
AC_REQUIRE([LT_PATH_NM])dnl
AC_REQUIRE([LT_PATH_LD])dnl
m4_require([_LT_DECL_SED])dnl
@@ -3380,8 +3691,8 @@ esac
lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"lib\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"lib\2\", (void *) \&\2},/p'"
# Handle CRLF in mingw tool chain
opt_cr=
@@ -3405,6 +3716,7 @@ for ac_symprfx in "" "_"; do
# which start with @ or ?.
lt_cv_sys_global_symbol_pipe="$AWK ['"\
" {last_section=section; section=\$ 3};"\
+" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
" \$ 0!~/External *\|/{next};"\
" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -3417,6 +3729,7 @@ for ac_symprfx in "" "_"; do
else
lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
fi
+ lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
# Check to see that the pipe works correctly.
pipe_works=no
@@ -3438,7 +3751,7 @@ _LT_EOF
if AC_TRY_EVAL(ac_compile); then
# Now try to grab the symbols.
nlist=conftest.nm
- if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+ if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
# Try sorting and uniquifying the output.
if sort "$nlist" | uniq > "$nlist"T; then
mv -f "$nlist"T "$nlist"
@@ -3450,6 +3763,18 @@ _LT_EOF
if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+ relocations are performed -- see ld's documentation on pseudo-relocs. */
+# define LT@&t@_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data. */
+# define LT@&t@_DLSYM_CONST
+#else
+# define LT@&t@_DLSYM_CONST const
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -3461,7 +3786,7 @@ _LT_EOF
cat <<_LT_EOF >> conftest.$ac_ext
/* The mapping between symbol names and symbols. */
-const struct {
+LT@&t@_DLSYM_CONST struct {
const char *name;
void *address;
}
@@ -3487,15 +3812,15 @@ static const void *lt_preloaded_setup() {
_LT_EOF
# Now try linking the two files.
mv conftest.$ac_objext conftstm.$ac_objext
- lt_save_LIBS="$LIBS"
- lt_save_CFLAGS="$CFLAGS"
+ lt_globsym_save_LIBS=$LIBS
+ lt_globsym_save_CFLAGS=$CFLAGS
LIBS="conftstm.$ac_objext"
CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
pipe_works=yes
fi
- LIBS="$lt_save_LIBS"
- CFLAGS="$lt_save_CFLAGS"
+ LIBS=$lt_globsym_save_LIBS
+ CFLAGS=$lt_globsym_save_CFLAGS
else
echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
fi
@@ -3528,6 +3853,13 @@ else
AC_MSG_RESULT(ok)
fi
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+ nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then
+ nm_file_list_spec='@'
+fi
+
_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
[Take the output of nm and produce a listing of raw symbols and C names])
_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
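Review bot: `nm_file_list_spec` is assigned only when one of the two tests in the added "Response file support" block succeeds, and no default is visible in the hunk. When neither matches, the variable keeps whatever value configure inherited from its environment, and the `_LT_DECL([], [nm_file_list_spec], ...)` added in the following hunk declares it for the generated libtool. Adding `nm_file_list_spec=` before the `if` makes the no-support case explicit.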
@@ -3538,6 +3870,8 @@ _LT_DECL([global_symbol_to_c_name_address],
_LT_DECL([global_symbol_to_c_name_address_lib_prefix],
[lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
[Transform the output of nm in a C name address pair when lib prefix is needed])
+_LT_DECL([], [nm_file_list_spec], [1],
+ [Specify filename containing input files for $NM])
]) # _LT_CMD_GLOBAL_SYMBOLS
@@ -3549,7 +3883,6 @@ _LT_TAGVAR(lt_prog_compiler_wl, $1)=
_LT_TAGVAR(lt_prog_compiler_pic, $1)=
_LT_TAGVAR(lt_prog_compiler_static, $1)=
-AC_MSG_CHECKING([for $compiler option to produce PIC])
m4_if([$1], [CXX], [
# C++ specific cases for pic, static, wl, etc.
if test "$GXX" = yes; then
@@ -3600,6 +3933,11 @@ m4_if([$1], [CXX], [
# DJGPP does not support shared libraries at all
_LT_TAGVAR(lt_prog_compiler_pic, $1)=
;;
+ haiku*)
+ # PIC is the default for Haiku.
+ # The "-static" flag exists, but is broken.
+ _LT_TAGVAR(lt_prog_compiler_static, $1)=
+ ;;
interix[[3-9]]*)
# Interix 3.x gcc -fpic/-fPIC options generate broken code.
# Instead, we relocate shared libraries at runtime.
@@ -3649,6 +3987,12 @@ m4_if([$1], [CXX], [
;;
esac
;;
+ mingw* | cygwin* | os2* | pw32* | cegcc*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ m4_if([$1], [GCJ], [],
+ [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+ ;;
dgux*)
case $cc_basename in
ec++*)
@@ -3738,8 +4082,8 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_pic, $1)=
_LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
;;
- xlc* | xlC*)
- # IBM XL 8.0 on PPC
+ xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*)
+ # IBM XL 8.0, 9.0 on PPC and BlueGene
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
@@ -3801,7 +4145,7 @@ m4_if([$1], [CXX], [
;;
solaris*)
case $cc_basename in
- CC*)
+ CC* | sunCC*)
# Sun C++ 4.2, 5.x and Centerline C++
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -3905,6 +4249,12 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
;;
+ haiku*)
+ # PIC is the default for Haiku.
+ # The "-static" flag exists, but is broken.
+ _LT_TAGVAR(lt_prog_compiler_static, $1)=
+ ;;
+
hpux*)
# PIC is the default for 64-bit PA HP-UX, but not for 32-bit
# PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag
@@ -3947,6 +4297,15 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
;;
esac
+
+ case $cc_basename in
+ nvcc*) # Cuda Compiler Driver 2.2
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
+ if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
+ fi
+ ;;
+ esac
else
# PORTME Check for flag to pass linker flags through the system compiler.
case $host_os in
@@ -4010,7 +4369,13 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
;;
- pgcc* | pgf77* | pgf90* | pgf95*)
+ nagfor*)
+ # NAG Fortran compiler
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,'
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
# Portland Group compilers (*not* the Pentium gcc compiler,
# which looks to be a dead project)
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -4022,25 +4387,40 @@ m4_if([$1], [CXX], [
# All Alpha code is PIC.
_LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
;;
- xl*)
- # IBM XL C 8.0/Fortran 10.1 on PPC
+ xl* | bgxl* | bgf* | mpixl*)
+ # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
;;
*)
case `$CC -V 2>&1 | sed 5q` in
+ *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
+ # Sun Fortran 8.3 passes all unrecognized flags to the linker
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
+ ;;
+ *Sun\ F* | *Sun*Fortran*)
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ ;;
*Sun\ C*)
# Sun C 5.9
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
;;
- *Sun\ F*)
- # Sun Fortran 8.3 passes all unrecognized flags to the linker
- _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ *Intel*\ [[CF]]*Compiler*)
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ *Portland\ Group*)
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
;;
esac
;;
@@ -4072,7 +4452,7 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
case $cc_basename in
- f77* | f90* | f95*)
+ f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
*)
_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
@@ -4129,9 +4509,11 @@ case $host_os in
_LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
;;
esac
-AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
-_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
- [How to pass a linker flag through the compiler])
+
+AC_CACHE_CHECK([for $compiler option to produce PIC],
+ [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)],
+ [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)
#
# Check to make sure the PIC flag actually works.
@@ -4150,6 +4532,8 @@ fi
_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
[Additional compiler flags for building library objects])
+_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
+ [How to pass a linker flag through the compiler])
#
# Check to make sure the static flag actually works.
#
@@ -4170,6 +4554,7 @@ _LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
m4_defun([_LT_LINKER_SHLIBS],
[AC_REQUIRE([LT_PATH_LD])dnl
AC_REQUIRE([LT_PATH_NM])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
m4_require([_LT_FILEUTILS_DEFAULTS])dnl
m4_require([_LT_DECL_EGREP])dnl
m4_require([_LT_DECL_SED])dnl
@@ -4178,30 +4563,40 @@ m4_require([_LT_TAG_COMPILER])dnl
AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
m4_if([$1], [CXX], [
_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
case $host_os in
aix[[4-9]]*)
# If we're using GNU nm, then we don't want the "-C" option.
# -C means demangle to AIX nm, but means don't demangle with GNU nm
+ # Also, AIX nm treats weak defined symbols like other global defined
+ # symbols, whereas GNU nm marks them as "W".
if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
- _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+ _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
else
_LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
fi
;;
pw32*)
_LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
- ;;
+ ;;
cygwin* | mingw* | cegcc*)
- _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
- ;;
- linux* | k*bsd*-gnu)
+ case $cc_basename in
+ cl*)
+ _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+ ;;
+ *)
+ _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+ _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
+ ;;
+ esac
+ ;;
+ linux* | k*bsd*-gnu | gnu*)
_LT_TAGVAR(link_all_deplibs, $1)=no
- ;;
+ ;;
*)
_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- ;;
+ ;;
esac
- _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
], [
runpath_var=
_LT_TAGVAR(allow_undefined_flag, $1)=
@@ -4216,7 +4611,6 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(hardcode_direct, $1)=no
_LT_TAGVAR(hardcode_direct_absolute, $1)=no
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
- _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
_LT_TAGVAR(hardcode_libdir_separator, $1)=
_LT_TAGVAR(hardcode_minus_L, $1)=no
_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -4261,13 +4655,39 @@ dnl Note also adjust exclude_expsyms for C++ above.
openbsd*)
with_gnu_ld=no
;;
- linux* | k*bsd*-gnu)
+ linux* | k*bsd*-gnu | gnu*)
_LT_TAGVAR(link_all_deplibs, $1)=no
;;
esac
_LT_TAGVAR(ld_shlibs, $1)=yes
+
+ # On some targets, GNU ld is compatible enough with the native linker
+ # that we're better off using the native interface for both.
+ lt_use_gnu_ld_interface=no
if test "$with_gnu_ld" = yes; then
+ case $host_os in
+ aix*)
+ # The AIX port of GNU ld has always aspired to compatibility
+ # with the native linker. However, as the warning in the GNU ld
+ # block says, versions before 2.19.5* couldn't really create working
+ # shared libraries, regardless of the interface used.
+ case `$LD -v 2>&1` in
+ *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+ *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
+ *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
+ *)
+ lt_use_gnu_ld_interface=yes
+ ;;
+ esac
+ ;;
+ *)
+ lt_use_gnu_ld_interface=yes
+ ;;
+ esac
+ fi
+
+ if test "$lt_use_gnu_ld_interface" = yes; then
# If archive_cmds runs LD, not CC, wlarc should be empty
wlarc='${wl}'
@@ -4301,11 +4721,12 @@ dnl Note also adjust exclude_expsyms for C++ above.
_LT_TAGVAR(ld_shlibs, $1)=no
cat <<_LT_EOF 1>&2
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** Warning: the GNU linker, at least up to release 2.19, is reported
*** to be unable to reliably create shared libraries on AIX.
*** Therefore, libtool is disabling shared libraries support. If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
_LT_EOF
fi
@@ -4341,10 +4762,12 @@ _LT_EOF
# _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
# as there is no search path for DLLs.
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
_LT_TAGVAR(always_export_symbols, $1)=no
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
- _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+ _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+ _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -4362,6 +4785,11 @@ _LT_EOF
fi
;;
+ haiku*)
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
interix[[3-9]]*)
_LT_TAGVAR(hardcode_direct, $1)=no
_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -4387,15 +4815,16 @@ _LT_EOF
if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
&& test "$tmp_diet" = no
then
- tmp_addflag=
+ tmp_addflag=' $pic_flag'
tmp_sharedflag='-shared'
case $cc_basename,$host_cpu in
pgcc*) # Portland Group C compiler
- _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
tmp_addflag=' $pic_flag'
;;
- pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers
- _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ pgf77* | pgf90* | pgf95* | pgfortran*)
+ # Portland Group f77 and f90 compilers
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
tmp_addflag=' $pic_flag -Mnomain' ;;
ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64
tmp_addflag=' -i_dynamic' ;;
@@ -4406,13 +4835,17 @@ _LT_EOF
lf95*) # Lahey Fortran 8.1
_LT_TAGVAR(whole_archive_flag_spec, $1)=
tmp_sharedflag='--shared' ;;
- xl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below)
+ xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below)
tmp_sharedflag='-qmkshrobj'
tmp_addflag= ;;
+ nvcc*) # Cuda Compiler Driver 2.2
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
+ _LT_TAGVAR(compiler_needs_object, $1)=yes
+ ;;
esac
case `$CC -V 2>&1 | sed 5q` in
*Sun\ C*) # Sun C 5.9
- _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
_LT_TAGVAR(compiler_needs_object, $1)=yes
tmp_sharedflag='-G' ;;
*Sun\ F*) # Sun Fortran 8.3
@@ -4428,17 +4861,16 @@ _LT_EOF
fi
case $cc_basename in
- xlf*)
+ xlf* | bgf* | bgxlf* | mpixlf*)
# IBM XL Fortran 10.1 on PPC cannot create shared libs itself
_LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
- _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
- _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
if test "x$supports_anon_versioning" = xyes; then
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
echo "local: *; };" >> $output_objdir/$libname.ver~
- $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+ $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
fi
;;
esac
@@ -4452,8 +4884,8 @@ _LT_EOF
_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
wlarc=
else
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
fi
;;
@@ -4471,8 +4903,8 @@ _LT_EOF
_LT_EOF
elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
else
_LT_TAGVAR(ld_shlibs, $1)=no
fi
@@ -4518,8 +4950,8 @@ _LT_EOF
*)
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
else
_LT_TAGVAR(ld_shlibs, $1)=no
fi
@@ -4559,8 +4991,10 @@ _LT_EOF
else
# If we're using GNU nm, then we don't want the "-C" option.
# -C means demangle to AIX nm, but means don't demangle with GNU nm
+ # Also, AIX nm treats weak defined symbols like other global
+ # defined symbols, whereas GNU nm marks them as "W".
if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
- _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+ _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
else
_LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
fi
@@ -4648,9 +5082,9 @@ _LT_EOF
_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
# Determine the default libpath from the value encoded in an
# empty executable.
- _LT_SYS_MODULE_PATH_AIX
+ _LT_SYS_MODULE_PATH_AIX([$1])
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
else
if test "$host_cpu" = ia64; then
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
@@ -4659,14 +5093,19 @@ _LT_EOF
else
# Determine the default libpath from the value encoded in an
# empty executable.
- _LT_SYS_MODULE_PATH_AIX
+ _LT_SYS_MODULE_PATH_AIX([$1])
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
# Warning - without using the other run time loading flags,
# -berok will link without error, but may produce a broken library.
_LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
- # Exported symbols can be pulled into shared objects from archives
- _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+ if test "$with_gnu_ld" = yes; then
+ # We only use this code for GNU lds that support --whole-archive.
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ else
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+ fi
_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
# This is similar to how AIX traditionally builds its shared libraries.
_LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
@@ -4698,20 +5137,64 @@ _LT_EOF
# Microsoft Visual C++.
# hardcode_libdir_flag_spec is actually meaningless, as there is
# no search path for DLLs.
- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
- _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
- # Tell ltmain to make .lib files, not .a files.
- libext=lib
- # Tell ltmain to make .dll files, not .so files.
- shrext_cmds=".dll"
- # FIXME: Setting linknames here is a bad hack.
- _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
- # The linker will automatically build a .lib file if we build a DLL.
- _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
- # FIXME: Should let the user specify the lib program.
- _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
- _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
- _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ case $cc_basename in
+ cl*)
+ # Native MSVC
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_TAGVAR(always_export_symbols, $1)=yes
+ _LT_TAGVAR(file_list_spec, $1)='@'
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+ _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+ else
+ sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+ fi~
+ $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+ linknames='
+ # The linker will not automatically build a static lib if we build a DLL.
+ # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+ _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+ _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+ # Don't use ranlib
+ _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+ _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+ lt_tool_outputfile="@TOOL_OUTPUT@"~
+ case $lt_outputfile in
+ *.exe|*.EXE) ;;
+ *)
+ lt_outputfile="$lt_outputfile.exe"
+ lt_tool_outputfile="$lt_tool_outputfile.exe"
+ ;;
+ esac~
+ if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+ $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+ $RM "$lt_outputfile.manifest";
+ fi'
+ ;;
+ *)
+ # Assume MSVC wrapper
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+ # FIXME: Should let the user specify the lib program.
+ _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+ _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ ;;
+ esac
;;
darwin* | rhapsody*)
@@ -4724,10 +5207,6 @@ _LT_EOF
_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
;;
- freebsd1*)
- _LT_TAGVAR(ld_shlibs, $1)=no
- ;;
-
# FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
# support. Future versions do this automatically, but an explicit c++rt0.o
# does not break anything, and helps significantly (at the cost of a little
@@ -4740,7 +5219,7 @@ _LT_EOF
;;
# Unfortunately, older versions of FreeBSD 2 do not have this feature.
- freebsd2*)
+ freebsd2.*)
_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
_LT_TAGVAR(hardcode_direct, $1)=yes
_LT_TAGVAR(hardcode_minus_L, $1)=yes
@@ -4749,7 +5228,7 @@ _LT_EOF
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
_LT_TAGVAR(hardcode_direct, $1)=yes
_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -4757,7 +5236,7 @@ _LT_EOF
hpux9*)
if test "$GCC" = yes; then
- _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
else
_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
fi
@@ -4772,14 +5251,13 @@ _LT_EOF
;;
hpux10*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ if test "$GCC" = yes && test "$with_gnu_ld" = no; then
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
else
_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
fi
if test "$with_gnu_ld" = no; then
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
_LT_TAGVAR(hardcode_libdir_separator, $1)=:
_LT_TAGVAR(hardcode_direct, $1)=yes
_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
@@ -4791,16 +5269,16 @@ _LT_EOF
;;
hpux11*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ if test "$GCC" = yes && test "$with_gnu_ld" = no; then
case $host_cpu in
hppa*64*)
_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
;;
ia64*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
;;
*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
;;
esac
else
@@ -4812,7 +5290,14 @@ _LT_EOF
_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
;;
*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ m4_if($1, [], [
+ # Older versions of the 11.00 compiler do not understand -b yet
+ # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+ _LT_LINKER_OPTION([if $CC understands -b],
+ _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b],
+ [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'],
+ [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])],
+ [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'])
;;
esac
fi
@@ -4840,19 +5325,34 @@ _LT_EOF
irix5* | irix6* | nonstopux*)
if test "$GCC" = yes; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
# Try to use the -exported_symbol ld option, if it does not
# work, assume that -exports_file does not work either and
# implicitly export all symbols.
- save_LDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
- AC_LINK_IFELSE(int foo(void) {},
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
- )
- LDFLAGS="$save_LDFLAGS"
+ # This should be the same for all languages, so no per-tag cache variable.
+ AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol],
+ [lt_cv_irix_exported_symbol],
+ [save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+ AC_LINK_IFELSE(
+ [AC_LANG_SOURCE(
+ [AC_LANG_CASE([C], [[int foo (void) { return 0; }]],
+ [C++], [[int foo (void) { return 0; }]],
+ [Fortran 77], [[
+ subroutine foo
+ end]],
+ [Fortran], [[
+ subroutine foo
+ end]])])],
+ [lt_cv_irix_exported_symbol=yes],
+ [lt_cv_irix_exported_symbol=no])
+ LDFLAGS="$save_LDFLAGS"])
+ if test "$lt_cv_irix_exported_symbol" = yes; then
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+ fi
else
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
fi
_LT_TAGVAR(archive_cmds_need_lc, $1)='no'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
@@ -4914,17 +5414,17 @@ _LT_EOF
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
_LT_TAGVAR(hardcode_minus_L, $1)=yes
_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
- _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
_LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
;;
osf3*)
if test "$GCC" = yes; then
_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
else
_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
fi
_LT_TAGVAR(archive_cmds_need_lc, $1)='no'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
@@ -4934,13 +5434,13 @@ _LT_EOF
osf4* | osf5*) # as osf3* with the addition of -msym flag
if test "$GCC" = yes; then
_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
else
_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
- $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+ $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
# Both c and cxx compiler support -rpath directly
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -4953,9 +5453,9 @@ _LT_EOF
_LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
if test "$GCC" = yes; then
wlarc='${wl}'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
- $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+ $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
else
case `$CC -V 2>&1` in
*"Compilers 5.0"*)
@@ -5131,36 +5631,38 @@ x|xyes)
# Test whether the compiler implicitly links with -lc since on some
# systems, -lgcc has to come before -lc. If gcc already passes -lc
# to ld, don't add -lc before -lgcc.
- AC_MSG_CHECKING([whether -lc should be explicitly linked in])
- $RM conftest*
- echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
- pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
- _LT_TAGVAR(allow_undefined_flag, $1)=
- if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
- then
- _LT_TAGVAR(archive_cmds_need_lc, $1)=no
- else
- _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
- fi
- _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $RM conftest*
- AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)])
+ AC_CACHE_CHECK([whether -lc should be explicitly linked in],
+ [lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1),
+ [$RM conftest*
+ echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
+ pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
+ _LT_TAGVAR(allow_undefined_flag, $1)=
+ if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
+ then
+ lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+ else
+ lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+ fi
+ _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $RM conftest*
+ ])
+ _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)
;;
esac
fi
@@ -5197,9 +5699,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1],
_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
[Flag to hardcode $libdir into a binary during linking.
This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
- [[If ld is used when linking, flag to hardcode $libdir into a binary
- during linking. This must work even if $libdir does not exist]])
_LT_TAGDECL([], [hardcode_libdir_separator], [1],
[Whether we need a single "-rpath" flag with a separated argument])
_LT_TAGDECL([], [hardcode_direct], [0],
@@ -5225,8 +5724,6 @@ _LT_TAGDECL([], [inherit_rpath], [0],
to runtime path list])
_LT_TAGDECL([], [link_all_deplibs], [0],
[Whether libtool must link a program against all its dependency libraries])
-_LT_TAGDECL([], [fix_srcfile_path], [1],
- [Fix the shell variable $srcfile for the compiler])
_LT_TAGDECL([], [always_export_symbols], [0],
[Set to "yes" if exported symbols are required])
_LT_TAGDECL([], [export_symbols_cmds], [2],
@@ -5237,6 +5734,8 @@ _LT_TAGDECL([], [include_expsyms], [1],
[Symbols that must always be exported])
_LT_TAGDECL([], [prelink_cmds], [2],
[Commands necessary for linking programs (against libraries) with templates])
+_LT_TAGDECL([], [postlink_cmds], [2],
+ [Commands necessary for finishing linking programs])
_LT_TAGDECL([], [file_list_spec], [1],
[Specify filename containing input files])
dnl FIXME: Not yet implemented
@@ -5330,37 +5829,22 @@ CC="$lt_save_CC"
])# _LT_LANG_C_CONFIG
-# _LT_PROG_CXX
-# ------------
-# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++
-# compiler, we have our own version here.
-m4_defun([_LT_PROG_CXX],
-[
-pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes])
-AC_PROG_CXX
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
- ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
- (test "X$CXX" != "Xg++"))) ; then
- AC_PROG_CXXCPP
-else
- _lt_caught_CXX_error=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_CXX
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_CXX], [])
-
-
# _LT_LANG_CXX_CONFIG([TAG])
# --------------------------
# Ensure that the configuration variables for a C++ compiler are suitably
# defined. These variables are subsequently used by _LT_CONFIG to write
# the compiler configuration to `libtool'.
m4_defun([_LT_LANG_CXX_CONFIG],
-[AC_REQUIRE([_LT_PROG_CXX])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+ ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+ (test "X$CXX" != "Xg++"))) ; then
+ AC_PROG_CXXCPP
+else
+ _lt_caught_CXX_error=yes
+fi
AC_LANG_PUSH(C++)
_LT_TAGVAR(archive_cmds_need_lc, $1)=no
@@ -5372,7 +5856,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
_LT_TAGVAR(hardcode_direct, $1)=no
_LT_TAGVAR(hardcode_direct_absolute, $1)=no
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
_LT_TAGVAR(hardcode_libdir_separator, $1)=
_LT_TAGVAR(hardcode_minus_L, $1)=no
_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -5382,6 +5865,8 @@ _LT_TAGVAR(module_cmds, $1)=
_LT_TAGVAR(module_expsym_cmds, $1)=
_LT_TAGVAR(link_all_deplibs, $1)=unknown
_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
_LT_TAGVAR(no_undefined_flag, $1)=
_LT_TAGVAR(whole_archive_flag_spec, $1)=
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -5413,6 +5898,7 @@ if test "$_lt_caught_CXX_error" != yes; then
# Allow CC to be a program name with arguments.
lt_save_CC=$CC
+ lt_save_CFLAGS=$CFLAGS
lt_save_LD=$LD
lt_save_GCC=$GCC
GCC=$GXX
@@ -5430,6 +5916,7 @@ if test "$_lt_caught_CXX_error" != yes; then
fi
test -z "${LDCXX+set}" || LD=$LDCXX
CC=${CXX-"c++"}
+ CFLAGS=$CXXFLAGS
compiler=$CC
_LT_TAGVAR(compiler, $1)=$CC
_LT_CC_BASENAME([$compiler])
@@ -5451,8 +5938,8 @@ if test "$_lt_caught_CXX_error" != yes; then
# Check if GNU C++ uses GNU ld as the underlying linker, since the
# archiving commands below assume that GNU ld is being used.
if test "$with_gnu_ld" = yes; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5484,7 +5971,7 @@ if test "$_lt_caught_CXX_error" != yes; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
else
GXX=no
@@ -5593,10 +6080,10 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
# Determine the default libpath from the value encoded in an empty
# executable.
- _LT_SYS_MODULE_PATH_AIX
+ _LT_SYS_MODULE_PATH_AIX([$1])
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
- _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
else
if test "$host_cpu" = ia64; then
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
@@ -5605,14 +6092,19 @@ if test "$_lt_caught_CXX_error" != yes; then
else
# Determine the default libpath from the value encoded in an
# empty executable.
- _LT_SYS_MODULE_PATH_AIX
+ _LT_SYS_MODULE_PATH_AIX([$1])
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
# Warning - without using the other run time loading flags,
# -berok will link without error, but may produce a broken library.
_LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
- # Exported symbols can be pulled into shared objects from archives
- _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+ if test "$with_gnu_ld" = yes; then
+ # We only use this code for GNU lds that support --whole-archive.
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ else
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+ fi
_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
# This is similar to how AIX traditionally builds its shared
# libraries.
@@ -5642,28 +6134,75 @@ if test "$_lt_caught_CXX_error" != yes; then
;;
cygwin* | mingw* | pw32* | cegcc*)
- # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
- # as there is no search path for DLLs.
- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
- _LT_TAGVAR(always_export_symbols, $1)=no
- _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
- if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
- else
- _LT_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
+ case $GXX,$cc_basename in
+ ,cl* | no,cl*)
+ # Native MSVC
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_TAGVAR(always_export_symbols, $1)=yes
+ _LT_TAGVAR(file_list_spec, $1)='@'
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+ _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ $SED -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+ else
+ $SED -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+ fi~
+ $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+ linknames='
+ # The linker will not automatically build a static lib if we build a DLL.
+ # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+ _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ # Don't use ranlib
+ _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+ _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+ lt_tool_outputfile="@TOOL_OUTPUT@"~
+ case $lt_outputfile in
+ *.exe|*.EXE) ;;
+ *)
+ lt_outputfile="$lt_outputfile.exe"
+ lt_tool_outputfile="$lt_tool_outputfile.exe"
+ ;;
+ esac~
+ func_to_tool_file "$lt_outputfile"~
+ if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+ $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+ $RM "$lt_outputfile.manifest";
+ fi'
+ ;;
+ *)
+ # g++
+ # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
+ _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_TAGVAR(always_export_symbols, $1)=no
+ _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+ if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ _LT_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
darwin* | rhapsody*)
_LT_DARWIN_LINKER_FEATURES($1)
;;
@@ -5686,7 +6225,7 @@ if test "$_lt_caught_CXX_error" != yes; then
esac
;;
- freebsd[[12]]*)
+ freebsd2.*)
# C++ shared libraries reported to be fairly broken before
# switch to ELF
_LT_TAGVAR(ld_shlibs, $1)=no
@@ -5705,6 +6244,11 @@ if test "$_lt_caught_CXX_error" != yes; then
gnu*)
;;
+ haiku*)
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
hpux9*)
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
_LT_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -5729,11 +6273,11 @@ if test "$_lt_caught_CXX_error" != yes; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test "$GXX" = yes; then
- _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
else
# FIXME: insert proper C++ library support
_LT_TAGVAR(ld_shlibs, $1)=no
@@ -5794,7 +6338,7 @@ if test "$_lt_caught_CXX_error" != yes; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test "$GXX" = yes; then
@@ -5804,10 +6348,10 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
;;
ia64*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
;;
*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
;;
esac
fi
@@ -5837,7 +6381,7 @@ if test "$_lt_caught_CXX_error" != yes; then
case $cc_basename in
CC*)
# SGI C++
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
# Archives containing C++ object files must be created using
# "CC -ar", where "CC" is the IRIX C++ compiler. This is
@@ -5848,9 +6392,9 @@ if test "$_lt_caught_CXX_error" != yes; then
*)
if test "$GXX" = yes; then
if test "$with_gnu_ld" = no; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
else
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` -o $lib'
fi
fi
_LT_TAGVAR(link_all_deplibs, $1)=yes
@@ -5879,7 +6423,7 @@ if test "$_lt_caught_CXX_error" != yes; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+ output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5916,26 +6460,26 @@ if test "$_lt_caught_CXX_error" != yes; then
pgCC* | pgcpp*)
# Portland Group C++ compiler
case `$CC -V` in
- *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*)
+ *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*)
_LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
rm -rf $tpldir~
$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
+ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
_LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
rm -rf $tpldir~
$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
+ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
$RANLIB $oldlib'
_LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
rm -rf $tpldir~
$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
rm -rf $tpldir~
$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
;;
- *) # Version 6 will use weak symbols
+ *) # Version 6 and above use weak symbols
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
;;
@@ -5943,7 +6487,7 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
- _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
;;
cxx*)
# Compaq C++
@@ -5962,9 +6506,9 @@ if test "$_lt_caught_CXX_error" != yes; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed'
;;
- xl*)
+ xl* | mpixl* | bgxl*)
# IBM XL 8.0 on PPC, with GNU ld
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5984,13 +6528,13 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
_LT_TAGVAR(compiler_needs_object, $1)=yes
# Not sure whether something based on
# $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
# would be better.
- output_verbose_link_cmd='echo'
+ output_verbose_link_cmd='func_echo_all'
# Archives containing C++ object files must be created using
# "CC -xar", where "CC" is the Sun C++ compiler. This is
@@ -6059,7 +6603,7 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
_LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
fi
- output_verbose_link_cmd=echo
+ output_verbose_link_cmd=func_echo_all
else
_LT_TAGVAR(ld_shlibs, $1)=no
fi
@@ -6094,15 +6638,15 @@ if test "$_lt_caught_CXX_error" != yes; then
case $host in
osf3*)
_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && func_echo_all "${wl}-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
;;
*)
_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
echo "-hidden">> $lib.exp~
- $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~
+ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~
$RM $lib.exp'
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
;;
@@ -6118,17 +6662,17 @@ if test "$_lt_caught_CXX_error" != yes; then
# explicitly linking system object files so we need to strip them
# from the output so that they don't get included in the library
# dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
;;
*)
if test "$GXX" = yes && test "$with_gnu_ld" = no; then
_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
case $host in
osf3*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
;;
*)
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
;;
esac
@@ -6138,7 +6682,7 @@ if test "$_lt_caught_CXX_error" != yes; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
else
# FIXME: insert proper C++ library support
@@ -6174,7 +6718,7 @@ if test "$_lt_caught_CXX_error" != yes; then
solaris*)
case $cc_basename in
- CC*)
+ CC* | sunCC*)
# Sun C++ 4.2, 5.x and Centerline C++
_LT_TAGVAR(archive_cmds_need_lc,$1)=yes
_LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
@@ -6195,7 +6739,7 @@ if test "$_lt_caught_CXX_error" != yes; then
esac
_LT_TAGVAR(link_all_deplibs, $1)=yes
- output_verbose_link_cmd='echo'
+ output_verbose_link_cmd='func_echo_all'
# Archives containing C++ object files must be created using
# "CC -xar", where "CC" is the Sun C++ compiler. This is
@@ -6215,14 +6759,14 @@ if test "$_lt_caught_CXX_error" != yes; then
if test "$GXX" = yes && test "$with_gnu_ld" = no; then
_LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
if $CC --version | $GREP -v '^2\.7' > /dev/null; then
- _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
- $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+ $CC -shared $pic_flag -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
else
# g++ 2.7 appears to require `-G' NOT `-shared' on this
# platform.
@@ -6233,7 +6777,7 @@ if test "$_lt_caught_CXX_error" != yes; then
# Commands to make compiler produce verbose output that lists
# what "hidden" libraries, object files and flags are used when
# linking a shared library.
- output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+ output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
fi
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
@@ -6287,6 +6831,10 @@ if test "$_lt_caught_CXX_error" != yes; then
CC*)
_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~
+ '"$_LT_TAGVAR(old_archive_cmds, $1)"
+ _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~
+ '"$_LT_TAGVAR(reload_cmds, $1)"
;;
*)
_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
@@ -6342,6 +6890,7 @@ if test "$_lt_caught_CXX_error" != yes; then
fi # test -n "$compiler"
CC=$lt_save_CC
+ CFLAGS=$lt_save_CFLAGS
LDCXX=$LD
LD=$lt_save_LD
GCC=$lt_save_GCC
@@ -6356,6 +6905,29 @@ AC_LANG_POP
])# _LT_LANG_CXX_CONFIG
+# _LT_FUNC_STRIPNAME_CNF
+# ----------------------
+# func_stripname_cnf prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+#
+# This function is identical to the (non-XSI) version of func_stripname,
+# except this one can be used by m4 code that may be executed by configure,
+# rather than the libtool script.
+m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl
+AC_REQUIRE([_LT_DECL_SED])
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])
+func_stripname_cnf ()
+{
+ case ${2} in
+ .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
+ *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
+ esac
+} # func_stripname_cnf
+])# _LT_FUNC_STRIPNAME_CNF
+
# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
# ---------------------------------
# Figure out "hidden" library dependencies from verbose
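Review bot: The header comment of `func_stripname_cnf` does not say where the result goes; the body assigns `func_stripname_result`, which the callers added in `_LT_SYS_HIDDEN_LIBDEPS` read back. I would add `# The result is left in $func_stripname_result.` to the comment block. It is also worth stating next to the PREFIX/SUFFIX restriction that both are spliced into the `$SED` program unescaped while NAME is only piped through it, so the restriction matters for any caller that passes something other than a literal.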
@@ -6364,6 +6936,7 @@ AC_LANG_POP
# objects, libraries and library flags.
m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl
# Dependencies to place before and after the object being linked:
_LT_TAGVAR(predep_objects, $1)=
_LT_TAGVAR(postdep_objects, $1)=
@@ -6413,7 +6986,20 @@ public class foo {
}
};
_LT_EOF
+], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
+package foo
+func foo() {
+}
+_LT_EOF
])
+
+_lt_libdeps_save_CFLAGS=$CFLAGS
+case "$CC $CFLAGS " in #(
+*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
+*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
+*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
+esac
+
dnl Parse the compiler output and extract the necessary
dnl objects, libraries and library flags.
if AC_TRY_EVAL(ac_compile); then
@@ -6425,7 +7011,7 @@ if AC_TRY_EVAL(ac_compile); then
pre_test_object_deps_done=no
for p in `eval "$output_verbose_link_cmd"`; do
- case $p in
+ case ${prev}${p} in
-L* | -R* | -l*)
# Some compilers place space between "-{L,R}" and the path.
@@ -6434,13 +7020,22 @@ if AC_TRY_EVAL(ac_compile); then
test $p = "-R"; then
prev=$p
continue
- else
- prev=
fi
+ # Expand the sysroot to ease extracting the directories later.
+ if test -z "$prev"; then
+ case $p in
+ -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;;
+ -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;;
+ -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;;
+ esac
+ fi
+ case $p in
+ =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;;
+ esac
if test "$pre_test_object_deps_done" = no; then
- case $p in
- -L* | -R*)
+ case ${prev} in
+ -L | -R)
# Internal compiler library paths should come after those
# provided the user. The postdeps already come after the
# user supplied libs so there is no need to process them.
@@ -6460,8 +7055,10 @@ if AC_TRY_EVAL(ac_compile); then
_LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
fi
fi
+ prev=
;;
+ *.lto.$objext) ;; # Ignore GCC LTO objects
*.$objext)
# This assumes that the test object file only shows up
# once in the compiler output.
@@ -6497,6 +7094,7 @@ else
fi
$RM -f confest.$objext
+CFLAGS=$_lt_libdeps_save_CFLAGS
# PORTME: override above test on systems where it is broken
m4_if([$1], [CXX],
@@ -6533,7 +7131,7 @@ linux*)
solaris*)
case $cc_basename in
- CC*)
+ CC* | sunCC*)
# The more standards-conforming stlport4 library is
# incompatible with the Cstd library. Avoid specifying
# it if it's in CXXFLAGS. Ignore libCrun as
@@ -6577,32 +7175,16 @@ _LT_TAGDECL([], [compiler_lib_search_path], [1],
])# _LT_SYS_HIDDEN_LIBDEPS
-# _LT_PROG_F77
-# ------------
-# Since AC_PROG_F77 is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_F77],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes])
-AC_PROG_F77
-if test -z "$F77" || test "X$F77" = "Xno"; then
- _lt_disable_F77=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_F77
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_F77], [])
-
-
# _LT_LANG_F77_CONFIG([TAG])
# --------------------------
# Ensure that the configuration variables for a Fortran 77 compiler are
# suitably defined. These variables are subsequently used by _LT_CONFIG
# to write the compiler configuration to `libtool'.
m4_defun([_LT_LANG_F77_CONFIG],
-[AC_REQUIRE([_LT_PROG_F77])dnl
-AC_LANG_PUSH(Fortran 77)
+[AC_LANG_PUSH(Fortran 77)
+if test -z "$F77" || test "X$F77" = "Xno"; then
+ _lt_disable_F77=yes
+fi
_LT_TAGVAR(archive_cmds_need_lc, $1)=no
_LT_TAGVAR(allow_undefined_flag, $1)=
@@ -6612,7 +7194,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
_LT_TAGVAR(hardcode_direct, $1)=no
_LT_TAGVAR(hardcode_direct_absolute, $1)=no
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
_LT_TAGVAR(hardcode_libdir_separator, $1)=
_LT_TAGVAR(hardcode_minus_L, $1)=no
_LT_TAGVAR(hardcode_automatic, $1)=no
@@ -6621,6 +7202,8 @@ _LT_TAGVAR(module_cmds, $1)=
_LT_TAGVAR(module_expsym_cmds, $1)=
_LT_TAGVAR(link_all_deplibs, $1)=unknown
_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
_LT_TAGVAR(no_undefined_flag, $1)=
_LT_TAGVAR(whole_archive_flag_spec, $1)=
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -6660,7 +7243,9 @@ if test "$_lt_disable_F77" != yes; then
# Allow CC to be a program name with arguments.
lt_save_CC="$CC"
lt_save_GCC=$GCC
+ lt_save_CFLAGS=$CFLAGS
CC=${F77-"f77"}
+ CFLAGS=$FFLAGS
compiler=$CC
_LT_TAGVAR(compiler, $1)=$CC
_LT_CC_BASENAME([$compiler])
@@ -6714,38 +7299,24 @@ if test "$_lt_disable_F77" != yes; then
GCC=$lt_save_GCC
CC="$lt_save_CC"
+ CFLAGS="$lt_save_CFLAGS"
fi # test "$_lt_disable_F77" != yes
AC_LANG_POP
])# _LT_LANG_F77_CONFIG
-# _LT_PROG_FC
-# -----------
-# Since AC_PROG_FC is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_FC],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes])
-AC_PROG_FC
-if test -z "$FC" || test "X$FC" = "Xno"; then
- _lt_disable_FC=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_FC
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_FC], [])
-
-
# _LT_LANG_FC_CONFIG([TAG])
# -------------------------
# Ensure that the configuration variables for a Fortran compiler are
# suitably defined. These variables are subsequently used by _LT_CONFIG
# to write the compiler configuration to `libtool'.
m4_defun([_LT_LANG_FC_CONFIG],
-[AC_REQUIRE([_LT_PROG_FC])dnl
-AC_LANG_PUSH(Fortran)
+[AC_LANG_PUSH(Fortran)
+
+if test -z "$FC" || test "X$FC" = "Xno"; then
+ _lt_disable_FC=yes
+fi
_LT_TAGVAR(archive_cmds_need_lc, $1)=no
_LT_TAGVAR(allow_undefined_flag, $1)=
@@ -6755,7 +7326,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
_LT_TAGVAR(hardcode_direct, $1)=no
_LT_TAGVAR(hardcode_direct_absolute, $1)=no
_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
_LT_TAGVAR(hardcode_libdir_separator, $1)=
_LT_TAGVAR(hardcode_minus_L, $1)=no
_LT_TAGVAR(hardcode_automatic, $1)=no
@@ -6764,6 +7334,8 @@ _LT_TAGVAR(module_cmds, $1)=
_LT_TAGVAR(module_expsym_cmds, $1)=
_LT_TAGVAR(link_all_deplibs, $1)=unknown
_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
_LT_TAGVAR(no_undefined_flag, $1)=
_LT_TAGVAR(whole_archive_flag_spec, $1)=
_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -6803,7 +7375,9 @@ if test "$_lt_disable_FC" != yes; then
# Allow CC to be a program name with arguments.
lt_save_CC="$CC"
lt_save_GCC=$GCC
+ lt_save_CFLAGS=$CFLAGS
CC=${FC-"f95"}
+ CFLAGS=$FCFLAGS
compiler=$CC
GCC=$ac_cv_fc_compiler_gnu
@@ -6859,7 +7433,8 @@ if test "$_lt_disable_FC" != yes; then
fi # test -n "$compiler"
GCC=$lt_save_GCC
- CC="$lt_save_CC"
+ CC=$lt_save_CC
+ CFLAGS=$lt_save_CFLAGS
fi # test "$_lt_disable_FC" != yes
AC_LANG_POP
@@ -6896,10 +7471,12 @@ _LT_COMPILER_BOILERPLATE
_LT_LINKER_BOILERPLATE
# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
lt_save_GCC=$GCC
GCC=yes
CC=${GCJ-"gcj"}
+CFLAGS=$GCJFLAGS
compiler=$CC
_LT_TAGVAR(compiler, $1)=$CC
_LT_TAGVAR(LD, $1)="$LD"
@@ -6909,6 +7486,8 @@ _LT_CC_BASENAME([$compiler])
_LT_TAGVAR(archive_cmds_need_lc, $1)=no
_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
## CAVEAT EMPTOR:
## There is no encapsulation within the following macros, do not change
@@ -6928,10 +7507,82 @@ fi
AC_LANG_RESTORE
GCC=$lt_save_GCC
-CC="$lt_save_CC"
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
])# _LT_LANG_GCJ_CONFIG
+# _LT_LANG_GO_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Go compiler
+# are suitably defined. These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GO_CONFIG],
+[AC_REQUIRE([LT_PROG_GO])dnl
+AC_LANG_SAVE
+
+# Source file extension for Go test sources.
+ac_ext=go
+
+# Object file extension for compiled Go test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="package main; func main() { }"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='package main; func main() { }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GOC-"gccgo"}
+CFLAGS=$GOFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
+
+# Go did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+ _LT_COMPILER_NO_RTTI($1)
+ _LT_COMPILER_PIC($1)
+ _LT_COMPILER_C_O($1)
+ _LT_COMPILER_FILE_LOCKS($1)
+ _LT_LINKER_SHLIBS($1)
+ _LT_LINKER_HARDCODE_LIBPATH($1)
+
+ _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GO_CONFIG
+
+
# _LT_LANG_RC_CONFIG([TAG])
# -------------------------
# Ensure that the configuration variables for the Windows resource compiler
@@ -6963,9 +7614,11 @@ _LT_LINKER_BOILERPLATE
# Allow CC to be a program name with arguments.
lt_save_CC="$CC"
+lt_save_CFLAGS=$CFLAGS
lt_save_GCC=$GCC
GCC=
CC=${RC-"windres"}
+CFLAGS=
compiler=$CC
_LT_TAGVAR(compiler, $1)=$CC
_LT_CC_BASENAME([$compiler])
@@ -6978,7 +7631,8 @@ fi
GCC=$lt_save_GCC
AC_LANG_RESTORE
-CC="$lt_save_CC"
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
])# _LT_LANG_RC_CONFIG
@@ -6998,6 +7652,13 @@ dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
+# LT_PROG_GO
+# ----------
+AC_DEFUN([LT_PROG_GO],
+[AC_CHECK_TOOL(GOC, gccgo,)
+])
+
+
# LT_PROG_RC
# ----------
AC_DEFUN([LT_PROG_RC],
@@ -7037,6 +7698,15 @@ _LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
AC_SUBST([OBJDUMP])
])
+# _LT_DECL_DLLTOOL
+# ----------------
+# Ensure DLLTOOL variable is set.
+m4_defun([_LT_DECL_DLLTOOL],
+[AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])
+AC_SUBST([DLLTOOL])
+])
# _LT_DECL_SED
# ------------
@@ -7130,8 +7800,8 @@ m4_defun([_LT_CHECK_SHELL_FEATURES],
# Try some XSI features
xsi_shell=no
( _lt_dummy="a/b/c"
- test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
- = c,a/b,, \
+ test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
+ = c,a/b,b/c, \
&& eval 'test $(( 1 + 1 )) -eq 2 \
&& test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
&& xsi_shell=yes
@@ -7170,208 +7840,162 @@ _LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
])# _LT_CHECK_SHELL_FEATURES
-# _LT_PROG_XSI_SHELLFNS
-# ---------------------
-# Bourne and XSI compatible variants of some useful shell functions.
-m4_defun([_LT_PROG_XSI_SHELLFNS],
-[case $xsi_shell in
- yes)
- cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE. If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
- case ${1} in
- */*) func_dirname_result="${1%/*}${2}" ;;
- * ) func_dirname_result="${3}" ;;
- esac
-}
-
-# func_basename file
-func_basename ()
-{
- func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-# dirname: Compute the dirname of FILE. If nonempty,
-# add APPEND to the result, otherwise set result
-# to NONDIR_REPLACEMENT.
-# value returned in "$func_dirname_result"
-# basename: Compute filename of FILE.
-# value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
- case ${1} in
- */*) func_dirname_result="${1%/*}${2}" ;;
- * ) func_dirname_result="${3}" ;;
- esac
- func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
- # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
- # positional parameters, so assign one to ordinary parameter first.
- func_stripname_result=${3}
- func_stripname_result=${func_stripname_result#"${1}"}
- func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
- func_opt_split_opt=${1%%=*}
- func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
- case ${1} in
- *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
- *) func_lo2o_result=${1} ;;
- esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
- func_xform_result=${1%.*}.lo
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
- func_arith_result=$(( $[*] ))
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
- func_len_result=${#1}
-}
+# _LT_PROG_FUNCTION_REPLACE (FUNCNAME, REPLACEMENT-BODY)
+# ------------------------------------------------------
+# In `$cfgfile', look for function FUNCNAME delimited by `^FUNCNAME ()$' and
+# '^} FUNCNAME ', and replace its body with REPLACEMENT-BODY.
+m4_defun([_LT_PROG_FUNCTION_REPLACE],
+[dnl {
+sed -e '/^$1 ()$/,/^} # $1 /c\
+$1 ()\
+{\
+m4_bpatsubsts([$2], [$], [\\], [^\([ ]\)], [\\\1])
+} # Extended-shell $1 implementation' "$cfgfile" > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+])
-_LT_EOF
- ;;
- *) # Bourne compatible functions.
- cat << \_LT_EOF >> "$cfgfile"
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE. If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
- # Extract subdirectory from the argument.
- func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
- if test "X$func_dirname_result" = "X${1}"; then
- func_dirname_result="${3}"
- else
- func_dirname_result="$func_dirname_result${2}"
- fi
-}
+# _LT_PROG_REPLACE_SHELLFNS
+# -------------------------
+# Replace existing portable implementations of several shell functions with
+# equivalent extended shell implementations where those features are available..
+m4_defun([_LT_PROG_REPLACE_SHELLFNS],
+[if test x"$xsi_shell" = xyes; then
+ _LT_PROG_FUNCTION_REPLACE([func_dirname], [dnl
+ case ${1} in
+ */*) func_dirname_result="${1%/*}${2}" ;;
+ * ) func_dirname_result="${3}" ;;
+ esac])
+
+ _LT_PROG_FUNCTION_REPLACE([func_basename], [dnl
+ func_basename_result="${1##*/}"])
+
+ _LT_PROG_FUNCTION_REPLACE([func_dirname_and_basename], [dnl
+ case ${1} in
+ */*) func_dirname_result="${1%/*}${2}" ;;
+ * ) func_dirname_result="${3}" ;;
+ esac
+ func_basename_result="${1##*/}"])
-# func_basename file
-func_basename ()
-{
- func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
+ _LT_PROG_FUNCTION_REPLACE([func_stripname], [dnl
+ # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+ # positional parameters, so assign one to ordinary parameter first.
+ func_stripname_result=${3}
+ func_stripname_result=${func_stripname_result#"${1}"}
+ func_stripname_result=${func_stripname_result%"${2}"}])
-dnl func_dirname_and_basename
-dnl A portable version of this function is already defined in general.m4sh
-dnl so there is no need for it here.
+ _LT_PROG_FUNCTION_REPLACE([func_split_long_opt], [dnl
+ func_split_long_opt_name=${1%%=*}
+ func_split_long_opt_arg=${1#*=}])
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
- case ${2} in
- .*) func_stripname_result=`$ECHO "X${3}" \
- | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
- *) func_stripname_result=`$ECHO "X${3}" \
- | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
- esac
-}
+ _LT_PROG_FUNCTION_REPLACE([func_split_short_opt], [dnl
+ func_split_short_opt_arg=${1#??}
+ func_split_short_opt_name=${1%"$func_split_short_opt_arg"}])
-# sed scripts:
-my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[[^=]]*=//'
+ _LT_PROG_FUNCTION_REPLACE([func_lo2o], [dnl
+ case ${1} in
+ *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
+ *) func_lo2o_result=${1} ;;
+ esac])
-# func_opt_split
-func_opt_split ()
-{
- func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
- func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
+ _LT_PROG_FUNCTION_REPLACE([func_xform], [ func_xform_result=${1%.*}.lo])
-# func_lo2o object
-func_lo2o ()
-{
- func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
+ _LT_PROG_FUNCTION_REPLACE([func_arith], [ func_arith_result=$(( $[*] ))])
-# func_xform libobj-or-source
-func_xform ()
-{
- func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'`
-}
+ _LT_PROG_FUNCTION_REPLACE([func_len], [ func_len_result=${#1}])
+fi
-# func_arith arithmetic-term...
-func_arith ()
-{
- func_arith_result=`expr "$[@]"`
-}
+if test x"$lt_shell_append" = xyes; then
+ _LT_PROG_FUNCTION_REPLACE([func_append], [ eval "${1}+=\\${2}"])
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
- func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
+ _LT_PROG_FUNCTION_REPLACE([func_append_quoted], [dnl
+ func_quote_for_eval "${2}"
+dnl m4 expansion turns \\\\ into \\, and then the shell eval turns that into \
+ eval "${1}+=\\\\ \\$func_quote_for_eval_result"])
-_LT_EOF
-esac
+ # Save a `func_append' function call where possible by direct use of '+='
+ sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+ test 0 -eq $? || _lt_function_replace_fail=:
+else
+ # Save a `func_append' function call even when '+=' is not available
+ sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
+ && mv -f "$cfgfile.tmp" "$cfgfile" \
+ || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+ test 0 -eq $? || _lt_function_replace_fail=:
+fi
-case $lt_shell_append in
- yes)
- cat << \_LT_EOF >> "$cfgfile"
+if test x"$_lt_function_replace_fail" = x":"; then
+ AC_MSG_WARN([Unable to substitute extended shell functions in $ofile])
+fi
+])
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
- eval "$[1]+=\$[2]"
-}
-_LT_EOF
+# _LT_PATH_CONVERSION_FUNCTIONS
+# -----------------------------
+# Determine which file name conversion functions should be used by
+# func_to_host_file (and, implicitly, by func_to_host_path). These are needed
+# for certain cross-compile configurations and native mingw.
+m4_defun([_LT_PATH_CONVERSION_FUNCTIONS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_MSG_CHECKING([how to convert $build file names to $host format])
+AC_CACHE_VAL(lt_cv_to_host_file_cmd,
+[case $host in
+ *-*-mingw* )
+ case $build in
+ *-*-mingw* ) # actually msys
+ lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+ ;;
+ *-*-cygwin* )
+ lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+ ;;
+ * ) # otherwise, assume *nix
+ lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+ ;;
+ esac
;;
- *)
- cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
- eval "$[1]=\$$[1]\$[2]"
-}
-
-_LT_EOF
+ *-*-cygwin* )
+ case $build in
+ *-*-mingw* ) # actually msys
+ lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+ ;;
+ *-*-cygwin* )
+ lt_cv_to_host_file_cmd=func_convert_file_noop
+ ;;
+ * ) # otherwise, assume *nix
+ lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+ ;;
+ esac
;;
- esac
+ * ) # unhandled hosts (and "normal" native builds)
+ lt_cv_to_host_file_cmd=func_convert_file_noop
+ ;;
+esac
+])
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+AC_MSG_RESULT([$lt_cv_to_host_file_cmd])
+_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd],
+ [0], [convert $build file names to $host format])dnl
+
+AC_MSG_CHECKING([how to convert $build file names to toolchain format])
+AC_CACHE_VAL(lt_cv_to_tool_file_cmd,
+[#assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+ *-*-mingw* )
+ case $build in
+ *-*-mingw* ) # actually msys
+ lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+ ;;
+ esac
+ ;;
+esac
])
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+AC_MSG_RESULT([$lt_cv_to_tool_file_cmd])
+_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd],
+ [0], [convert $build files to toolchain format])dnl
+])# _LT_PATH_CONVERSION_FUNCTIONS
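Review bot: In `_LT_PROG_FUNCTION_REPLACE`, and in both `func_append` rewrites inside `_LT_PROG_REPLACE_SHELLFNS`, the `sed … > $cfgfile.tmp && mv … || (rm … && cp … && rm …)` chain also runs the copy fallback when `sed` itself fails, so a partial `$cfgfile.tmp` replaces `$cfgfile`. The following `test 0 -eq $?` then sees the status of the fallback rather than of `sed`, so `_lt_function_replace_fail` stays unset and the `AC_MSG_WARN` never fires for that case. Separating the two failures keeps the original script intact when the edit fails, and the redirect target should be quoted like the other uses of `$cfgfile.tmp`. The change is shown for the first `func_append` rewrite; the other two sites take the same shape.

```m4
  # Save a `func_append' function call where possible by direct use of '+='
  if sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' "$cfgfile" > "$cfgfile.tmp"; then
    mv -f "$cfgfile.tmp" "$cfgfile" \
      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") \
      || _lt_function_replace_fail=:
  else
    # sed failed: leave $cfgfile as it was and discard the partial output.
    rm -f "$cfgfile.tmp"
    _lt_function_replace_fail=:
  fi
```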
diff --git a/m4/config/ltoptions.m4 b/m4/config/ltoptions.m4
index 34151a3ba..5d9acd8e2 100644
--- a/m4/config/ltoptions.m4
+++ b/m4/config/ltoptions.m4
@@ -1,13 +1,14 @@
# Helper functions for option handling. -*- Autoconf -*-
#
-# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+# Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
-# serial 6 ltoptions.m4
+# serial 7 ltoptions.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
@@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
[enable_win32_dll=yes
case $host in
-*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
+*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
AC_CHECK_TOOL(AS, as, false)
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(OBJDUMP, objdump, false)
@@ -133,13 +134,13 @@ case $host in
esac
test -z "$AS" && AS=as
-_LT_DECL([], [AS], [0], [Assembler program])dnl
+_LT_DECL([], [AS], [1], [Assembler program])dnl
test -z "$DLLTOOL" && DLLTOOL=dlltool
-_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
+_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
])# win32-dll
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
@@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
m4_define([_LT_WITH_PIC],
[AC_ARG_WITH([pic],
- [AS_HELP_STRING([--with-pic],
+ [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
- [pic_mode="$withval"],
+ [lt_p=${PACKAGE-default}
+ case $withval in
+ yes|no) pic_mode=$withval ;;
+ *)
+ pic_mode=default
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for lt_pkg in $withval; do
+ IFS="$lt_save_ifs"
+ if test "X$lt_pkg" = "X$lt_p"; then
+ pic_mode=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
[pic_mode=default])
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
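Review bot: The new `--with-pic@<:@=PKGS@:>@` handling silently maps any value that is neither `yes`, `no` nor the current `$PACKAGE` to `pic_mode=default`, so a mistyped value such as `--with-pic=ye` is accepted without a diagnostic. The help text still reads `try to use only PIC/non-PIC objects` and does not explain that PKGS is a list of package names; a short comment above the `case`, for example `# Any other value is a list of package names; PIC is forced only if $PACKAGE is listed.`, would document that. The unquoted `for lt_pkg in $withval` is needed for the IFS split but also leaves pathname expansion on, so a value containing `*` or `?` is expanded against the build directory before the comparison.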
diff --git a/m4/config/ltversion.m4 b/m4/config/ltversion.m4
index f3c530980..07a8602d4 100644
--- a/m4/config/ltversion.m4
+++ b/m4/config/ltversion.m4
@@ -7,17 +7,17 @@
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
-# Generated from ltversion.in.
+# @configure_input@
-# serial 3017 ltversion.m4
+# serial 3337 ltversion.m4
# This file is part of GNU Libtool
-m4_define([LT_PACKAGE_VERSION], [2.2.6b])
-m4_define([LT_PACKAGE_REVISION], [1.3017])
+m4_define([LT_PACKAGE_VERSION], [2.4.2])
+m4_define([LT_PACKAGE_REVISION], [1.3337])
AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.2.6b'
-macro_revision='1.3017'
+[macro_version='2.4.2'
+macro_revision='1.3337'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])
diff --git a/m4/config/lt~obsolete.m4 b/m4/config/lt~obsolete.m4
index 637bb2066..c573da90c 100644
--- a/m4/config/lt~obsolete.m4
+++ b/m4/config/lt~obsolete.m4
@@ -1,13 +1,13 @@
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
-# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
+# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
-# serial 4 lt~obsolete.m4
+# serial 5 lt~obsolete.m4
# These exist entirely to fool aclocal when bootstrapping libtool.
#
@@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
-m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
@@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
+m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
+m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
+m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
+m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
+m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])
diff --git a/man/Makefile.in b/man/Makefile.in
index b1c54dcd1..e313a4fff 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
man5dir = $(mandir)/man5
am__installdirs = "$(DESTDIR)$(man5dir)"
NROFF = nroff
@@ -99,6 +105,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -126,6 +133,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -153,6 +161,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -165,6 +174,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -218,7 +228,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -344,9 +353,7 @@ uninstall-man5:
sed -n '/\.5[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
tags: TAGS
TAGS:
@@ -414,10 +421,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 83ebc223c..e24196c2b 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.1rc1" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -369,7 +369,7 @@ for the connection, e.g.
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
Defaults to
.BR aes128-sha1,3des-sha1 .
The daemon adds its extensive default proposal to this default
@@ -377,7 +377,7 @@ or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked.
.TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
+.TP
.BR ike " = <cipher suites>"
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
to be used, e.g.
.BR aes128-sha1-modp2048 .
The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
.br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
Defaults to
.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
The daemon adds its extensive default proposal to this
@@ -419,13 +443,14 @@ default or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
suites, the strict flag
.RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
@@ -579,6 +604,15 @@ to the distinguished name of the certificate's subject.
The left participant's ID can be overridden by specifying a
.B leftid
value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -1012,6 +1046,11 @@ currently can have either the value
.BR cacert " = <path>"
defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
.TP
.BR crluri " = <uri>"
defines a CRL distribution point (ldap, http, or file URI)
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index f4d7ed1d6..2766cc4ed 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -369,7 +369,7 @@ for the connection, e.g.
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
Defaults to
.BR aes128-sha1,3des-sha1 .
The daemon adds its extensive default proposal to this default
@@ -377,7 +377,7 @@ or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked.
.TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
+.TP
.BR ike " = <cipher suites>"
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
to be used, e.g.
.BR aes128-sha1-modp2048 .
The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
.br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
Defaults to
.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
The daemon adds its extensive default proposal to this
@@ -419,13 +443,14 @@ default or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
suites, the strict flag
.RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
@@ -579,6 +604,15 @@ to the distinguished name of the certificate's subject.
The left participant's ID can be overridden by specifying a
.B leftid
value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -1012,6 +1046,11 @@ currently can have either the value
.BR cacert " = <path>"
defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
.TP
.BR crluri " = <uri>"
defines a CRL distribution point (ldap, http, or file URI)
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index c7c092502..127f18f20 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "4.6.2dr3" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
colon.
.LP
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure. To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
.LP
Matching IDs with selectors is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
.B EAP
defines EAP credentials
.TP
+.B NTLM
+defines NTLM credentials
+.TP
.B XAUTH
defines XAUTH credentials
.TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
\fBEAP\fP secrets are IKEv2 only.
.TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
.B [ <servername> ] <username> : XAUTH <password>
The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
\fBXAUTH\fP secrets are IKEv1 only.
.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
.B %prompt
can be specified, which causes the daemons to ask the user for the pin code.
.LP
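Review bot: The phrase "stored as NTLM hash ... instead of as cleartext" in the new NTLM entry can be read as protection for the credential, which it is not. MS-CHAPv2 responses are computed from the NT hash, so the unsalted MD4 value is password-equivalent for the eap-mschapv2 plugin this secret type is limited to. I would add a sentence after `cleartext.` such as `The hash is password-equivalent for EAP-MSCHAPv2, so the file needs the same access restrictions as for cleartext secrets.` The same entry is added in man/ipsec.secrets.5.in, which looks like the template for this page, so the sentence belongs there as well.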
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index aa1b5c9c1..319d4856b 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
colon.
.LP
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure. To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
.LP
Matching IDs with selectors is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
.B EAP
defines EAP credentials
.TP
+.B NTLM
+defines NTLM credentials
+.TP
.B XAUTH
defines XAUTH credentials
.TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
\fBEAP\fP secrets are IKEv2 only.
.TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
.B [ <servername> ] <username> : XAUTH <password>
The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
\fBXAUTH\fP secrets are IKEv1 only.
.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
.B %prompt
can be specified, which causes the daemons to ask the user for the pin code.
.LP
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 16b9f245a..8a34a7f93 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2012-05-01" "5.0.1" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established.
Enabling this might conflict with plugins that later need access to e.g. the
used certificates.
.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP
@@ -178,6 +182,10 @@ openly transmitted hash of the PSK)
.BR charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups
.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
+.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table
.TP
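Review bot: The new `charon.ikesa_limit` entry gives a default of `[0]` without saying what zero means, and read literally it would block every connection attempt. Presumably 0 disables the limit; if the code confirms that, the description could end with `connection attempts are blocked (0 disables the limit)`. Since this is a resource-exhaustion control, it would also help to say whether the count includes half-open IKE_SAs, which the hunk does not show. The same entry is added in man/strongswan.conf.5.in.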
@@ -635,9 +643,15 @@ Passphrase protecting the private key
.BR charon.plugins.tnc-ifmap.username
Authentication username of strongSwan MAP client
.TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
.BR charon.plugins.tnc-imc.preferred_language " [en]"
Preferred language for TNC recommendations
.TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
.BR charon.plugins.tnc-pdp.method " [ttls]"
EAP tunnel method to be used
.TP
@@ -696,6 +710,12 @@ strength
.BR libstrongswan.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
.BR libstrongswan.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
.BR libstrongswan.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
.TP
.BR libimcv.stderr_quiet " [no]"
Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
.TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
.TP
.BR libimcv.plugins.imc-attestation.aik_blob
AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
DH minimum nonce length
.TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
.TP
.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
By default all ports must be closed (yes) or can be open (no)
.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
.BR libimcv.plugins.imv-scanner.tcp_ports
List of TCP ports that can be open or must be closed
.TP
@@ -826,6 +870,9 @@ Do a handshake retry
.BR libimcv.plugins.imc-test.retry_command
Command to be sent to the Test IMV in the handshake retry
.TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
.BR libimcv.plugins.imv-test.rounds " [0]"
Number of IMC-IMV retry rounds
.SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
.TP
.BR openac.load
Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
.SS pki section
.TP
.BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
preconfigured credentials and allows an attacker to authenticate as any user.
.SS Options
.TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
.BR charon.plugins.load-tester.child_rekey " [600]"
Seconds to start CHILD_SA rekeying after setup
.TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
.BR charon.plugins.load-tester.delete_after_established " [no]"
Delete an IKE_SA as soon as it has been established
.TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
.BR charon.plugins.load-tester.dpd_delay " [0]"
DPD delay to use in load test
.TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
.BR charon.plugins.load-tester.init_limit " [0]"
Global limit of concurrently established SAs during load test
.TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
.BR charon.plugins.load-tester.initiators " [0]"
Number of concurrent initiator threads to use in load test
.TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
.BR charon.plugins.load-tester.initiator_id
Initiator ID used in load test
.TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
.TP
.BR charon.plugins.load-tester.pool
Provide INTERNAL_IPV4_ADDRs from a named pool
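Review bot: The added description for `charon.plugins.load-tester.initiator_match` repeats a word: `Initiator ID to to match against as responder` should read `Initiator ID to match against as responder`. The same line is added in man/strongswan.conf.5.in. The neighbouring `issuer_cert` and `issuer_key` entries mention a hard-coded fallback value; a short pointer back to the section's warning about preconfigured credentials would make it clear that the built-in issuer key is not a secret.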
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
IKE proposal to use in load test
.TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
Address to initiation connections to
.TP
.BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
.BR charon.plugins.load-tester.responder_id
Responder ID used in load test
.TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
.BR charon.plugins.load-tester.request_virtual_ip " [no]"
Request an INTERNAL_IPV4_ADDR from the server
.TP
.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
.SS Configuration details
For public key authentication, the responder uses the
.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 217d7d739..2fafed62d 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2012-05-01" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established.
Enabling this might conflict with plugins that later need access to e.g. the
used certificates.
.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP
@@ -178,6 +182,10 @@ openly transmitted hash of the PSK)
.BR charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups
.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
+.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table
.TP
@@ -635,9 +643,15 @@ Passphrase protecting the private key
.BR charon.plugins.tnc-ifmap.username
Authentication username of strongSwan MAP client
.TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
.BR charon.plugins.tnc-imc.preferred_language " [en]"
Preferred language for TNC recommendations
.TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
.BR charon.plugins.tnc-pdp.method " [ttls]"
EAP tunnel method to be used
.TP
@@ -696,6 +710,12 @@ strength
.BR libstrongswan.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
.BR libstrongswan.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
.BR libstrongswan.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
.TP
.BR libimcv.stderr_quiet " [no]"
Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
.TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
.TP
.BR libimcv.plugins.imc-attestation.aik_blob
AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
DH minimum nonce length
.TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
.TP
.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
By default all ports must be closed (yes) or can be open (no)
.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
.BR libimcv.plugins.imv-scanner.tcp_ports
List of TCP ports that can be open or must be closed
.TP
@@ -826,6 +870,9 @@ Do a handshake retry
.BR libimcv.plugins.imc-test.retry_command
Command to be sent to the Test IMV in the handshake retry
.TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
.BR libimcv.plugins.imv-test.rounds " [0]"
Number of IMC-IMV retry rounds
.SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
.TP
.BR openac.load
Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
.SS pki section
.TP
.BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
preconfigured credentials and allows an attacker to authenticate as any user.
.SS Options
.TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
.BR charon.plugins.load-tester.child_rekey " [600]"
Seconds to start CHILD_SA rekeying after setup
.TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
.BR charon.plugins.load-tester.delete_after_established " [no]"
Delete an IKE_SA as soon as it has been established
.TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
.BR charon.plugins.load-tester.dpd_delay " [0]"
DPD delay to use in load test
.TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
.BR charon.plugins.load-tester.init_limit " [0]"
Global limit of concurrently established SAs during load test
.TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
.BR charon.plugins.load-tester.initiators " [0]"
Number of concurrent initiator threads to use in load test
.TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
.BR charon.plugins.load-tester.initiator_id
Initiator ID used in load test
.TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
.TP
.BR charon.plugins.load-tester.pool
Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
IKE proposal to use in load test
.TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
Address to initiation connections to
.TP
.BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
.BR charon.plugins.load-tester.responder_id
Responder ID used in load test
.TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
.BR charon.plugins.load-tester.request_virtual_ip " [no]"
Request an INTERNAL_IPV4_ADDR from the server
.TP
.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
.SS Configuration details
For public key authentication, the responder uses the
.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
diff --git a/missing b/missing
index 28055d2ae..86a8fc31e 100755
--- a/missing
+++ b/missing
@@ -1,10 +1,10 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2012-01-06.13; # UTC
# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006,
-# 2008, 2009 Free Software Foundation, Inc.
+# 2008, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
@@ -84,7 +84,6 @@ Supported PROGRAM values:
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
- tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and
@@ -122,15 +121,6 @@ case $1 in
# Not GNU programs, they don't have --version.
;;
- tar*)
- if test -n "$run"; then
- echo 1>&2 "ERROR: \`tar' requires --run"
- exit 1
- elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
- exit 1
- fi
- ;;
-
*)
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
# We have it, but it failed.
@@ -226,7 +216,7 @@ WARNING: \`$1' $msg. You should only need it if
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
- eval LASTARG="\${$#}"
+ eval LASTARG=\${$#}
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
@@ -256,7 +246,7 @@ WARNING: \`$1' is $msg. You should only need it if
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
- eval LASTARG="\${$#}"
+ eval LASTARG=\${$#}
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
@@ -318,41 +308,6 @@ WARNING: \`$1' is $msg. You should only need it if
touch $file
;;
- tar*)
- shift
-
- # We have already tried tar in the generic part.
- # Look for gnutar/gtar before invocation to avoid ugly error
- # messages.
- if (gnutar --version > /dev/null 2>&1); then
- gnutar "$@" && exit 0
- fi
- if (gtar --version > /dev/null 2>&1); then
- gtar "$@" && exit 0
- fi
- firstarg="$1"
- if shift; then
- case $firstarg in
- *o*)
- firstarg=`echo "$firstarg" | sed s/o//`
- tar "$firstarg" "$@" && exit 0
- ;;
- esac
- case $firstarg in
- *h*)
- firstarg=`echo "$firstarg" | sed s/h//`
- tar "$firstarg" "$@" && exit 0
- ;;
- esac
- fi
-
- echo 1>&2 "\
-WARNING: I can't seem to be able to run \`tar' with the given arguments.
- You may want to install GNU tar or Free paxutils, or check the
- command line arguments."
- exit 1
- ;;
-
*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index a50e8d6e0..bb95cdf43 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -157,6 +157,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -184,6 +185,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -211,6 +213,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -223,6 +226,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -276,7 +280,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -395,43 +398,43 @@ clean-noinstPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES)
+bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) $(EXTRA_bin2array_DEPENDENCIES)
@rm -f bin2array$(EXEEXT)
$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
-bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES)
+bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) $(EXTRA_bin2sql_DEPENDENCIES)
@rm -f bin2sql$(EXEEXT)
$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
-crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES)
+crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) $(EXTRA_crypt_burn_DEPENDENCIES)
@rm -f crypt_burn$(EXEEXT)
$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
-dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES)
+dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) $(EXTRA_dh_speed_DEPENDENCIES)
@rm -f dh_speed$(EXEEXT)
$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
-fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES)
+fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) $(EXTRA_fetch_DEPENDENCIES)
@rm -f fetch$(EXEEXT)
$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
-hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES)
+hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES) $(EXTRA_hash_burn_DEPENDENCIES)
@rm -f hash_burn$(EXEEXT)
$(LINK) $(hash_burn_OBJECTS) $(hash_burn_LDADD) $(LIBS)
-id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES)
+id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) $(EXTRA_id2sql_DEPENDENCIES)
@rm -f id2sql$(EXEEXT)
$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
-key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES)
+key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) $(EXTRA_key2keyid_DEPENDENCIES)
@rm -f key2keyid$(EXEEXT)
$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
-keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES)
+keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) $(EXTRA_keyid2sql_DEPENDENCIES)
@rm -f keyid2sql$(EXEEXT)
$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
-oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES)
+oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) $(EXTRA_oid2der_DEPENDENCIES)
@rm -f oid2der$(EXEEXT)
$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
-pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES)
+pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) $(EXTRA_pubkey_speed_DEPENDENCIES)
@rm -f pubkey_speed$(EXEEXT)
$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
-thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES)
+thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) $(EXTRA_thread_analysis_DEPENDENCIES)
@rm -f thread_analysis$(EXEEXT)
$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
-tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES)
+tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) $(EXTRA_tls_test_DEPENDENCIES)
@rm -f tls_test$(EXEEXT)
$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
@@ -578,10 +581,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 629a8eabb..588807597 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -16,7 +16,7 @@
#include <stdio.h>
#include <time.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/diffie_hellman.h>
static void usage()
diff --git a/scripts/fetch.c b/scripts/fetch.c
index ad50d0cd6..23f857246 100644
--- a/scripts/fetch.c
+++ b/scripts/fetch.c
@@ -17,7 +17,7 @@
#include <unistd.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
static int count = 0;
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 5b63381b8..aba96a8c1 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -15,7 +15,7 @@
#include <stdio.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/keys/private_key.h>
#include <credentials/keys/public_key.h>
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index 7cad4c45e..26427ab3d 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -15,7 +15,7 @@
#include <stdio.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/keys/private_key.h>
#include <credentials/keys/public_key.h>
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 6402e606d..32c6e8f49 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -2,7 +2,7 @@
#include <stdio.h>
#include <time.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/keys/private_key.h>
void start_timing(struct timespec *start)
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 560c4a4ba..d0d259e60 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -22,9 +22,9 @@
#include <string.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <tls_socket.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <credentials/sets/mem_cred.h>
/**
diff --git a/src/Makefile.in b/src/Makefile.in
index 939473424..ada684eae 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -141,6 +141,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -168,6 +169,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -195,6 +197,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -207,6 +210,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -260,7 +264,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -564,10 +567,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index c4477f303..83b25bebf 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -96,6 +96,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -123,6 +124,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -150,6 +152,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -162,6 +165,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -215,7 +219,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -344,7 +347,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES)
+_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) $(EXTRA__copyright_DEPENDENCIES)
@rm -f _copyright$(EXEEXT)
$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
@@ -482,10 +485,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 672285ad0..d67bdb844 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
SCRIPTS = $(ipsec_SCRIPTS)
SOURCES =
@@ -101,6 +107,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -128,6 +135,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -155,6 +163,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -167,6 +176,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -220,7 +230,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -335,9 +344,7 @@ uninstall-ipsecSCRIPTS:
@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+ dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
mostlyclean-libtool:
-rm -f *.lo
@@ -375,9 +382,7 @@ uninstall-man8:
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
tags: TAGS
TAGS:
@@ -445,10 +450,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index b62ceba2b..88683f38b 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
SCRIPTS = $(dist_ipsec_SCRIPTS)
SOURCES =
@@ -101,6 +107,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -128,6 +135,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -155,6 +163,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -167,6 +176,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -220,7 +230,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -333,9 +342,7 @@ uninstall-dist_ipsecSCRIPTS:
@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+ dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
mostlyclean-libtool:
-rm -f *.lo
@@ -373,9 +380,7 @@ uninstall-man8:
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
tags: TAGS
TAGS:
@@ -443,10 +448,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index be72892e9..8416455ae 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -102,6 +102,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -129,6 +130,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -156,6 +158,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -168,6 +171,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -221,7 +225,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +373,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-charon-nm$(EXEEXT): $(charon_nm_OBJECTS) $(charon_nm_DEPENDENCIES)
+charon-nm$(EXEEXT): $(charon_nm_OBJECTS) $(charon_nm_DEPENDENCIES) $(EXTRA_charon_nm_DEPENDENCIES)
@rm -f charon-nm$(EXEEXT)
$(LINK) $(charon_nm_OBJECTS) $(charon_nm_LDADD) $(LIBS)
@@ -568,10 +571,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 35e906778..61f2937ce 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -117,28 +117,6 @@ static void segv_handler(int signal)
}
/**
- * Initialize logging to syslog
- */
-static void initialize_logger()
-{
- sys_logger_t *sys_logger;
- debug_t group;
- level_t def;
-
- sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
- def = lib->settings->get_int(lib->settings,
- "charon-nm.syslog.default", 1);
- for (group = 0; group < DBG_MAX; group++)
- {
- sys_logger->set_level(sys_logger, group,
- lib->settings->get_int(lib->settings, "charon-nm.syslog.%N", def,
- debug_lower_names, group));
- }
- charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
- charon->bus->add_logger(charon->bus, &sys_logger->logger);
-}
-
-/**
* Lookup UID and GID
*/
static bool lookup_uid_gid()
@@ -204,7 +182,11 @@ int main(int argc, char *argv[])
goto deinit;
}
- initialize_logger();
+ /* make sure we log to the DAEMON facility by default */
+ lib->settings->set_int(lib->settings, "charon-nm.syslog.daemon.default",
+ lib->settings->get_int(lib->settings,
+ "charon-nm.syslog.daemon.default", 1));
+ charon->load_loggers(charon, NULL, FALSE);
/* use random ports to avoid conflicts with regular charon */
lib->settings->set_int(lib->settings, "charon-nm.port", 0);
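Review bot: The key read and written here, `charon-nm.syslog.daemon.default`, is not the one the removed initialize_logger() used (`charon-nm.syslog.default` and `charon-nm.syslog.<group>`), so an existing strongswan.conf that tunes charon-nm log levels under the old path would presumably stop taking effect. `charon->load_loggers()` is not visible in this hunk, so whether it still honours the old keys needs confirming. If it does not, the change deserves a NEWS entry, because silently losing configured log levels on a VPN daemon hurts later troubleshooting and incident review. The get-then-set idiom is also not explained by the existing comment; assuming this is the intent, I would extend it to `/* write the default back so the syslog.daemon section exists and load_loggers() creates a LOG_DAEMON logger even with an empty config */`. main() starts and continues outside the hunk.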
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index f36cf1f68..5bb2ed930 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -117,10 +117,13 @@ static bool nm_backend_init()
nm_backend_t *this;
g_type_init ();
+
+#if !GLIB_CHECK_VERSION(2,23,0)
if (!g_thread_supported())
{
g_thread_init(NULL);
}
+#endif
INIT(this,
.creds = nm_creds_create(),
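Review bot: The new `#if !GLIB_CHECK_VERSION(2,23,0)` guard in nm_backend_init() has no comment explaining the cut-off, and the reason is not obvious from the code. A line such as `/* newer GLib sets up threading in g_type_init(); g_thread_init() is only needed before 2.23 */` would help, with the wording checked against the GLib documentation for the versions being targeted. The macro compares against the headers used at build time, not the library loaded at run time, which is worth stating in the same comment. nm_backend_init() continues outside this hunk.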
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index b7155b44b..eb187496d 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -18,7 +18,7 @@
#include "nm_service.h"
#include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
#include <config/peer_cfg.h>
#include <credentials/certificates/x509.h>
@@ -498,11 +498,12 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
/**
* Set up configurations
*/
- ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", FALSE,
+ ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- (char*)address, FALSE, IKEV2_UDP_PORT);
+ (char*)address, FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create(priv->name, IKEV2, ike_cfg,
+ peer_cfg = peer_cfg_create(priv->name, ike_cfg,
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
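Review bot: The `ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE, ...)` call in connect_() now takes ten positional arguments, several of them bare `TRUE`/`FALSE`, and nothing at the call site says what each one controls. The `peer_cfg_create` call just below already annotates its arguments (`/* keyingtries */`, `/* rekey 10h, reauth none */`). The same treatment here, for instance `FRAGMENTATION_NO); /* no IKE fragmentation */`, would make it easier to check that the new leading `IKEV2` and the trailing fragmentation argument landed in the right slots. The same applies to the `ike_cfg_create` call changed in src/conftest/config.c. Both calls sit in functions that extend beyond their hunks.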
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index d8109bb7f..4776b783a 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -100,6 +100,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -127,6 +128,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -154,6 +156,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -166,6 +169,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -219,7 +223,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -363,7 +366,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES)
+charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) $(EXTRA_charon_DEPENDENCIES)
@rm -f charon$(EXEEXT)
$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
@@ -501,10 +504,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/charon/charon.c b/src/charon/charon.c
index bd36c72f4..f4bd27d34 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -24,8 +24,6 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/utsname.h>
-#include <syslog.h>
-#include <errno.h>
#include <unistd.h>
#include <getopt.h>
@@ -40,10 +38,6 @@
#include <private/android_filesystem_config.h> /* for AID_VPN */
#endif
-#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
/**
* PID file, in which charon stores its process id
*/
@@ -55,6 +49,16 @@
static FILE *pidfile = NULL;
/**
+ * Log levels as defined via command line arguments
+ */
+static level_t levels[DBG_MAX];
+
+/**
+ * Whether to only use syslog when logging
+ */
+static bool use_syslog = FALSE;
+
+/**
* hook in library for debugging messages
*/
extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
@@ -109,6 +113,7 @@ static void run()
"configuration");
if (lib->settings->load_files(lib->settings, NULL, FALSE))
{
+ charon->load_loggers(charon, levels, !use_syslog);
lib->plugins->reload(lib->plugins, NULL);
}
else
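Review bot: The `charon->load_loggers(charon, levels, !use_syslog)` call added to the reload path in run() reconfigures logging while the daemon is running, and nothing here checks or reports whether a logger could be re-established. If file loggers are reopened at this point, that presumably happens with whatever privileges the daemon has kept after startup, so a log file that was writable at start may not be writable after a reload. Neither the privilege handling nor `load_loggers` is visible in this hunk, so this needs confirming. A short comment such as `/* re-read logger config; levels and use_syslog are the command line values kept at file scope for this */` would also explain why those two variables moved out of main(). run() starts and ends outside the hunk.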
@@ -239,141 +244,6 @@ static void unlink_pidfile()
}
/**
- * Initialize logging
- */
-static void initialize_loggers(bool use_stderr, level_t levels[])
-{
- sys_logger_t *sys_logger;
- file_logger_t *file_logger;
- enumerator_t *enumerator;
- char *identifier, *facility, *filename;
- int loggers_defined = 0;
- debug_t group;
- level_t def;
- bool append, ike_name;
- FILE *file;
-
- /* setup sysloggers */
- identifier = lib->settings->get_str(lib->settings,
- "charon.syslog.identifier", NULL);
- if (identifier)
- { /* set identifier, which is prepended to each log line */
- openlog(identifier, 0, 0);
- }
- enumerator = lib->settings->create_section_enumerator(lib->settings,
- "charon.syslog");
- while (enumerator->enumerate(enumerator, &facility))
- {
- loggers_defined++;
-
- ike_name = lib->settings->get_bool(lib->settings,
- "charon.syslog.%s.ike_name", FALSE, facility);
- if (streq(facility, "daemon"))
- {
- sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
- }
- else if (streq(facility, "auth"))
- {
- sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
- }
- else
- {
- continue;
- }
- def = lib->settings->get_int(lib->settings,
- "charon.syslog.%s.default", 1, facility);
- for (group = 0; group < DBG_MAX; group++)
- {
- sys_logger->set_level(sys_logger, group,
- lib->settings->get_int(lib->settings,
- "charon.syslog.%s.%N", def,
- facility, debug_lower_names, group));
- }
- charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
- charon->bus->add_logger(charon->bus, &sys_logger->logger);
- }
- enumerator->destroy(enumerator);
-
- /* and file loggers */
- enumerator = lib->settings->create_section_enumerator(lib->settings,
- "charon.filelog");
- while (enumerator->enumerate(enumerator, &filename))
- {
- loggers_defined++;
- if (streq(filename, "stderr"))
- {
- file = stderr;
- }
- else if (streq(filename, "stdout"))
- {
- file = stdout;
- }
- else
- {
- append = lib->settings->get_bool(lib->settings,
- "charon.filelog.%s.append", TRUE, filename);
- file = fopen(filename, append ? "a" : "w");
- if (file == NULL)
- {
- DBG1(DBG_DMN, "opening file %s for logging failed: %s",
- filename, strerror(errno));
- continue;
- }
- if (lib->settings->get_bool(lib->settings,
- "charon.filelog.%s.flush_line", FALSE, filename))
- {
- setlinebuf(file);
- }
- }
- file_logger = file_logger_create(file,
- lib->settings->get_str(lib->settings,
- "charon.filelog.%s.time_format", NULL, filename),
- lib->settings->get_bool(lib->settings,
- "charon.filelog.%s.ike_name", FALSE, filename));
- def = lib->settings->get_int(lib->settings,
- "charon.filelog.%s.default", 1, filename);
- for (group = 0; group < DBG_MAX; group++)
- {
- file_logger->set_level(file_logger, group,
- lib->settings->get_int(lib->settings,
- "charon.filelog.%s.%N", def,
- filename, debug_lower_names, group));
- }
- charon->file_loggers->insert_last(charon->file_loggers, file_logger);
- charon->bus->add_logger(charon->bus, &file_logger->logger);
-
- }
- enumerator->destroy(enumerator);
-
- /* set up legacy style default loggers provided via command-line */
- if (!loggers_defined)
- {
- /* set up default stdout file_logger */
- file_logger = file_logger_create(stdout, NULL, FALSE);
- charon->file_loggers->insert_last(charon->file_loggers, file_logger);
- /* set up default daemon sys_logger */
- sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
- charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
- for (group = 0; group < DBG_MAX; group++)
- {
- sys_logger->set_level(sys_logger, group, levels[group]);
- if (use_stderr)
- {
- file_logger->set_level(file_logger, group, levels[group]);
- }
- }
- charon->bus->add_logger(charon->bus, &file_logger->logger);
- charon->bus->add_logger(charon->bus, &sys_logger->logger);
-
- /* set up default auth sys_logger */
- sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
- sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
- charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
- charon->bus->add_logger(charon->bus, &sys_logger->logger);
- }
-}
-
-/**
* print command line usage and exit
*/
static void usage(const char *msg)
@@ -400,8 +270,6 @@ static void usage(const char *msg)
int main(int argc, char *argv[])
{
struct sigaction action;
- bool use_syslog = FALSE;
- level_t levels[DBG_MAX];
int group, status = SS_RC_INITIALIZATION_FAILED;
struct utsname utsname;
@@ -505,7 +373,7 @@ int main(int argc, char *argv[])
goto deinit;
}
- initialize_loggers(!use_syslog, levels);
+ charon->load_loggers(charon, levels, !use_syslog);
if (uname(&utsname) != 0)
{
@@ -533,7 +401,6 @@ int main(int argc, char *argv[])
if (check_pidfile())
{
DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
- status = -1;
goto deinit;
}
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index ecbc3ae39..8a816d626 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -103,6 +103,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libchecksum_la_LIBADD =
@@ -157,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -184,6 +191,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -211,6 +219,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -223,6 +232,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -276,7 +286,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -423,7 +432,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES)
+libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) $(EXTRA_libchecksum_la_DEPENDENCIES)
$(libchecksum_la_LINK) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
clean-noinstPROGRAMS:
@@ -434,7 +443,7 @@ clean-noinstPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES)
+checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) $(EXTRA_checksum_builder_DEPENDENCIES)
@rm -f checksum_builder$(EXEEXT)
$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
@@ -573,10 +582,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index b083d54db..0d9e8fd85 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -21,7 +21,7 @@
#include <library.h>
#include <hydra.h>
#include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
/* we need to fake the pluto symbol to dlopen() the xauth plugin */
void *pluto;
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index ea26b70e7..960705ce1 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -111,6 +111,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -138,6 +139,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -165,6 +167,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -177,6 +180,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -230,7 +234,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -379,7 +382,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES)
+conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) $(EXTRA_conftest_DEPENDENCIES)
@rm -f conftest$(EXEEXT)
$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
@@ -864,10 +867,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/conftest/README b/src/conftest/README
index e2156921f..617195df9 100644
--- a/src/conftest/README
+++ b/src/conftest/README
@@ -98,9 +98,10 @@ The IKE_SA configuration uses the following options (as key/value pairs):
src/libstrongswan/crypt/proposal/proposal_keywords.txt
fake_nat: Fake the NAT_DETECTION_*_IP payloads to simulate a NAT
scenario
- rsa_strength: connection requires a trustchain with RSA keys of given bits
- ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits
- cert_policy: connection requries a certificate with the given OID policy
+ rsa_strength: Connection requires a trustchain with RSA keys of given bits
+ ecdsa_strength: Connection requires a trustchain with ECDSA keys of given bits
+ cert_policy: Connection requries a certificate with the given OID policy
+ named_pool: Name of an IP pool defined e.g. in a database backend
The following CHILD_SA specific configuration options are supported:
@@ -109,6 +110,7 @@ The following CHILD_SA specific configuration options are supported:
transport: Propose IPsec transport mode instead of tunnel mode
tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
given length
+ proposal: CHILD_SA proposal list, same syntax as IKE_SA proposal list
6. Credentials
--------------
@@ -238,6 +240,7 @@ Currently, the following hooks are defined with the following options:
rebuild_auth: rebuild AUTH payload, i.e. if ID payload changed
reset_seq: Reset sequence numbers of an ESP SA
delay: Seconds to delay reset after SA established
+ oseq: Sequence number to set, default is 0
set_critical: Set critical bit on existing payloads:
request: yes to set in request, no in response
id: IKEv2 message identifier of message to mangle payloads
diff --git a/src/conftest/config.c b/src/conftest/config.c
index cbc6ac05f..ae0d93460 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -101,12 +101,13 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
proposal_t *proposal;
char *token;
- ike_cfg = ike_cfg_create(TRUE,
+ ike_cfg = ike_cfg_create(IKEV2, TRUE,
settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
settings->get_str(settings, "configs.%s.lhost", "%any", config), FALSE,
settings->get_int(settings, "configs.%s.lport", 500, config),
settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
- settings->get_int(settings, "configs.%s.rport", 500, config));
+ settings->get_int(settings, "configs.%s.rport", 500, config),
+ FRAGMENTATION_NO);
token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
if (token)
{
@@ -143,9 +144,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
proposal_t *proposal;
traffic_selector_t *ts;
ipsec_mode_t mode = MODE_TUNNEL;
- host_t *net;
char *token;
- int bits;
u_int32_t tfc;
if (settings->get_bool(settings, "configs.%s.%s.transport",
@@ -183,16 +182,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
}
- token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+ token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
if (token)
{
enumerator = enumerator_create_token(token, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- net = host_create_from_subnet(token, &bits);
- if (net)
+ ts = traffic_selector_create_from_cidr(token, 0, 0);
+ if (ts)
{
- ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
}
else
@@ -208,16 +206,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
}
- token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+ token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config, child);
if (token)
{
enumerator = enumerator_create_token(token, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- net = host_create_from_subnet(token, &bits);
- if (net)
+ ts = traffic_selector_create_from_cidr(token, 0, 0);
+ if (ts)
{
- ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
}
else
@@ -247,11 +244,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
child_cfg_t *child_cfg;
enumerator_t *enumerator;
identification_t *lid, *rid;
- char *child, *policy;
+ char *child, *policy, *pool;
uintptr_t strength;
ike_cfg = load_ike_config(this, settings, config);
- peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
+ peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
FALSE, NULL, NULL);
@@ -266,12 +263,12 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
rid = identification_create_from_string(
settings->get_str(settings, "configs.%s.rid", "%any", config));
- strength = settings->get_int(settings, "configs.%s.rsa_strength", 0);
+ strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);
if (strength)
{
auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
}
- strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0);
+ strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0, config);
if (strength)
{
auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
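Review bot: `strength` is declared `uintptr_t` in load_peer_config() but is filled from `settings->get_int()`, whose default argument here is a plain `0`. If that call returns a signed int, a negative `rsa_strength` or `ecdsa_strength` in the test configuration passes the `if (strength)` test and is added as a very large key-strength rule. Reading into a signed local and checking the sign avoids that, e.g. `int bits = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);` followed by `if (bits > 0) { auth->add(auth, AUTH_RULE_RSA_STRENGTH, (uintptr_t)bits); }`, and likewise for the ECDSA value. load_peer_config() starts and ends outside this hunk.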
@@ -283,6 +280,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
}
auth->add(auth, AUTH_RULE_IDENTITY, rid);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+ pool = settings->get_str(settings, "configs.%s.named_pool", NULL, config);
+ if (pool)
+ {
+ peer_cfg->add_pool(peer_cfg, pool);
+ }
DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index 6491fd294..c2251effa 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -26,6 +26,7 @@
#include "config.h"
#include "hooks/hook.h"
+#include <bus/listeners/file_logger.h>
#include <threading/thread.h>
#include <credentials/certificates/x509.h>
@@ -322,6 +323,7 @@ static bool load_hooks()
*/
static void cleanup()
{
+ file_logger_t *logger;
hook_t *hook;
DESTROY_IF(conftest->test);
@@ -344,6 +346,13 @@ static void cleanup()
}
conftest->config->destroy(conftest->config);
}
+ while (conftest->loggers->remove_last(conftest->loggers,
+ (void**)&logger) == SUCCESS)
+ {
+ charon->bus->remove_logger(charon->bus, &logger->logger);
+ logger->destroy(logger);
+ }
+ conftest->loggers->destroy(conftest->loggers);
free(conftest->suite_dir);
free(conftest);
libcharon_deinit();
@@ -369,32 +378,46 @@ static void load_log_levels(file_logger_t *logger, char *section)
}
/**
+ * Load logger options for a logger from section
+ */
+static void load_logger_options(file_logger_t *logger, char *section)
+{
+ bool ike_name;
+ char *time_format;
+
+ time_format = conftest->test->get_str(conftest->test,
+ "log.%s.time_format", NULL, section);
+ ike_name = conftest->test->get_bool(conftest->test,
+ "log.%s.ike_name", FALSE, section);
+
+ logger->set_options(logger, time_format, ike_name);
+}
+
+/**
* Load logger configuration
*/
static void load_loggers(file_logger_t *logger)
{
enumerator_t *enumerator;
char *section;
- FILE *file;
load_log_levels(logger, "stdout");
+ load_logger_options(logger, "stdout");
+ /* Re-add the logger to propagate configuration changes to the
+ * logging system */
+ charon->bus->add_logger(charon->bus, &logger->logger);
enumerator = conftest->test->create_section_enumerator(conftest->test, "log");
while (enumerator->enumerate(enumerator, &section))
{
if (!streq(section, "stdout"))
{
- file = fopen(section, "w");
- if (file == NULL)
- {
- fprintf(stderr, "opening file %s for logging failed: %s",
- section, strerror(errno));
- continue;
- }
- logger = file_logger_create(file, NULL, FALSE);
+ logger = file_logger_create(section);
+ load_logger_options(logger, section);
+ logger->open(logger, FALSE, FALSE);
load_log_levels(logger, section);
charon->bus->add_logger(charon->bus, &logger->logger);
- charon->file_loggers->insert_last(charon->file_loggers, logger);
+ conftest->loggers->insert_last(conftest->loggers, logger);
}
}
enumerator->destroy(enumerator);
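Review bot: In load_loggers() the outcome of `logger->open(logger, FALSE, FALSE)` is not checked, whereas the removed code tested `fopen()` for NULL, printed the error and skipped that logger. Unless `open()` reports failures itself (not visible here), a log section naming an unwritable path now yields a logger that is still configured, added to the bus and stored in `conftest->loggers` without any diagnostic. If `open()` returns nothing, a comment stating that it logs its own failure would settle the question; if it returns a status, the rest of the loop body should be guarded on it. The two `FALSE` arguments would also benefit from inline comments naming what they switch off.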
@@ -433,16 +456,18 @@ int main(int argc, char *argv[])
INIT(conftest,
.creds = mem_cred_create(),
+ .config = config_create(),
+ .hooks = linked_list_create(),
+ .loggers = linked_list_create(),
);
+ lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
- logger = file_logger_create(stdout, NULL, FALSE);
+ logger = file_logger_create("stdout");
+ logger->set_options(logger, NULL, FALSE);
+ logger->open(logger, FALSE, FALSE);
logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
charon->bus->add_logger(charon->bus, &logger->logger);
- charon->file_loggers->insert_last(charon->file_loggers, logger);
-
- lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
- conftest->hooks = linked_list_create();
- conftest->config = config_create();
+ conftest->loggers->insert_last(conftest->loggers, logger);
atexit(cleanup);
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 2caf9b3ce..6bbdabd07 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -64,6 +64,11 @@ struct conftest_t {
* Action handling
*/
actions_t *actions;
+
+ /**
+ * Test specific loggers
+ */
+ linked_list_t *loggers;
};
/**
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
index 6fb7a2e4b..100977324 100644
--- a/src/conftest/hooks/reset_seq.c
+++ b/src/conftest/hooks/reset_seq.c
@@ -12,6 +12,27 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
+/*
+ * Copyright (C) 2012 achelos GmbH
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
#include "hook.h"
@@ -40,21 +61,46 @@ struct private_reset_seq_t {
* Delay for reset
*/
int delay;
+
+ /**
+ * Sequence number to set for outgoing packages
+ */
+ int oseq;
+};
+
+typedef struct reset_cb_data_t reset_cb_data_t;
+
+/**
+ * Data needed for the callback job
+ */
+struct reset_cb_data_t {
+
+ /**
+ * The SA to modify
+ */
+ struct xfrm_usersa_id usersa;
+
+ /**
+ * Sequence number to set for outgoing packages
+ */
+ int oseq;
};
/**
* Callback job
*/
-static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
+static job_requeue_t reset_cb(struct reset_cb_data_t *data)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_aevent_id *id;
struct rtattr *rthdr;
+ struct xfrm_replay_state *rpstate;
struct sockaddr_nl addr;
int s, len;
- DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi));
+ DBG1(DBG_CFG, "setting sequence number of SPI 0x%x to %d",
+ htonl(data->usersa.spi), data->oseq);
memset(&request, 0, sizeof(request));
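Review bot: The new `oseq` fields in `private_reset_seq_t` and `reset_cb_data_t` are declared `int`, but the value ends up in `rpstate->oseq` of `struct xfrm_replay_state` (next hunk), which is an unsigned 32-bit counter in the kernel header. A negative `hooks.<name>.oseq` from the test config is therefore converted silently and logged with `%d` as a negative number. Declaring both fields `u_int32_t oseq;` and printing with `%u` keeps the logged value and the value sent to the kernel the same. The `get_int` read in reset_seq_hook_create() (last hunk of this file) is then where a range check or a comment on the conversion belongs. Separately, `reset_cb` takes `struct reset_cb_data_t *data` although the typedef `reset_cb_data_t` was just introduced; its body continues outside this hunk.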
@@ -66,13 +112,22 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
- id->sa_id = *data;
+ id->sa_id = data->usersa;
rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
rthdr->rta_type = XFRMA_REPLAY_VAL;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
hdr->nlmsg_len += rthdr->rta_len;
+ /* xfrm_replay_state is the structure the kernel uses for
+ * replay detection, and the oseq element contains the
+ * sequence number for outgoing packets. Currently, this
+ * function sets the other elements seq (records the number of
+ * incoming packets) and bitmask to zero, but they could be
+ * adjusted in the same way as oseq if required. */
+ rpstate = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+ rpstate->oseq = data->oseq;
+
s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
if (s == -1)
{
@@ -97,17 +152,21 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
static void schedule_reset_job(private_reset_seq_t *this, host_t *dst,
u_int32_t spi)
{
- struct xfrm_usersa_id *data;
+ struct reset_cb_data_t *data;
chunk_t chunk;
INIT(data,
- .spi = spi,
- .family = dst->get_family(dst),
- .proto = IPPROTO_ESP,
+ .usersa = {
+ .spi = spi,
+ .family = dst->get_family(dst),
+ .proto = IPPROTO_ESP,
+ },
+ .oseq = this->oseq,
);
chunk = dst->get_address(dst);
- memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+ memcpy(&data->usersa.daddr, chunk.ptr,
+ min(chunk.len, sizeof(xfrm_address_t)));
lib->scheduler->schedule_job(lib->scheduler,
(job_t*)callback_job_create(
@@ -149,6 +208,8 @@ hook_t *reset_seq_hook_create(char *name)
},
.delay = conftest->test->get_int(conftest->test,
"hooks.%s.delay", 10, name),
+ .oseq = conftest->test->get_int(conftest->test,
+ "hooks.%s.oseq", 0, name),
);
return &this->hook;
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 8b8cebcd8..3e4625ec8 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -11,7 +11,7 @@ irdumm_SOURCES = irdumm.c
libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
-irdumm_LDADD = libdumm.la -lruby1.8 $(top_builddir)/src/libstrongswan/libstrongswan.la
+irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
${RUBYINCLUDE}
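Review bot: `${RUBYLIB}` in `irdumm_LDADD` reuses the name of the environment variable the Ruby interpreter reads for its library search path, so the linker flag is easy to confuse with, or be overwritten by, a user's Ruby setting. If configure takes the value from the environment (configure.in is not part of this hunk), a developer with `RUBYLIB` exported would get a directory list passed to the linker. make also hands the Makefile's value of an inherited environment variable back to the recipes it runs. A distinct substitution name avoids both, e.g. `irdumm_LDADD = libdumm.la ${RUBY_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la`, where `RUBY_LIBS` is a placeholder name to be defined in configure.in.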
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index ad24ca998..a2b994ec3 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libdumm_la_DEPENDENCIES = \
@@ -90,7 +96,7 @@ dumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1) \
$(top_builddir)/src/libstrongswan/libstrongswan.la
am_irdumm_OBJECTS = irdumm.$(OBJEXT)
irdumm_OBJECTS = $(am_irdumm_OBJECTS)
-irdumm_DEPENDENCIES = libdumm.la \
+irdumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1) \
$(top_builddir)/src/libstrongswan/libstrongswan.la
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -129,6 +135,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -156,6 +163,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -183,6 +191,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -195,6 +204,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -248,7 +258,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -306,7 +315,7 @@ dumm_SOURCES = main.c
irdumm_SOURCES = irdumm.c
libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
-irdumm_LDADD = libdumm.la -lruby1.8 $(top_builddir)/src/libstrongswan/libstrongswan.la
+irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
${RUBYINCLUDE}
@@ -376,7 +385,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES)
+libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) $(EXTRA_libdumm_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
@@ -421,10 +430,10 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES)
+dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) $(EXTRA_dumm_DEPENDENCIES)
@rm -f dumm$(EXEEXT)
$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
-irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES)
+irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) $(EXTRA_irdumm_DEPENDENCIES)
@rm -f irdumm$(EXEEXT)
$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
@@ -569,10 +578,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index 85b6471b6..d00e49b3e 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -16,8 +16,8 @@
#include <sys/types.h>
#include <libbridge.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include "bridge.h"
diff --git a/src/dumm/bridge.h b/src/dumm/bridge.h
index c557de994..9d48092df 100644
--- a/src/dumm/bridge.h
+++ b/src/dumm/bridge.h
@@ -17,7 +17,7 @@
#define BRIDGE_H
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct bridge_t bridge_t;
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index f708a293b..28c62c217 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -34,10 +34,10 @@
#include "cowfs.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */
extern ssize_t pread(int fd, void *buf, size_t count, off_t offset);
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 59751fa09..cc4f5a16b 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -23,8 +23,8 @@
#include <dirent.h>
#include <errno.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include "dumm.h"
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 4bd20808c..7c7923c46 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -20,7 +20,7 @@
#include <signal.h>
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include "guest.h"
#include "bridge.h"
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index ca9b29388..603fac088 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -21,8 +21,8 @@
#include <library.h>
#include <dumm.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#undef PACKAGE_NAME
#undef PACKAGE_TARNAME
@@ -30,6 +30,8 @@
#undef PACKAGE_STRING
#undef PACKAGE_BUGREPORT
#undef PACKAGE_URL
+/* avoid redefintiion of snprintf etc. */
+#define RUBY_DONT_SUBST
#include <ruby.h>
static dumm_t *dumm;
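Review bot: The comment added above `#define RUBY_DONT_SUBST` misspells "redefinition" and does not say which header does the redefining. Something like `/* keep ruby.h from redefining snprintf etc. */` would make clear that the define has to stay ahead of `#include <ruby.h>`. Without that hint, a later reordering of the include block could silently bring the substitution back.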
@@ -141,7 +143,11 @@ static VALUE guest_hash(VALUE class)
if (!rb_cvar_defined(class, id))
{
VALUE hash = guest_hash_create(class);
+#ifdef RB_CVAR_SET_4_ARGS
rb_cvar_set(class, id, hash, 0);
+#else
+ rb_cvar_set(class, id, hash);
+#endif
return hash;
}
return rb_cvar_get(class, id);
@@ -627,6 +633,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
{
rb_raise(rb_eArgError, "must be called with a block");
}
+ list = linked_list_create();
Data_Get_Struct(self, iface_t, iface);
enumerator = iface->create_address_enumerator(iface);
while (enumerator->enumerate(enumerator, &addr))
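Review bot: `list = linked_list_create();` is placed ahead of `Data_Get_Struct(self, iface_t, iface);`, and Data_Get_Struct type-checks `self` and raises, a non-local exit, when that check fails, so the freshly allocated list would never be released on that path. Moving the allocation to the line after `Data_Get_Struct` keeps the initialisation this hunk adds without that leak. The rest of iface_each_addr is outside the hunk, including where the list is destroyed and whether the block can exit early while it still holds entries.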
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 336f6effa..8e74ca629 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -28,8 +28,8 @@
#include <termios.h>
#include <stdarg.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include "dumm.h"
#include "guest.h"
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 789f2310e..0da05d88c 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -18,7 +18,7 @@
#define GUEST_H
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef enum guest_state_t guest_state_t;
typedef struct guest_t guest_t;
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index 214387e88..3e7b010b3 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -25,8 +25,8 @@
#include <sys/ioctl.h>
#include <linux/if_tun.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include "iface.h"
diff --git a/src/dumm/iface.h b/src/dumm/iface.h
index e96ee508c..ae886acc3 100644
--- a/src/dumm/iface.h
+++ b/src/dumm/iface.h
@@ -17,8 +17,8 @@
#define IFACE_H
#include <library.h>
-#include <utils/enumerator.h>
-#include <utils/host.h>
+#include <collections/enumerator.h>
+#include <networking/host.h>
#define TAP_DEVICE "/dev/net/tun"
diff --git a/src/dumm/irdumm.c b/src/dumm/irdumm.c
index 7543e6bd6..d30973737 100644
--- a/src/dumm/irdumm.c
+++ b/src/dumm/irdumm.c
@@ -21,6 +21,10 @@
#undef PACKAGE_URL
#include <ruby.h>
+#ifdef HAVE_RB_ERRINFO
+#define ruby_errinfo rb_errinfo()
+#endif
+
/**
* main routine, parses args and reads from console
*/
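Review bot: The `ruby_errinfo` macro defined under `HAVE_RB_ERRINFO` expands to a function call, so it only works where the name is read. A statement that assigns to `ruby_errinfo` would stop compiling on a Ruby that provides `rb_errinfo()`; main's body is outside this hunk, so whether such an assignment exists cannot be checked here. A one-line comment would record why the shim is there, e.g. `/* newer Ruby provides rb_errinfo() in place of the ruby_errinfo global */`.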
diff --git a/src/dumm/main.c b/src/dumm/main.c
index 37e7ba8f7..4cdf4682f 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -15,7 +15,7 @@
#include "dumm.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <sys/types.h>
#include <unistd.h>
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 40045cc3a..54c4fe395 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -25,7 +25,7 @@
#include <errno.h>
#include <sys/un.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "mconsole.h"
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index bdf80a49c..ccf98b280 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -100,6 +101,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -127,6 +129,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -139,6 +142,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -192,7 +196,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -333,10 +336,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index dbb163f42..faa5f5cef 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
SCRIPTS = $(sbin_SCRIPTS)
SOURCES =
@@ -101,6 +107,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -128,6 +135,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -155,6 +163,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -167,6 +176,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -220,7 +230,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -335,9 +344,7 @@ uninstall-sbinSCRIPTS:
@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+ dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir)
mostlyclean-libtool:
-rm -f *.lo
@@ -375,9 +382,7 @@ uninstall-man8:
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
tags: TAGS
TAGS:
@@ -445,10 +450,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 7802fc48f..40eeb1f3e 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2012-06-19" "5.0.1dr3" "strongSwan"
+.TH IPSEC 8 "2012-06-19" "5.0.2" "strongSwan"
.SH NAME
ipsec \- invoke IPsec utilities
.SH SYNOPSIS
@@ -172,6 +172,10 @@ an HTTP- or LDAP-based CRL distribution point.
returns revocation information fetched from OCSP servers.
.PP
.TP
+.B "listcounters"
+show IKE counter values collected since daemon startup.
+.PP
+.TP
.B "listall [ --utc ]"
returns all information generated by the list commands above. Each list command
can be called with the
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index 41c6ff8d2..a190fa568 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -172,6 +172,10 @@ an HTTP- or LDAP-based CRL distribution point.
returns revocation information fetched from OCSP servers.
.PP
.TP
+.B "listcounters"
+show IKE counter values collected since daemon startup.
+.PP
+.TP
.B "listall [ --utc ]"
returns all information generated by the list commands above. Each list command
can be called with the
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 2acf5a3f6..8b6ad660d 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -59,7 +59,7 @@ case "$1" in
echo " listalgs|listpubkeys|listcerts [--utc]"
echo " listcacerts|listaacerts|listocspcerts [--utc]"
echo " listacerts|listgroups|listcainfos [--utc]"
- echo " listcrls|listocsp|listcards|listplugins|listall [--utc]"
+ echo " listcrls|listocsp|listcards|listplugins|listcounters|listall [--utc]"
echo " leases [<poolname> [<address>]]"
echo " rereadsecrets|rereadgroups"
echo " rereadcacerts|rereadaacerts|rereadocspcerts"
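Review bot: The usage line now reads `listcrls|listocsp|listcards|listplugins|listcounters|listall [--utc]`, which suggests `listcounters` accepts `--utc`, while the man page entry added in the same commit documents it as plain `listcounters`. If the command takes no time-format option, putting it on a line of its own would keep the help text and the man page in agreement, e.g. `echo "	listcounters"`. The case arm that dispatches the command is changed in the next hunk and its body is outside both hunks, so the actual option handling should be confirmed there.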
@@ -149,7 +149,7 @@ leases)
listalgs|listpubkeys|listplugins|\
listcerts|listcacerts|listaacerts|\
listacerts|listgroups|listocspcerts|\
-listcainfos|listcrls|listocsp|listall|\
+listcainfos|listcrls|listocsp|listcounters|listall|\
rereadsecrets|rereadcacerts|rereadaacerts|\
rereadacerts|rereadocspcerts|rereadcrls|\
rereadall|purgeocsp)
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 9eb864f50..b2d6c3128 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -42,6 +42,7 @@ encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
+encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
kernel/kernel_handler.c kernel/kernel_handler.h \
network/receiver.c network/receiver.h network/sender.c network/sender.h \
network/socket.c network/socket.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 56192bf0e..5203890ff 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -40,6 +40,7 @@ encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
+encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
kernel/kernel_handler.c kernel/kernel_handler.h \
network/receiver.c network/receiver.h network/sender.c network/sender.h \
network/socket.c network/socket.h \
@@ -484,6 +485,20 @@ if MONOLITHIC
endif
endif
+if USE_LOOKIP
+ SUBDIRS += plugins/lookip
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/lookip/libstrongswan-lookip.la
+endif
+endif
+
+if USE_ERROR_NOTIFY
+ SUBDIRS += plugins/error_notify
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/error_notify/libstrongswan-error-notify.la
+endif
+endif
+
if USE_CERTEXPIRE
SUBDIRS += plugins/certexpire
if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 3a9239af3..063bc6d11 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -178,30 +178,34 @@ host_triplet = @host@
@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_89 = plugins/ha/libstrongswan-ha.la
@USE_WHITELIST_TRUE@am__append_90 = plugins/whitelist
@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_91 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_CERTEXPIRE_TRUE@am__append_92 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_93 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_LED_TRUE@am__append_94 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_95 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_96 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_97 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_98 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_99 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_100 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_101 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_102 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_103 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_104 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_105 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_106 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_107 = plugins/unity/libstrongswan-unity.la
-@USE_UNIT_TESTS_TRUE@am__append_108 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_109 = plugins/unit_tester/libstrongswan-unit-tester.la
-@USE_XAUTH_GENERIC_TRUE@am__append_110 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_111 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_112 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_113 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_114 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_115 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_LOOKIP_TRUE@am__append_92 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_93 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_94 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_95 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_96 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_97 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_LED_TRUE@am__append_98 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_99 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_100 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_101 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_102 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_103 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_104 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_105 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_106 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_107 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_108 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_109 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_110 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_111 = plugins/unity/libstrongswan-unity.la
+@USE_UNIT_TESTS_TRUE@am__append_112 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_113 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_XAUTH_GENERIC_TRUE@am__append_114 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_115 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_116 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_117 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_118 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_119 = plugins/xauth_pam/libstrongswan-xauth-pam.la
subdir = src/libcharon
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -241,6 +245,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -264,7 +274,8 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__append_93) $(am__append_95) $(am__append_97) \
$(am__append_99) $(am__append_101) $(am__append_103) \
$(am__append_105) $(am__append_107) $(am__append_109) \
- $(am__append_111) $(am__append_113) $(am__append_115)
+ $(am__append_111) $(am__append_113) $(am__append_115) \
+ $(am__append_117) $(am__append_119)
am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
bus/listeners/listener.h bus/listeners/logger.h \
bus/listeners/file_logger.c bus/listeners/file_logger.h \
@@ -315,7 +326,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
encoding/payloads/vendor_id_payload.c \
encoding/payloads/vendor_id_payload.h \
encoding/payloads/hash_payload.c \
- encoding/payloads/hash_payload.h kernel/kernel_handler.c \
+ encoding/payloads/hash_payload.h \
+ encoding/payloads/fragment_payload.c \
+ encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
kernel/kernel_handler.h network/receiver.c network/receiver.h \
network/sender.c network/sender.h network/socket.c \
network/socket.h network/socket_manager.c \
@@ -448,17 +461,18 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
sa_payload.lo traffic_selector_substructure.lo \
transform_attribute.lo transform_substructure.lo ts_payload.lo \
unknown_payload.lo vendor_id_payload.lo hash_payload.lo \
- kernel_handler.lo receiver.lo sender.lo socket.lo \
- socket_manager.lo acquire_job.lo delete_child_sa_job.lo \
- delete_ike_sa_job.lo migrate_job.lo process_message_job.lo \
- rekey_child_sa_job.lo rekey_ike_sa_job.lo retransmit_job.lo \
- retry_initiate_job.lo send_dpd_job.lo send_keepalive_job.lo \
- start_action_job.lo roam_job.lo update_sa_job.lo \
- inactivity_job.lo eap_method.lo eap_manager.lo xauth_method.lo \
- xauth_manager.lo authenticator.lo child_sa.lo ike_sa.lo \
- ike_sa_id.lo keymat.lo ike_sa_manager.lo task_manager.lo \
- shunt_manager.lo trap_manager.lo task.lo $(am__objects_1) \
- $(am__objects_2) $(am__objects_3)
+ fragment_payload.lo kernel_handler.lo receiver.lo sender.lo \
+ socket.lo socket_manager.lo acquire_job.lo \
+ delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \
+ process_message_job.lo rekey_child_sa_job.lo \
+ rekey_ike_sa_job.lo retransmit_job.lo retry_initiate_job.lo \
+ send_dpd_job.lo send_keepalive_job.lo start_action_job.lo \
+ roam_job.lo update_sa_job.lo inactivity_job.lo eap_method.lo \
+ eap_manager.lo xauth_method.lo xauth_manager.lo \
+ authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo keymat.lo \
+ ike_sa_manager.lo task_manager.lo shunt_manager.lo \
+ trap_manager.lo task.lo $(am__objects_1) $(am__objects_2) \
+ $(am__objects_3)
libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -503,10 +517,11 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
plugins/tnccs_11 plugins/tnccs_20 plugins/tnccs_dynamic \
plugins/medsrv plugins/medcli plugins/dhcp plugins/android \
plugins/android_log plugins/maemo plugins/ha plugins/whitelist \
- plugins/certexpire plugins/led plugins/duplicheck \
- plugins/coupling plugins/radattr plugins/uci plugins/addrblock \
- plugins/unity plugins/unit_tester plugins/xauth_generic \
- plugins/xauth_eap plugins/xauth_pam
+ plugins/lookip plugins/error_notify plugins/certexpire \
+ plugins/led plugins/duplicheck plugins/coupling \
+ plugins/radattr plugins/uci plugins/addrblock plugins/unity \
+ plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
+ plugins/xauth_pam
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -552,6 +567,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -579,6 +595,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -606,6 +623,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -618,6 +636,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -671,7 +690,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -768,7 +786,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
encoding/payloads/vendor_id_payload.c \
encoding/payloads/vendor_id_payload.h \
encoding/payloads/hash_payload.c \
- encoding/payloads/hash_payload.h kernel/kernel_handler.c \
+ encoding/payloads/hash_payload.h \
+ encoding/payloads/fragment_payload.c \
+ encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
kernel/kernel_handler.h network/receiver.c network/receiver.h \
network/sender.c network/sender.h network/socket.c \
network/socket.h network/socket_manager.c \
@@ -838,7 +858,7 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
$(am__append_97) $(am__append_99) $(am__append_101) \
$(am__append_103) $(am__append_105) $(am__append_107) \
$(am__append_109) $(am__append_111) $(am__append_113) \
- $(am__append_115)
+ $(am__append_115) $(am__append_117) $(am__append_119)
EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_4) $(am__append_6) \
@MONOLITHIC_FALSE@ $(am__append_8) $(am__append_10) \
@@ -866,7 +886,8 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_102) \
@MONOLITHIC_FALSE@ $(am__append_104) $(am__append_106) \
@MONOLITHIC_FALSE@ $(am__append_108) $(am__append_110) \
-@MONOLITHIC_FALSE@ $(am__append_112) $(am__append_114)
+@MONOLITHIC_FALSE@ $(am__append_112) $(am__append_114) \
+@MONOLITHIC_FALSE@ $(am__append_116) $(am__append_118)
# build optional plugins
########################
@@ -896,7 +917,8 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_102) \
@MONOLITHIC_TRUE@ $(am__append_104) $(am__append_106) \
@MONOLITHIC_TRUE@ $(am__append_108) $(am__append_110) \
-@MONOLITHIC_TRUE@ $(am__append_112) $(am__append_114)
+@MONOLITHIC_TRUE@ $(am__append_112) $(am__append_114) \
+@MONOLITHIC_TRUE@ $(am__append_116) $(am__append_118)
all: all-recursive
.SUFFIXES:
@@ -962,7 +984,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES)
+libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libcharon_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -1002,6 +1024,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/endpoint_notify.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fragment_payload.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash_payload.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hybrid_authenticator.Plo@am__quote@
@@ -1364,6 +1387,13 @@ hash_payload.lo: encoding/payloads/hash_payload.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
+fragment_payload.lo: encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fragment_payload.lo -MD -MP -MF $(DEPDIR)/fragment_payload.Tpo -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/fragment_payload.Tpo $(DEPDIR)/fragment_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/fragment_payload.c' object='fragment_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+
kernel_handler.lo: kernel/kernel_handler.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
@@ -2155,10 +2185,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 1f9592e6e..b5cdaaa89 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -309,6 +309,7 @@ METHOD(bus_t, vlog, void,
va_end(copy);
if (len >= sizeof(buf))
{
+ len++;
data.message = malloc(len);
len = vsnprintf(data.message, len, format, args);
}
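Review bot: The result of `malloc(len)` goes straight into `vsnprintf()` on the next line, so an allocation failure while formatting an oversized log message becomes a NULL write in the logging path. I would check the pointer and, on failure, keep the truncated text already formatted into `buf` and skip the second `vsnprintf()`. How `data.message` is released later in `vlog` is outside this hunk, so the fallback has to match that cleanup. The first `vsnprintf()` can also return a negative value on error. Depending on the type of `len` (not visible here), the comparison with `sizeof(buf)` may let that value reach `len++` and `malloc()`, so an explicit `len < 0` check before this branch is worth adding.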
@@ -719,6 +720,10 @@ METHOD(bus_t, authorize, bool,
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
+ if (!success)
+ {
+ alert(this, ALERT_AUTHORIZATION_FAILED);
+ }
return success;
}
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index aba8acdbd..4645bbde6 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -28,7 +28,7 @@ typedef struct bus_t bus_t;
#include <stdarg.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <sa/ike_sa.h>
#include <sa/child_sa.h>
#include <processing/jobs/job.h>
@@ -86,10 +86,50 @@ enum alert_t {
ALERT_RADIUS_NOT_RESPONDING,
/** a shutdown signal has been received, argument is the signal (int) */
ALERT_SHUTDOWN_SIGNAL,
+ /** creating local authentication data failed, no arguments */
+ ALERT_LOCAL_AUTH_FAILED,
/** peer authentication failed, no arguments */
ALERT_PEER_AUTH_FAILED,
/** failed to resolve peer address, no arguments */
ALERT_PEER_ADDR_FAILED,
+ /** peer did not respond to initial message, current try (int, 0-based) */
+ ALERT_PEER_INIT_UNREACHABLE,
+ /** received IKE message with invalid SPI, argument is message_t* */
+ ALERT_INVALID_IKE_SPI,
+ /** received IKE message with invalid header, argument is message_t* */
+ ALERT_PARSE_ERROR_HEADER,
+ /** received IKE message with invalid body, argument is message_t*,
+ * followed by a status_t result returned by message_t.parse_body(). */
+ ALERT_PARSE_ERROR_BODY,
+ /** sending a retransmit for a message, argument is packet_t */
+ ALERT_RETRANSMIT_SEND,
+ /** sending retransmits timed out, argument is packet_t */
+ ALERT_RETRANSMIT_SEND_TIMEOUT,
+ /** received a retransmit for a message, argument is message_t */
+ ALERT_RETRANSMIT_RECEIVE,
+ /** received half-open timeout before IKE_SA established, no argument */
+ ALERT_HALF_OPEN_TIMEOUT,
+ /** IKE proposals do not match, argument is linked_list_t of proposal_t */
+ ALERT_PROPOSAL_MISMATCH_IKE,
+ /** CHILD proposals do not match, argument is linked_list_t of proposal_t */
+ ALERT_PROPOSAL_MISMATCH_CHILD,
+ /** traffic selectors do not match, arguments are two linked_list_t
+ * containing traffic_selector_t for initiator and for responder */
+ ALERT_TS_MISMATCH,
+ /** Installation of IPsec SAs failed, argument is child_sa_t */
+ ALERT_INSTALL_CHILD_SA_FAILED,
+ /** Installation of IPsec Policy failed, argument is child_sa_t */
+ ALERT_INSTALL_CHILD_POLICY_FAILED,
+ /** IKE_SA deleted because of "replace" unique policy, no argument */
+ ALERT_UNIQUE_REPLACE,
+ /** IKE_SA deleted because of "keep" unique policy, no argument */
+ ALERT_UNIQUE_KEEP,
+ /** IKE_SA kept on failed child SA establishment, no argument */
+ ALERT_KEEP_ON_CHILD_SA_FAILURE,
+ /** allocating virtual IP failed, linked_list_t of host_t requested */
+ ALERT_VIP_FAILURE,
+ /** an authorize() hook failed, no argument */
+ ALERT_AUTHORIZATION_FAILED,
};
/**
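Review bot: `ALERT_LOCAL_AUTH_FAILED` is inserted ahead of `ALERT_PEER_AUTH_FAILED`, and further values are inserted before the end of `alert_t`, so the existing enumerators after that point change their numeric value. A listener or plugin built against the previous header would then misinterpret alerts until it is rebuilt; appending new values at the end of the enum would avoid that, though whether out-of-tree consumers exist is not visible here. The argument descriptions are also inconsistent: some say `message_t*` while others say `packet_t`, `child_sa_t` or `linked_list_t` without the pointer. Since the alert arguments appear to be passed untyped, I would spell the exact pointer type on every entry, e.g. `argument is packet_t*`.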
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 9c8458eb5..68a386d11 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -17,10 +17,15 @@
#include <stdio.h>
#include <string.h>
#include <time.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
#include "file_logger.h"
+#include <daemon.h>
#include <threading/mutex.h>
+#include <threading/rwlock.h>
typedef struct private_file_logger_t private_file_logger_t;
@@ -35,7 +40,12 @@ struct private_file_logger_t {
file_logger_t public;
/**
- * output file
+ * File name of the target
+ */
+ char *filename;
+
+ /**
+ * Current output file
*/
FILE *out;
@@ -58,6 +68,11 @@ struct private_file_logger_t {
* Mutex to ensure multi-line log messages are not torn apart
*/
mutex_t *mutex;
+
+ /**
+ * Lock to read/write options (FD, levels, time_format, etc.)
+ */
+ rwlock_t *lock;
};
METHOD(logger_t, log_, void,
@@ -69,6 +84,12 @@ METHOD(logger_t, log_, void,
struct tm tm;
time_t t;
+ this->lock->read_lock(this->lock);
+ if (!this->out)
+ { /* file is not open */
+ this->lock->unlock(this->lock);
+ return;
+ }
if (this->time_format)
{
t = time(NULL);
@@ -117,17 +138,24 @@ METHOD(logger_t, log_, void,
current = next + 1;
}
this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
}
METHOD(logger_t, get_level, level_t,
private_file_logger_t *this, debug_t group)
{
- return this->levels[group];
+ level_t level;
+
+ this->lock->read_lock(this->lock);
+ level = this->levels[group];
+ this->lock->unlock(this->lock);
+ return level;
}
METHOD(file_logger_t, set_level, void,
private_file_logger_t *this, debug_t group, level_t level)
{
+ this->lock->write_lock(this->lock);
if (group < DBG_ANY)
{
this->levels[group] = level;
@@ -139,23 +167,81 @@ METHOD(file_logger_t, set_level, void,
this->levels[group] = level;
}
}
+ this->lock->unlock(this->lock);
}
-METHOD(file_logger_t, destroy, void,
- private_file_logger_t *this)
+METHOD(file_logger_t, set_options, void,
+ private_file_logger_t *this, char *time_format, bool ike_name)
{
- if (this->out != stdout && this->out != stderr)
+ this->lock->write_lock(this->lock);
+ free(this->time_format);
+ this->time_format = strdupnull(time_format);
+ this->ike_name = ike_name;
+ this->lock->unlock(this->lock);
+}
+
+/**
+ * Close the current file, if any
+ */
+static void close_file(private_file_logger_t *this)
+{
+ if (this->out && this->out != stdout && this->out != stderr)
{
fclose(this->out);
+ this->out = NULL;
+ }
+}
+
+METHOD(file_logger_t, open_, void,
+ private_file_logger_t *this, bool flush_line, bool append)
+{
+ FILE *file;
+
+ if (streq(this->filename, "stderr"))
+ {
+ file = stderr;
+ }
+ else if (streq(this->filename, "stdout"))
+ {
+ file = stdout;
+ }
+ else
+ {
+ file = fopen(this->filename, append ? "a" : "w");
+ if (file == NULL)
+ {
+ DBG1(DBG_DMN, "opening file %s for logging failed: %s",
+ this->filename, strerror(errno));
+ return;
+ }
+ if (flush_line)
+ {
+ setlinebuf(file);
+ }
}
+ this->lock->write_lock(this->lock);
+ close_file(this);
+ this->out = file;
+ this->lock->unlock(this->lock);
+}
+
+METHOD(file_logger_t, destroy, void,
+ private_file_logger_t *this)
+{
+ this->lock->write_lock(this->lock);
+ close_file(this);
+ this->lock->unlock(this->lock);
this->mutex->destroy(this->mutex);
+ this->lock->destroy(this->lock);
+ free(this->time_format);
+ free(this->filename);
free(this);
}
/*
* Described in header.
*/
-file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
+file_logger_t *file_logger_create(char *filename)
{
private_file_logger_t *this;
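Review bot: In `open_`, `fopen(this->filename, append ? "a" : "w")` leaves the permissions of a newly created log file to the process umask and opens whatever the configured path resolves to. The daemon's log can carry peer identities and, at higher debug levels, more sensitive detail, so the file mode deserves to be set explicitly. One option is to create the descriptor with `open()` and an explicit mode such as 0640, then wrap it with `fdopen()`; whether a restrictive umask is already set elsewhere is not visible from this hunk. Separately, `flush_line` is honoured only in the regular-file branch, so it has no effect when the target is `stdout`. If that is intended, a comment such as `/* stdout/stderr keep their default buffering */` would say so.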
@@ -166,16 +252,16 @@ file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
.get_level = _get_level,
},
.set_level = _set_level,
+ .set_options = _set_options,
+ .open = _open_,
.destroy = _destroy,
},
- .out = out,
- .time_format = time_format,
- .ike_name = ike_name,
+ .filename = strdup(filename),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
set_level(this, DBG_ANY, LEVEL_SILENT);
return &this->public;
}
-
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index 85a2690a2..9e5aed50b 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -44,6 +45,22 @@ struct file_logger_t {
void (*set_level) (file_logger_t *this, debug_t group, level_t level);
/**
+ * Set options used by this logger
+ *
+ * @param time_format format of timestamp prefix, as in strftime(), cloned
+ * @param ike_name TRUE to prefix the name of the IKE_SA
+ */
+ void (*set_options) (file_logger_t *this, char *time_format, bool ike_name);
+
+ /**
+ * Open (or reopen) the log file according to the given parameters
+ *
+ * @param flush_line TRUE to flush buffers after every logged line
+ * @param append FALSE to overwrite an existing file, TRUE to append
+ */
+ void (*open) (file_logger_t *this, bool flush_line, bool append);
+
+ /**
* Destroys a file_logger_t object.
*/
void (*destroy) (file_logger_t *this);
@@ -52,11 +69,13 @@ struct file_logger_t {
/**
* Constructor to create a file_logger_t object.
*
- * @param out FILE to write to
- * @param time_format format of timestamp prefix, as in strftime()
- * @param ike_name TRUE to prefix the name of the IKE_SA
- * @return file_logger_t object
+ * The logger has to be opened via file_logger_t.open() before anything is
+ * logged.
+ *
+ * @param filename name of the log file (stderr and stdout are handled
+ * specially), cloned
+ * @return file_logger_t object
*/
-file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name);
+file_logger_t *file_logger_create(char *filename);
#endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index 53fdefe89..82e2c8e4c 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -21,6 +21,7 @@
#include "sys_logger.h"
#include <threading/mutex.h>
+#include <threading/rwlock.h>
typedef struct private_sys_logger_t private_sys_logger_t;
@@ -53,6 +54,11 @@ struct private_sys_logger_t {
* Mutex to ensure multi-line log messages are not torn apart
*/
mutex_t *mutex;
+
+ /**
+ * Lock to read/write options (levels, ike_name)
+ */
+ rwlock_t *lock;
};
METHOD(logger_t, log_, void,
@@ -65,6 +71,7 @@ METHOD(logger_t, log_, void,
/* cache group name and optional name string */
snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
+ this->lock->read_lock(this->lock);
if (this->ike_name && ike_sa)
{
if (ike_sa->get_peer_cfg(ike_sa))
@@ -78,6 +85,7 @@ METHOD(logger_t, log_, void,
ike_sa->get_unique_id(ike_sa));
}
}
+ this->lock->unlock(this->lock);
/* do a syslog for every line */
this->mutex->lock(this->mutex);
@@ -100,12 +108,18 @@ METHOD(logger_t, log_, void,
METHOD(logger_t, get_level, level_t,
private_sys_logger_t *this, debug_t group)
{
- return this->levels[group];
+ level_t level;
+
+ this->lock->read_lock(this->lock);
+ level = this->levels[group];
+ this->lock->unlock(this->lock);
+ return level;
}
METHOD(sys_logger_t, set_level, void,
private_sys_logger_t *this, debug_t group, level_t level)
{
+ this->lock->write_lock(this->lock);
if (group < DBG_ANY)
{
this->levels[group] = level;
@@ -117,12 +131,21 @@ METHOD(sys_logger_t, set_level, void,
this->levels[group] = level;
}
}
+ this->lock->unlock(this->lock);
+}
+
+METHOD(sys_logger_t, set_options, void,
+ private_sys_logger_t *this, bool ike_name)
+{
+ this->lock->write_lock(this->lock);
+ this->ike_name = ike_name;
+ this->lock->unlock(this->lock);
}
METHOD(sys_logger_t, destroy, void,
private_sys_logger_t *this)
{
- closelog();
+ this->lock->destroy(this->lock);
this->mutex->destroy(this->mutex);
free(this);
}
@@ -130,7 +153,7 @@ METHOD(sys_logger_t, destroy, void,
/*
* Described in header.
*/
-sys_logger_t *sys_logger_create(int facility, bool ike_name)
+sys_logger_t *sys_logger_create(int facility)
{
private_sys_logger_t *this;
@@ -141,11 +164,12 @@ sys_logger_t *sys_logger_create(int facility, bool ike_name)
.get_level = _get_level,
},
.set_level = _set_level,
+ .set_options = _set_options,
.destroy = _destroy,
},
.facility = facility,
- .ike_name = ike_name,
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
set_level(this, DBG_ANY, LEVEL_SILENT);
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
index fcb6655ca..9a0fee018 100644
--- a/src/libcharon/bus/listeners/sys_logger.h
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -44,6 +45,13 @@ struct sys_logger_t {
void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
/**
+ * Set options used by this logger.
+ *
+ * @param ike_name TRUE to prefix the name of the IKE_SA
+ */
+ void (*set_options) (sys_logger_t *this, bool ike_name);
+
+ /**
* Destroys a sys_logger_t object.
*/
void (*destroy) (sys_logger_t *this);
@@ -53,9 +61,8 @@ struct sys_logger_t {
* Constructor to create a sys_logger_t object.
*
* @param facility syslog facility to use
- * @param ike_name TRUE to prefix the name of the IKE_SA
* @return sys_logger_t object
*/
-sys_logger_t *sys_logger_create(int facility, bool ike_name);
+sys_logger_t *sys_logger_create(int facility);
#endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/backend.h b/src/libcharon/config/backend.h
index 458abc37f..aca3352ba 100644
--- a/src/libcharon/config/backend.h
+++ b/src/libcharon/config/backend.h
@@ -26,7 +26,7 @@ typedef struct backend_t backend_t;
#include <library.h>
#include <config/ike_cfg.h>
#include <config/peer_cfg.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* The interface for a configuration backend.
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index 09e123e67..f47d5715a 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -18,7 +18,7 @@
#include <sys/types.h>
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
@@ -49,10 +49,16 @@ struct private_backend_manager_t {
* match of an ike_cfg
*/
typedef enum ike_cfg_match_t {
- MATCH_NONE = 0x00,
- MATCH_ANY = 0x01,
- MATCH_ME = 0x04,
- MATCH_OTHER = 0x08,
+ /* doesn't match at all */
+ MATCH_NONE = 0x00,
+ /* match for a %any host. For both hosts, hence skip 0x02 */
+ MATCH_ANY = 0x01,
+ /* IKE version matches exactly (config is not for any version) */
+ MATCH_VERSION = 0x04,
+ /* local identity matches */
+ MATCH_ME = 0x08,
+ /* remote identity matches */
+ MATCH_OTHER = 0x10,
} ike_cfg_match_t;
/**
@@ -75,13 +81,20 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
/**
* get a match of a candidate ike_cfg for two hosts
*/
-static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
+static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other,
+ ike_version_t version)
{
host_t *me_cand, *other_cand;
char *my_addr, *other_addr;
bool my_allow_any, other_allow_any;
ike_cfg_match_t match = MATCH_NONE;
+ if (cand->get_version(cand) != IKE_ANY &&
+ version != cand->get_version(cand))
+ {
+ return MATCH_NONE;
+ }
+
if (me)
{
my_addr = cand->get_my_addr(cand, &my_allow_any);
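Review bot: The early return at the top of `get_ike_match` rejects a request whose `version` is `IKE_ANY` whenever the candidate is pinned to a specific version, whereas the `get_version_match` helper removed later in this file accepted `req == IKE_ANY`. If any caller of `get_ike_cfg` or `create_peer_cfg_enumerator` still passes `IKE_ANY` as a wildcard, it will now silently get no match for version-pinned configs. If that is intended, a comment on the check would make it explicit; otherwise the condition could start with `version != IKE_ANY &&`. `cand->get_version(cand)` is also evaluated up to three times in this function and would read better cached in a local. The function body continues outside this hunk.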
@@ -137,11 +150,18 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
{
match += MATCH_ANY;
}
+
+ if (match != MATCH_NONE &&
+ cand->get_version(cand) != IKE_ANY)
+ { /* if we have a match, improve it if candidate version specified */
+ match += MATCH_VERSION;
+ }
return match;
}
METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
- private_backend_manager_t *this, host_t *me, host_t *other)
+ private_backend_manager_t *this, host_t *me, host_t *other,
+ ike_version_t version)
{
ike_cfg_t *current, *found = NULL;
char *my_addr, *other_addr;
@@ -164,8 +184,9 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
(void*)ike_enum_create, data, (void*)free);
while (enumerator->enumerate(enumerator, (void**)&current))
{
- match = get_ike_match(current, me, other);
- DBG3(DBG_CFG, "ike config match: %d (%H %H)", match, me, other);
+ match = get_ike_match(current, me, other, version);
+ DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
+ match, me, other, ike_version_names, version);
if (match)
{
my_addr = current->get_my_addr(current, &my_allow_any);
@@ -243,22 +264,6 @@ static id_match_t get_peer_match(identification_t *id,
}
/**
- * Get match quality of IKE version
- */
-static int get_version_match(ike_version_t cfg, ike_version_t req)
-{
- if (req == IKE_ANY || cfg == IKE_ANY)
- {
- return 1;
- }
- if (req == cfg)
- {
- return 2;
- }
- return 0;
-}
-
-/**
* data to pass nested peer enumerator
*/
typedef struct {
@@ -382,20 +387,18 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
{
id_match_t match_peer_me, match_peer_other;
ike_cfg_match_t match_ike;
- int match_version;
match_entry_t *entry;
match_peer_me = get_peer_match(my_id, cfg, TRUE);
match_peer_other = get_peer_match(other_id, cfg, FALSE);
- match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
- match_version = get_version_match(cfg->get_ike_version(cfg), version);
- DBG3(DBG_CFG, "ike config match: %d (%H %H)", match_ike, me, other);
+ match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other, version);
+ DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
+ match_ike, me, other, ike_version_names, version);
- if (match_peer_me && match_peer_other && match_ike && match_version)
+ if (match_peer_me && match_peer_other && match_ike)
{
- DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d/%d "
- "(me/other/ike/version)", cfg->get_name(cfg),
- match_peer_me, match_peer_other, match_ike, match_version);
+ DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)",
+ cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
INIT(entry,
.match_peer = match_peer_me + match_peer_other,
diff --git a/src/libcharon/config/backend_manager.h b/src/libcharon/config/backend_manager.h
index de263365b..cc8ef8785 100644
--- a/src/libcharon/config/backend_manager.h
+++ b/src/libcharon/config/backend_manager.h
@@ -24,7 +24,7 @@
typedef struct backend_manager_t backend_manager_t;
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
#include <config/ike_cfg.h>
#include <config/peer_cfg.h>
@@ -60,7 +60,8 @@ struct backend_manager_t {
* @return matching ike_config, or NULL if none found
*/
ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
- host_t *my_host, host_t *other_host);
+ host_t *my_host, host_t *other_host,
+ ike_version_t version);
/**
* Get a peer_config identified by it's name.
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index b675c908f..33d47a41e 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -165,7 +165,7 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
current = current->clone(current);
if (strip_dh)
{
- current->strip_dh(current);
+ current->strip_dh(current, MODP_NONE);
}
proposals->insert_last(proposals, current);
}
@@ -194,7 +194,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
{
if (strip_dh)
{
- stored->strip_dh(stored);
+ stored->strip_dh(stored, MODP_NONE);
}
selected = stored->select(stored, supplied, private);
if (selected)
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index acf4b6141..5e5fbba42 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -21,6 +21,12 @@
#include <daemon.h>
+ENUM(ike_version_names, IKE_ANY, IKEV2,
+ "IKEv1/2",
+ "IKEv1",
+ "IKEv2",
+);
+
typedef struct private_ike_cfg_t private_ike_cfg_t;
/**
@@ -39,6 +45,11 @@ struct private_ike_cfg_t {
refcount_t refcount;
/**
+ * IKE version to use
+ */
+ ike_version_t version;
+
+ /**
* Address of local host
*/
char *me;
@@ -79,11 +90,22 @@ struct private_ike_cfg_t {
bool force_encap;
/**
+ * use IKEv1 fragmentation
+ */
+ fragmentation_t fragmentation;
+
+ /**
* List of proposals to use
*/
linked_list_t *proposals;
};
+METHOD(ike_cfg_t, get_version, ike_version_t,
+ private_ike_cfg_t *this)
+{
+ return this->version;
+}
+
METHOD(ike_cfg_t, send_certreq, bool,
private_ike_cfg_t *this)
{
@@ -96,6 +118,12 @@ METHOD(ike_cfg_t, force_encap_, bool,
return this->force_encap;
}
+METHOD(ike_cfg_t, fragmentation, fragmentation_t,
+ private_ike_cfg_t *this)
+{
+ return this->fragmentation;
+}
+
METHOD(ike_cfg_t, get_my_addr, char*,
private_ike_cfg_t *this, bool *allow_any)
{
@@ -248,8 +276,10 @@ METHOD(ike_cfg_t, equals, bool,
e2->destroy(e2);
return (eq &&
+ this->version == other->version &&
this->certreq == other->certreq &&
this->force_encap == other->force_encap &&
+ this->fragmentation == other->fragmentation &&
streq(this->me, other->me) &&
streq(this->other, other->other) &&
this->my_port == other->my_port &&
@@ -279,16 +309,19 @@ METHOD(ike_cfg_t, destroy, void,
/**
* Described in header.
*/
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
char *me, bool my_allow_any, u_int16_t my_port,
- char *other, bool other_allow_any, u_int16_t other_port)
+ char *other, bool other_allow_any, u_int16_t other_port,
+ fragmentation_t fragmentation)
{
private_ike_cfg_t *this;
INIT(this,
.public = {
+ .get_version = _get_version,
.send_certreq = _send_certreq,
.force_encap = _force_encap_,
+ .fragmentation = _fragmentation,
.get_my_addr = _get_my_addr,
.get_other_addr = _get_other_addr,
.get_my_port = _get_my_port,
@@ -302,8 +335,10 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
.destroy = _destroy,
},
.refcount = 1,
+ .version = version,
.certreq = certreq,
.force_encap = force_encap,
+ .fragmentation = fragmentation,
.me = strdup(me),
.other = strdup(other),
.my_allow_any = my_allow_any,
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 691d223a3..5a7fae1e9 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -22,16 +23,47 @@
#ifndef IKE_CFG_H_
#define IKE_CFG_H_
+typedef enum ike_version_t ike_version_t;
+typedef enum fragmentation_t fragmentation_t;
typedef struct ike_cfg_t ike_cfg_t;
#include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
#include <config/proposal.h>
#include <crypto/diffie_hellman.h>
/**
+ * IKE version.
+ */
+enum ike_version_t {
+ /** any version */
+ IKE_ANY = 0,
+ /** IKE version 1 */
+ IKEV1 = 1,
+ /** IKE version 2 */
+ IKEV2 = 2,
+};
+
+/**
+ * Proprietary IKEv1 fragmentation
+ */
+enum fragmentation_t {
+ /** disable fragmentation */
+ FRAGMENTATION_NO,
+ /** enable fragmentation if supported by peer */
+ FRAGMENTATION_YES,
+ /** force use of fragmentation (even for the first message) */
+ FRAGMENTATION_FORCE,
+};
+
+/**
+ * enum strings fro ike_version_t
+ */
+extern enum_name_t *ike_version_names;
+
+/**
* An ike_cfg_t defines the rules to set up an IKE_SA.
*
* @see peer_cfg_t to get an overview over the configurations.
@@ -39,6 +71,13 @@ typedef struct ike_cfg_t ike_cfg_t;
struct ike_cfg_t {
/**
+ * Get the IKE version to use with this configuration.
+ *
+ * @return IKE major version
+ */
+ ike_version_t (*get_version)(ike_cfg_t *this);
+
+ /**
* Get own address.
*
* @param allow_any allow any address to match
@@ -109,11 +148,18 @@ struct ike_cfg_t {
/**
* Enforce UDP encapsulation by faking NATD notifies?
*
- * @return TRUE to enfoce UDP encapsulation
+ * @return TRUE to enforce UDP encapsulation
*/
bool (*force_encap) (ike_cfg_t *this);
/**
+ * Use proprietary IKEv1 fragmentation
+ *
+ * @return TRUE to use fragmentation
+ */
+ fragmentation_t (*fragmentation) (ike_cfg_t *this);
+
+ /**
* Get the DH group to use for IKE_SA setup.
*
* @return dh group to use for initialization
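Review bot: The doc comment on the new `fragmentation` accessor says `@return TRUE to use fragmentation`, but the function returns a three-valued `fragmentation_t`, so a caller following the comment and testing the result as a boolean would treat `FRAGMENTATION_YES` and `FRAGMENTATION_FORCE` alike. I would write `@return fragmentation mode (FRAGMENTATION_NO, FRAGMENTATION_YES or FRAGMENTATION_FORCE)`. The `@param fragmentation use IKEv1 fragmentation` line added to `ike_cfg_create` further down has the same vagueness. The comment moved into the earlier hunk of this header also still reads `enum strings fro ike_version_t`, where `fro` should be `for`.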
@@ -149,6 +195,7 @@ struct ike_cfg_t {
*
* Supplied hosts become owned by ike_cfg, the name gets cloned.
*
+ * @param version IKE major version to use for this config
* @param certreq TRUE to send a certificate request
* @param force_encap enforce UDP encapsulation by faking NATD notify
* @param me address/DNS name of local peer
@@ -157,10 +204,12 @@ struct ike_cfg_t {
* @param other address/DNS name of remote peer
* @param other_allow_any allow override of remote address by any address
* @param other_port IKE port to use as dest, 500 uses IKEv2 port floating
+ * @param fragmentation use IKEv1 fragmentation
* @return ike_cfg_t object.
*/
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
char *me, bool my_allow_any, u_int16_t my_port,
- char *other, bool other_allow_any, u_int16_t other_port);
+ char *other, bool other_allow_any, u_int16_t other_port,
+ fragmentation_t fragmentation);
#endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 01ca026e1..8de7d1289 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -22,15 +22,9 @@
#include <daemon.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
-ENUM(ike_version_names, IKE_ANY, IKEV2,
- "IKEv1/2",
- "IKEv1",
- "IKEv2",
-);
-
ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
"CERT_ALWAYS_SEND",
"CERT_SEND_IF_ASKED",
@@ -66,11 +60,6 @@ struct private_peer_cfg_t {
char *name;
/**
- * IKE version to use for initiation
- */
- ike_version_t ike_version;
-
- /**
* IKE config associated to this peer config
*/
ike_cfg_t *ike_cfg;
@@ -188,7 +177,7 @@ METHOD(peer_cfg_t, get_name, char*,
METHOD(peer_cfg_t, get_ike_version, ike_version_t,
private_peer_cfg_t *this)
{
- return this->ike_version;
+ return this->ike_cfg->get_version(this->ike_cfg);
}
METHOD(peer_cfg_t, get_ike_cfg, ike_cfg_t*,
@@ -584,7 +573,7 @@ METHOD(peer_cfg_t, equals, bool,
e2->destroy(e2);
return (
- this->ike_version == other->ike_version &&
+ get_ike_version(this) == get_ike_version(other) &&
this->cert_policy == other->cert_policy &&
this->unique == other->unique &&
this->keyingtries == other->keyingtries &&
@@ -594,6 +583,7 @@ METHOD(peer_cfg_t, equals, bool,
this->jitter_time == other->jitter_time &&
this->over_time == other->over_time &&
this->dpd == other->dpd &&
+ this->aggressive == other->aggressive &&
auth_cfg_equal(this, other)
#ifdef ME
&& this->mediation == other->mediation &&
@@ -639,7 +629,7 @@ METHOD(peer_cfg_t, destroy, void,
/*
* Described in header-file
*/
-peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
+peer_cfg_t *peer_cfg_create(char *name,
ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
unique_policy_t unique, u_int32_t keyingtries,
u_int32_t rekey_time, u_int32_t reauth_time,
@@ -695,7 +685,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
#endif /* ME */
},
.name = strdup(name),
- .ike_version = ike_version,
.ike_cfg = ike_cfg,
.child_cfgs = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 97089e1b0..80913beba 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -23,14 +23,13 @@
#ifndef PEER_CFG_H_
#define PEER_CFG_H_
-typedef enum ike_version_t ike_version_t;
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
#include <library.h>
#include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <selectors/traffic_selector.h>
#include <config/proposal.h>
#include <config/ike_cfg.h>
@@ -38,23 +37,6 @@ typedef struct peer_cfg_t peer_cfg_t;
#include <credentials/auth_cfg.h>
/**
- * IKE version.
- */
-enum ike_version_t {
- /** any version */
- IKE_ANY = 0,
- /** IKE version 1 */
- IKEV1 = 1,
- /** IKE version 2 */
- IKEV2 = 2,
-};
-
-/**
- * enum strings fro ike_version_t
- */
-extern enum_name_t *ike_version_names;
-
-/**
* Certificate sending policy. This is also used for certificate
* requests when using this definition for the other peer. If
* it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
@@ -374,7 +356,6 @@ struct peer_cfg_t {
* (rekeylifetime - random(0, jitter)).
*
* @param name name of the peer_cfg
- * @param ike_version which IKE version we should use for this peer
* @param ike_cfg IKE config to use when acting as initiator
* @param cert_policy should we send a certificate payload?
* @param unique uniqueness of an IKE_SA
@@ -392,7 +373,7 @@ struct peer_cfg_t {
* @param peer_id ID that identifies our peer at the mediation server
* @return peer_cfg_t object
*/
-peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
+peer_cfg_t *peer_cfg_create(char *name,
ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
unique_policy_t unique, u_int32_t keyingtries,
u_int32_t rekey_time, u_int32_t reauth_time,
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 43b467f46..4803c7be2 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -19,7 +19,7 @@
#include "proposal.h"
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
#include <crypto/transform.h>
@@ -232,14 +232,21 @@ METHOD(proposal_t, has_dh_group, bool,
}
METHOD(proposal_t, strip_dh, void,
- private_proposal_t *this)
+ private_proposal_t *this, diffie_hellman_group_t keep)
{
+ enumerator_t *enumerator;
algorithm_t *alg;
- while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
+ enumerator = this->dh_groups->create_enumerator(this->dh_groups);
+ while (enumerator->enumerate(enumerator, (void**)&alg))
{
- free(alg);
+ if (alg->algorithm != keep)
+ {
+ this->dh_groups->remove_at(this->dh_groups, enumerator);
+ free(alg);
+ }
}
+ enumerator->destroy(enumerator);
}
/**
@@ -515,6 +522,23 @@ METHOD(proposal_t, clone_, proposal_t*,
}
/**
+ * Map integrity algorithms to the PRF functions using the same algorithm.
+ */
+static const struct {
+ integrity_algorithm_t integ;
+ pseudo_random_function_t prf;
+} integ_prf_map[] = {
+ {AUTH_HMAC_SHA1_96, PRF_HMAC_SHA1 },
+ {AUTH_HMAC_SHA2_256_128, PRF_HMAC_SHA2_256 },
+ {AUTH_HMAC_SHA2_384_192, PRF_HMAC_SHA2_384 },
+ {AUTH_HMAC_SHA2_512_256, PRF_HMAC_SHA2_512 },
+ {AUTH_HMAC_MD5_96, PRF_HMAC_MD5 },
+ {AUTH_AES_XCBC_96, PRF_AES128_XCBC },
+ {AUTH_CAMELLIA_XCBC_96, PRF_CAMELLIA128_XCBC },
+ {AUTH_AES_CMAC_96, PRF_AES128_CMAC },
+};
+
+/**
* Checks the proposal read from a string.
*/
static void check_proposal(private_proposal_t *this)
@@ -522,6 +546,27 @@ static void check_proposal(private_proposal_t *this)
enumerator_t *e;
algorithm_t *alg;
bool all_aead = TRUE;
+ int i;
+
+ if (this->protocol == PROTO_IKE &&
+ this->prf_algos->get_count(this->prf_algos) == 0)
+ { /* No explicit PRF found. We assume the same algorithm as used
+ * for integrity checking */
+ e = this->integrity_algos->create_enumerator(this->integrity_algos);
+ while (e->enumerate(e, &alg))
+ {
+ for (i = 0; i < countof(integ_prf_map); i++)
+ {
+ if (alg->algorithm == integ_prf_map[i].integ)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION,
+ integ_prf_map[i].prf, 0);
+ break;
+ }
+ }
+ }
+ e->destroy(e);
+ }
e = this->encryption_algos->create_enumerator(this->encryption_algos);
while (e->enumerate(e, &alg))
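Review bot: The implicit PRF block in check_proposal adds nothing when an integrity algorithm has no entry in `integ_prf_map`, or when an IKE proposal lists only AEAD ciphers and no integrity algorithm at all, so the proposal can leave this block with an empty PRF list and no diagnostic. Whether the rest of check_proposal (outside this hunk) rejects such a proposal is not visible here. A log line after `e->destroy(e);` would make the misconfiguration visible at load time rather than at negotiation, for example `if (this->prf_algos->get_count(this->prf_algos) == 0) DBG1(DBG_CFG, "no PRF could be derived for IKE proposal");`. The loop index `i` is also a signed `int` compared against `countof()`, and an unsigned type would avoid the sign-compare warning.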
@@ -572,44 +617,6 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
add_algorithm(this, token->type, token->algorithm, token->keysize);
- if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
- {
- pseudo_random_function_t prf;
-
- switch (token->algorithm)
- {
- case AUTH_HMAC_SHA1_96:
- prf = PRF_HMAC_SHA1;
- break;
- case AUTH_HMAC_SHA2_256_128:
- prf = PRF_HMAC_SHA2_256;
- break;
- case AUTH_HMAC_SHA2_384_192:
- prf = PRF_HMAC_SHA2_384;
- break;
- case AUTH_HMAC_SHA2_512_256:
- prf = PRF_HMAC_SHA2_512;
- break;
- case AUTH_HMAC_MD5_96:
- prf = PRF_HMAC_MD5;
- break;
- case AUTH_AES_XCBC_96:
- prf = PRF_AES128_XCBC;
- break;
- case AUTH_CAMELLIA_XCBC_96:
- prf = PRF_CAMELLIA128_XCBC;
- break;
- case AUTH_AES_CMAC_96:
- prf = PRF_AES128_CMAC;
- break;
- default:
- prf = PRF_UNDEFINED;
- }
- if (prf != PRF_UNDEFINED)
- {
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
- }
- }
return TRUE;
}
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 33abf006c..7733143a8 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -27,8 +27,8 @@ typedef struct proposal_t proposal_t;
#include <library.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <utils/host.h>
+#include <collections/linked_list.h>
+#include <networking/host.h>
#include <crypto/transform.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
@@ -111,8 +111,10 @@ struct proposal_t {
/**
* Strip DH groups from proposal to use it without PFS.
+ *
+ * @param keep group to keep (MODP_NONE to remove all)
*/
- void (*strip_dh)(proposal_t *this);
+ void (*strip_dh)(proposal_t *this, diffie_hellman_group_t keep);
/**
* Compare two proposal, and select a matching subset.
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 6e977efc4..b27e1776a 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -19,20 +19,28 @@
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
+#include <syslog.h>
#include <time.h>
#include "daemon.h"
#include <library.h>
-#include <plugins/plugin_feature.h>
+#include <bus/listeners/sys_logger.h>
+#include <bus/listeners/file_logger.h>
#include <config/proposal.h>
+#include <plugins/plugin_feature.h>
#include <kernel/kernel_handler.h>
#include <processing/jobs/start_action_job.h>
+#include <threading/mutex.h>
#ifndef CAP_NET_ADMIN
#define CAP_NET_ADMIN 12
#endif
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
typedef struct private_daemon_t private_daemon_t;
/**
@@ -48,6 +56,31 @@ struct private_daemon_t {
* Handler for kernel events
*/
kernel_handler_t *kernel_handler;
+
+ /**
+ * A list of installed loggers (as logger_entry_t*)
+ */
+ linked_list_t *loggers;
+
+ /**
+ * Identifier used for syslog (in the openlog call)
+ */
+ char *syslog_identifier;
+
+ /**
+ * Mutex for configured loggers
+ */
+ mutex_t *mutex;
+
+ /**
+ * Integrity check failed?
+ */
+ bool integrity_failed;
+
+ /**
+ * Number of times we have been initialized
+ */
+ refcount_t ref;
};
/**
@@ -78,13 +111,333 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
}
/**
+ * Some metadata about configured loggers
+ */
+typedef struct {
+ /**
+ * Target of the logger (syslog facility or filename)
+ */
+ char *target;
+
+ /**
+ * TRUE if this is a file logger
+ */
+ bool file;
+
+ /**
+ * The actual logger
+ */
+ union {
+ sys_logger_t *sys;
+ file_logger_t *file;
+ } logger;
+
+} logger_entry_t;
+
+/**
+ * Destroy a logger entry
+ */
+static void logger_entry_destroy(logger_entry_t *this)
+{
+ if (this->file)
+ {
+ DESTROY_IF(this->logger.file);
+ }
+ else
+ {
+ DESTROY_IF(this->logger.sys);
+ }
+ free(this->target);
+ free(this);
+}
+
+/**
+ * Unregister and destroy a logger entry
+ */
+static void logger_entry_unregister_destroy(logger_entry_t *this)
+{
+ if (this->file)
+ {
+ charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
+ }
+ else
+ {
+ charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+ }
+ logger_entry_destroy(this);
+}
+
+/**
+ * Match a logger entry by target and whether it is a file or syslog logger
+ */
+static bool logger_entry_match(logger_entry_t *this, char *target, bool *file)
+{
+ return this->file == *file && streq(this->target, target);
+}
+
+/**
+ * Handle configured syslog identifier
+ *
+ * mutex must be locked when calling this function
+ */
+static void handle_syslog_identifier(private_daemon_t *this)
+{
+ char *identifier;
+
+ identifier = lib->settings->get_str(lib->settings, "%s.syslog.identifier",
+ NULL, charon->name);
+ if (identifier)
+ { /* set identifier, which is prepended to each log line */
+ if (!this->syslog_identifier ||
+ !streq(identifier, this->syslog_identifier))
+ {
+ closelog();
+ this->syslog_identifier = identifier;
+ openlog(this->syslog_identifier, 0, 0);
+ }
+ }
+ else if (this->syslog_identifier)
+ {
+ closelog();
+ this->syslog_identifier = NULL;
+ }
+}
+
+/**
+ * Convert the given string into a syslog facility, returns -1 if the facility
+ * is not supported
+ */
+static int get_syslog_facility(char *facility)
+{
+ if (streq(facility, "daemon"))
+ {
+ return LOG_DAEMON;
+ }
+ else if (streq(facility, "auth"))
+ {
+ return LOG_AUTHPRIV;
+ }
+ return -1;
+}
+
+/**
+ * Returns an existing or newly created logger entry (if found, it is removed
+ * from the given linked list of existing loggers)
+ */
+static logger_entry_t *get_logger_entry(char *target, bool is_file_logger,
+ linked_list_t *existing)
+{
+ logger_entry_t *entry;
+
+ if (existing->find_first(existing, (void*)logger_entry_match,
+ (void**)&entry, target, &is_file_logger) != SUCCESS)
+ {
+ INIT(entry,
+ .target = strdup(target),
+ .file = is_file_logger,
+ );
+ if (is_file_logger)
+ {
+ entry->logger.file = file_logger_create(target);
+ }
+ else
+ {
+ entry->logger.sys = sys_logger_create(get_syslog_facility(target));
+ }
+ }
+ else
+ {
+ existing->remove(existing, entry, NULL);
+ }
+ return entry;
+}
+
+/**
+ * Create or reuse a syslog logger
+ */
+static sys_logger_t *add_sys_logger(private_daemon_t *this, char *facility,
+ linked_list_t *current_loggers)
+{
+ logger_entry_t *entry;
+
+ entry = get_logger_entry(facility, FALSE, current_loggers);
+ this->loggers->insert_last(this->loggers, entry);
+ return entry->logger.sys;
+}
+
+/**
+ * Create or reuse a file logger
+ */
+static file_logger_t *add_file_logger(private_daemon_t *this, char *filename,
+ linked_list_t *current_loggers)
+{
+ logger_entry_t *entry;
+
+ entry = get_logger_entry(filename, TRUE, current_loggers);
+ this->loggers->insert_last(this->loggers, entry);
+ return entry->logger.file;
+}
+
+/**
+ * Load the given syslog logger configured in strongswan.conf
+ */
+static void load_sys_logger(private_daemon_t *this, char *facility,
+ linked_list_t *current_loggers)
+{
+ sys_logger_t *sys_logger;
+ debug_t group;
+ level_t def;
+
+ if (get_syslog_facility(facility) == -1)
+ {
+ return;
+ }
+
+ sys_logger = add_sys_logger(this, facility, current_loggers);
+ sys_logger->set_options(sys_logger,
+ lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
+ FALSE, charon->name, facility));
+
+ def = lib->settings->get_int(lib->settings, "%s.syslog.%s.default", 1,
+ charon->name, facility);
+ for (group = 0; group < DBG_MAX; group++)
+ {
+ sys_logger->set_level(sys_logger, group,
+ lib->settings->get_int(lib->settings, "%s.syslog.%s.%N", def,
+ charon->name, facility, debug_lower_names, group));
+ }
+ charon->bus->add_logger(charon->bus, &sys_logger->logger);
+}
+
+/**
+ * Load the given file logger configured in strongswan.conf
+ */
+static void load_file_logger(private_daemon_t *this, char *filename,
+ linked_list_t *current_loggers)
+{
+ file_logger_t *file_logger;
+ debug_t group;
+ level_t def;
+ bool ike_name, flush_line, append;
+ char *time_format;
+
+ time_format = lib->settings->get_str(lib->settings,
+ "%s.filelog.%s.time_format", NULL, charon->name, filename);
+ ike_name = lib->settings->get_bool(lib->settings,
+ "%s.filelog.%s.ike_name", FALSE, charon->name, filename);
+ flush_line = lib->settings->get_bool(lib->settings,
+ "%s.filelog.%s.flush_line", FALSE, charon->name, filename);
+ append = lib->settings->get_bool(lib->settings,
+ "%s.filelog.%s.append", TRUE, charon->name, filename);
+
+ file_logger = add_file_logger(this, filename, current_loggers);
+ file_logger->set_options(file_logger, time_format, ike_name);
+ file_logger->open(file_logger, flush_line, append);
+
+ def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1,
+ charon->name, filename);
+ for (group = 0; group < DBG_MAX; group++)
+ {
+ file_logger->set_level(file_logger, group,
+ lib->settings->get_int(lib->settings, "%s.filelog.%s.%N", def,
+ charon->name, filename, debug_lower_names, group));
+ }
+ charon->bus->add_logger(charon->bus, &file_logger->logger);
+}
+
+METHOD(daemon_t, load_loggers, void,
+ private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+{
+ enumerator_t *enumerator;
+ linked_list_t *current_loggers;
+ char *target;
+
+ this->mutex->lock(this->mutex);
+ handle_syslog_identifier(this);
+ current_loggers = this->loggers;
+ this->loggers = linked_list_create();
+ enumerator = lib->settings->create_section_enumerator(lib->settings,
+ "%s.syslog", charon->name);
+ while (enumerator->enumerate(enumerator, &target))
+ {
+ load_sys_logger(this, target, current_loggers);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = lib->settings->create_section_enumerator(lib->settings,
+ "%s.filelog", charon->name);
+ while (enumerator->enumerate(enumerator, &target))
+ {
+ load_file_logger(this, target, current_loggers);
+ }
+ enumerator->destroy(enumerator);
+
+ if (!this->loggers->get_count(this->loggers) && levels)
+ { /* setup legacy style default loggers configured via command-line */
+ file_logger_t *file_logger;
+ sys_logger_t *sys_logger;
+ debug_t group;
+
+ sys_logger = add_sys_logger(this, "daemon", current_loggers);
+ file_logger = add_file_logger(this, "stdout", current_loggers);
+ file_logger->open(file_logger, FALSE, FALSE);
+
+ for (group = 0; group < DBG_MAX; group++)
+ {
+ sys_logger->set_level(sys_logger, group, levels[group]);
+ if (to_stderr)
+ {
+ file_logger->set_level(file_logger, group, levels[group]);
+ }
+ }
+ charon->bus->add_logger(charon->bus, &sys_logger->logger);
+ charon->bus->add_logger(charon->bus, &file_logger->logger);
+
+ sys_logger = add_sys_logger(this, "auth", current_loggers);
+ sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
+ charon->bus->add_logger(charon->bus, &sys_logger->logger);
+ }
+ /* unregister and destroy any unused remaining loggers */
+ current_loggers->destroy_function(current_loggers,
+ (void*)logger_entry_unregister_destroy);
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(daemon_t, set_level, void,
+ private_daemon_t *this, debug_t group, level_t level)
+{
+ enumerator_t *enumerator;
+ logger_entry_t *entry;
+
+ /* we set the loglevel on ALL sys- and file-loggers */
+ this->mutex->lock(this->mutex);
+ enumerator = this->loggers->create_enumerator(this->loggers);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->file)
+ {
+ entry->logger.file->set_level(entry->logger.file, group, level);
+ charon->bus->add_logger(charon->bus, &entry->logger.file->logger);
+ }
+ else
+ {
+ entry->logger.sys->set_level(entry->logger.sys, group, level);
+ charon->bus->add_logger(charon->bus, &entry->logger.sys->logger);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
* Clean up all daemon resources
*/
static void destroy(private_daemon_t *this)
{
/* terminate all idle threads */
lib->processor->set_threads(lib->processor, 0);
-
+ /* make sure nobody waits for a DNS query */
+ lib->hosts->flush(lib->hosts);
/* close all IKE_SAs */
if (this->public.ike_sa_manager)
{
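Review bot: handle_syslog_identifier() stores the pointer returned by `lib->settings->get_str()` in `this->syslog_identifier` and passes that same pointer to `openlog()`, which retains the ident pointer instead of copying the string. load_loggers is the reload path, so if the settings store releases or rewrites that string when strongswan.conf is re-read (not visible in this hunk), the next `streq()` comparison and later syslog output would use stale memory. Owning the string removes that dependency: `this->syslog_identifier = strdup(identifier);`, with a `free()` before each reassignment and in destroy(), whose body continues outside this hunk.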
@@ -123,10 +476,8 @@ static void destroy(private_daemon_t *this)
/* rehook library logging, shutdown logging */
dbg = dbg_old;
DESTROY_IF(this->public.bus);
- this->public.file_loggers->destroy_offset(this->public.file_loggers,
- offsetof(file_logger_t, destroy));
- this->public.sys_loggers->destroy_offset(this->public.sys_loggers,
- offsetof(sys_logger_t, destroy));
+ this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
+ this->mutex->destroy(this->mutex);
free((void*)this->public.name);
free(this);
}
@@ -222,11 +573,14 @@ private_daemon_t *daemon_create(const char *name)
.public = {
.initialize = _initialize,
.start = _start,
+ .load_loggers = _load_loggers,
+ .set_level = _set_level,
.bus = bus_create(),
- .file_loggers = linked_list_create(),
- .sys_loggers = linked_list_create(),
.name = strdup(name ?: "libcharon"),
},
+ .loggers = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .ref = 1,
);
charon = &this->public;
this->public.caps = capabilities_create();
@@ -249,7 +603,14 @@ private_daemon_t *daemon_create(const char *name)
*/
void libcharon_deinit()
{
- destroy((private_daemon_t*)charon);
+ private_daemon_t *this = (private_daemon_t*)charon;
+
+ if (!this || !ref_put(&this->ref))
+ { /* have more users */
+ return;
+ }
+
+ destroy(this);
charon = NULL;
}
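Review bot: The `!this` test and `ref_put()` in libcharon_deinit(), and the `if (charon)` / `ref_get()` pair added to libcharon_init() in the next hunk, read and update the global `charon` without any lock. The pointer is cleared only after `destroy(this)` returns, so a concurrent libcharon_init() could take a reference on an object that is being torn down. If the two functions are only ever called from one thread this is harmless, but nothing visible here enforces that. The contract should be written into the daemon.h comment, for example ` * Calls to libcharon_init() and libcharon_deinit() must be serialized by the caller.`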
@@ -258,7 +619,16 @@ void libcharon_deinit()
*/
bool libcharon_init(const char *name)
{
- daemon_create(name);
+ private_daemon_t *this;
+
+ if (charon)
+ { /* already initialized, increase refcount */
+ this = (private_daemon_t*)charon;
+ ref_get(&this->ref);
+ return !this->integrity_failed;
+ }
+
+ this = daemon_create(name);
/* for uncritical pseudo random numbers */
srandom(time(NULL) + getpid());
@@ -276,8 +646,7 @@ bool libcharon_init(const char *name)
!lib->integrity->check(lib->integrity, "libcharon", libcharon_init))
{
dbg(DBG_DMN, 1, "integrity check of libcharon failed");
- return FALSE;
+ this->integrity_failed = TRUE;
}
-
- return TRUE;
+ return !this->integrity_failed;
}
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index b67de77b8..2926d945b 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -157,8 +157,6 @@ typedef struct daemon_t daemon_t;
#include <network/socket_manager.h>
#include <control/controller.h>
#include <bus/bus.h>
-#include <bus/listeners/file_logger.h>
-#include <bus/listeners/sys_logger.h>
#include <sa/ike_sa_manager.h>
#include <sa/trap_manager.h>
#include <sa/shunt_manager.h>
@@ -248,16 +246,6 @@ struct daemon_t {
bus_t *bus;
/**
- * A list of installed file_logger_t's
- */
- linked_list_t *file_loggers;
-
- /**
- * A list of installed sys_logger_t's
- */
- linked_list_t *sys_loggers;
-
- /**
* Controller to control the daemon
*/
controller_t *controller;
@@ -307,6 +295,25 @@ struct daemon_t {
*/
void (*start)(daemon_t *this);
+ /**
+ * Load/Reload loggers defined in strongswan.conf
+ *
+ * @param levels optional debug levels used to create default loggers
+ * if none are defined in strongswan.conf
+ * @param to_stderr TRUE to log to stderr/stdout if no loggers are defined
+ * in strongswan.conf
+ */
+ void (*load_loggers)(daemon_t *this, level_t levels[DBG_MAX],
+ bool to_stderr);
+
+ /**
+ * Set the log level for the given log group for all configured file- and
+ * syslog-loggers.
+ *
+ * @param group log group
+ * @param level log level
+ */
+ void (*set_level)(daemon_t *this, debug_t group, level_t level);
};
/**
@@ -322,6 +329,9 @@ extern daemon_t *charon;
* This function initializes the bus, listeners can be registered before
* calling initialize().
*
+ * libcharon_init() may be called multiple times in a single process, but each
+ * caller should call libcharon_deinit() for each call to libcharon_init().
+ *
* @param name name of the binary that uses the library
* @return FALSE if integrity check failed
*/
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 2dfaf43df..2b6825c71 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -24,7 +24,7 @@
#include <library.h>
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
#include <encoding/payloads/transform_substructure.h>
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index d3b72ea95..28fdda735 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -57,7 +57,7 @@
/**
* Max number of certificate request payloads per IKEv1 message
*/
-#define MAX_CERTREQ_PAYLOADS 5
+#define MAX_CERTREQ_PAYLOADS 20
/**
* Max number of NAT-D payloads per IKEv1 message
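Review bot: The limit goes from 5 to 20 with no rationale in the comment above `MAX_CERTREQ_PAYLOADS`. The rule tables later in this file use the constant as the upper bound for CERTIFICATE_REQUEST_V1 in Main and Aggressive Mode, in rows whose encrypted column appears to be FALSE, so it caps work done on input from a peer that has not yet been authenticated. The comment should record what the value is sized for, along the lines of `* Max number of certificate request payloads per IKEv1 message; bounds parsing of unauthenticated input, sized for <reason for 20>`.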
@@ -437,10 +437,12 @@ static payload_rule_t id_prot_i_rules[] = {
{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+ {NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{ID_V1, 0, 1, TRUE, FALSE},
{CERTIFICATE_V1, 0, 2, TRUE, FALSE},
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
{HASH_V1, 0, 1, TRUE, FALSE},
+ {FRAGMENT_V1, 0, 1, FALSE, TRUE},
};
/**
@@ -459,6 +461,8 @@ static payload_order_t id_prot_i_order[] = {
{NOTIFY_V1, 0},
{VENDOR_ID_V1, 0},
{NAT_D_V1, 0},
+ {NAT_D_DRAFT_00_03_V1, 0},
+ {FRAGMENT_V1, 0},
};
/**
@@ -473,10 +477,12 @@ static payload_rule_t id_prot_r_rules[] = {
{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+ {NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{ID_V1, 0, 1, TRUE, FALSE},
{CERTIFICATE_V1, 0, 2, TRUE, FALSE},
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
{HASH_V1, 0, 1, TRUE, FALSE},
+ {FRAGMENT_V1, 0, 1, FALSE, TRUE},
};
/**
@@ -495,6 +501,8 @@ static payload_order_t id_prot_r_order[] = {
{NOTIFY_V1, 0},
{VENDOR_ID_V1, 0},
{NAT_D_V1, 0},
+ {NAT_D_DRAFT_00_03_V1, 0},
+ {FRAGMENT_V1, 0},
};
/**
@@ -509,10 +517,12 @@ static payload_rule_t aggressive_i_rules[] = {
{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+ {NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{ID_V1, 0, 1, FALSE, FALSE},
{CERTIFICATE_V1, 0, 1, TRUE, FALSE},
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
{HASH_V1, 0, 1, TRUE, FALSE},
+ {FRAGMENT_V1, 0, 1, FALSE, TRUE},
};
/**
@@ -526,11 +536,13 @@ static payload_order_t aggressive_i_order[] = {
{ID_V1, 0},
{CERTIFICATE_V1, 0},
{NAT_D_V1, 0},
+ {NAT_D_DRAFT_00_03_V1, 0},
{SIGNATURE_V1, 0},
{HASH_V1, 0},
{CERTIFICATE_REQUEST_V1, 0},
{NOTIFY_V1, 0},
{VENDOR_ID_V1, 0},
+ {FRAGMENT_V1, 0},
};
/**
@@ -545,10 +557,12 @@ static payload_rule_t aggressive_r_rules[] = {
{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
{NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
+ {NAT_D_DRAFT_00_03_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
{ID_V1, 0, 1, FALSE, FALSE},
{CERTIFICATE_V1, 0, 1, FALSE, FALSE},
{SIGNATURE_V1, 0, 1, FALSE, FALSE},
{HASH_V1, 0, 1, FALSE, FALSE},
+ {FRAGMENT_V1, 0, 1, FALSE, TRUE},
};
/**
@@ -562,11 +576,13 @@ static payload_order_t aggressive_r_order[] = {
{ID_V1, 0},
{CERTIFICATE_V1, 0},
{NAT_D_V1, 0},
+ {NAT_D_DRAFT_00_03_V1, 0},
{SIGNATURE_V1, 0},
{HASH_V1, 0},
{CERTIFICATE_REQUEST_V1, 0},
{NOTIFY_V1, 0},
{VENDOR_ID_V1, 0},
+ {FRAGMENT_V1, 0},
};
/**
@@ -624,6 +640,7 @@ static payload_rule_t quick_mode_i_rules[] = {
{KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
{ID_V1, 0, 2, TRUE, FALSE},
{NAT_OA_V1, 0, 2, TRUE, FALSE},
+ {NAT_OA_DRAFT_00_03_V1, 0, 2, TRUE, FALSE},
};
/**
@@ -639,6 +656,7 @@ static payload_order_t quick_mode_i_order[] = {
{KEY_EXCHANGE_V1, 0},
{ID_V1, 0},
{NAT_OA_V1, 0},
+ {NAT_OA_DRAFT_00_03_V1, 0},
};
/**
@@ -654,6 +672,7 @@ static payload_rule_t quick_mode_r_rules[] = {
{KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
{ID_V1, 0, 2, TRUE, FALSE},
{NAT_OA_V1, 0, 2, TRUE, FALSE},
+ {NAT_OA_DRAFT_00_03_V1, 0, 2, TRUE, FALSE},
};
/**
@@ -669,6 +688,7 @@ static payload_order_t quick_mode_r_order[] = {
{KEY_EXCHANGE_V1, 0},
{ID_V1, 0},
{NAT_OA_V1, 0},
+ {NAT_OA_DRAFT_00_03_V1, 0},
};
/**
@@ -1681,6 +1701,12 @@ METHOD(message_t, parse_header, status_t,
}
this->first_payload = ike_header->payload_interface.get_next_type(
&ike_header->payload_interface);
+ if (this->first_payload == FRAGMENT_V1 && this->is_encrypted)
+ { /* racoon sets the encryted bit when sending a fragment, but these
+ * messages are really not encrypted */
+ this->is_encrypted = FALSE;
+ }
+
for (i = 0; i < countof(this->reserved); i++)
{
reserved = payload_get_field(&ike_header->payload_interface,
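Review bot: The override in parse_header acts on unauthenticated header fields, so any sender can set the first payload type to FRAGMENT_V1 and have `is_encrypted` cleared. The test is also not limited to IKEv1 messages although FRAGMENT_V1 is an IKEv1 payload type, so it would be safer if the condition also checked the IKE major version. The rule tables in the earlier hunks of this file appear to accept FRAGMENT_V1 unencrypted in Main and Aggressive Mode. The comment should therefore state that fragment data is untrusted until the reassembled message has itself been parsed and, where required, decrypted. The comment has a typo, `encryted` should read `encrypted`. parse_header's body starts and ends outside this hunk.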
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 6d558daf6..2c11e4581 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -31,8 +31,8 @@ typedef struct message_t message_t;
#include <encoding/payloads/notify_payload.h>
#include <sa/keymat.h>
#include <sa/ike_sa_id.h>
-#include <utils/packet.h>
-#include <utils/linked_list.h>
+#include <networking/packet.h>
+#include <collections/linked_list.h>
/**
* This class is used to represent an IKE-Message.
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index e4b140c3e..9e7f8311b 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -22,7 +22,7 @@
#include <library.h>
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <encoding/payloads/encodings.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/sa_payload.h>
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 3a230b91e..a32f5705d 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -234,6 +234,23 @@ METHOD(cert_payload_t, get_cert, certificate_t*,
BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
}
+METHOD(cert_payload_t, get_container, container_t*,
+ private_cert_payload_t *this)
+{
+ int type;
+
+ switch (this->encoding)
+ {
+ case ENC_PKCS7_WRAPPED_X509:
+ type = CONTAINER_PKCS7;
+ break;
+ default:
+ return NULL;
+ }
+ return lib->creds->create(lib->creds, CRED_CONTAINER, type,
+ BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
+}
+
METHOD(cert_payload_t, get_hash, chunk_t,
private_cert_payload_t *this)
{
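Review bot: get_container passes `this->data`, which comes from the peer's certificate payload, to the PKCS#7 container parser and returns NULL for every encoding other than ENC_PKCS7_WRAPPED_X509. The header documents the return value only as "container copy", so callers have no hint that NULL is a normal result. The declaration in cert_payload.h should say so: ` * @return container copy, NULL if the encoding is not PKCS#7 wrapped or the data could not be parsed`. The local `int type` could also use the container type enum that `CONTAINER_PKCS7` belongs to, so the compiler checks the value passed to `lib->creds->create()`.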
@@ -289,6 +306,7 @@ cert_payload_t *cert_payload_create(payload_type_t type)
.destroy = _destroy,
},
.get_cert = _get_cert,
+ .get_container = _get_container,
.get_cert_encoding = _get_cert_encoding,
.get_hash = _get_hash,
.get_url = _get_url,
diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h
index 19ed2ccd2..834f35d60 100644
--- a/src/libcharon/encoding/payloads/cert_payload.h
+++ b/src/libcharon/encoding/payloads/cert_payload.h
@@ -28,10 +28,11 @@ typedef enum cert_encoding_t cert_encoding_t;
#include <library.h>
#include <credentials/certificates/certificate.h>
+#include <credentials/containers/container.h>
#include <encoding/payloads/payload.h>
/**
- * Certifcate encodings, as in RFC4306
+ * Certificate encodings, as in RFC4306
*/
enum cert_encoding_t {
ENC_PKCS7_WRAPPED_X509 = 1,
@@ -65,13 +66,20 @@ struct cert_payload_t {
payload_t payload_interface;
/**
- * Get the playoads encoded certifcate.
+ * Get the payloads encoded certificate.
*
- * @return certifcate copy
+ * @return certificate copy
*/
certificate_t *(*get_cert)(cert_payload_t *this);
/**
+ * Get the payloads certificate container.
+ *
+ * @return container copy
+ */
+ container_t *(*get_container)(cert_payload_t *this);
+
+ /**
* Get the encoding of the certificate.
*
* @return encoding
diff --git a/src/libcharon/encoding/payloads/certreq_payload.h b/src/libcharon/encoding/payloads/certreq_payload.h
index cce71c0ad..2915decf3 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.h
+++ b/src/libcharon/encoding/payloads/certreq_payload.h
@@ -56,7 +56,7 @@ struct certreq_payload_t {
/**
* Add a certificates keyid to the payload (IKEv2 only).
*
- * @param keyid keyid of the trusted certifcate
+ * @param keyid keyid of the trusted certificate
* @return
*/
void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c
index 40f6ae48f..f6f373f99 100644
--- a/src/libcharon/encoding/payloads/cp_payload.c
+++ b/src/libcharon/encoding/payloads/cp_payload.c
@@ -20,7 +20,7 @@
#include "cp_payload.h"
#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
ENUM(config_type_names, CFG_REQUEST, CFG_ACK,
"CFG_REQUEST",
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h
index 5eb1e06a7..c23bc0bb4 100644
--- a/src/libcharon/encoding/payloads/cp_payload.h
+++ b/src/libcharon/encoding/payloads/cp_payload.h
@@ -28,7 +28,7 @@ typedef struct cp_payload_t cp_payload_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/configuration_attribute.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
/**
* Config Type of an Configuration Payload.
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index dd2e25795..f2f35aa69 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -410,14 +410,15 @@ eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
eap_type_t reg_type;
u_int32_t reg_vendor;
bio_writer_t *writer;
- chunk_t length, data;
+ chunk_t data;
bool added_any = FALSE, found_vendor = FALSE;
eap_payload_t *payload;
writer = bio_writer_create(12);
writer->write_uint8(writer, EAP_RESPONSE);
writer->write_uint8(writer, identifier);
- length = writer->skip(writer, 2);
+ /* write zero length, we update it once we know the length */
+ writer->write_uint16(writer, 0);
write_type(writer, EAP_NAK, 0, expanded);
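Review bot: The new comment in eap_payload_create_nak says the length is patched later but not why the result of `writer->skip()` is no longer kept. Presumably the writer's buffer, created with only 12 bytes, can be reallocated by the writes that follow, which would leave a pointer taken earlier dangling. Stating that reason keeps the old pattern from being reintroduced, for example `/* placeholder length, patched via get_buf() at the end: pointers into the writer taken earlier may be invalidated when it grows */`. The function starts before and continues after this hunk.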
@@ -453,10 +454,9 @@ eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
/* set length */
data = writer->get_buf(writer);
- htoun16(length.ptr, data.len);
+ htoun16(data.ptr + offsetof(eap_packet_t, length), data.len);
payload = eap_payload_create_data(data);
writer->destroy(writer);
return payload;
}
-
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index 02e7b8bf3..6ba1b23a0 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -23,7 +23,7 @@
#include <daemon.h>
#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <encoding/generator.h>
#include <encoding/parser.h>
diff --git a/src/libcharon/encoding/payloads/fragment_payload.c b/src/libcharon/encoding/payloads/fragment_payload.c
new file mode 100644
index 000000000..1a6b3234b
--- /dev/null
+++ b/src/libcharon/encoding/payloads/fragment_payload.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "fragment_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+/** Flag that is set in case the given fragment is the last for the message */
+#define LAST_FRAGMENT 0x01
+
+typedef struct private_fragment_payload_t private_fragment_payload_t;
+
+/**
+ * Private data of an fragment_payload_t object.
+ */
+struct private_fragment_payload_t {
+
+ /**
+ * Public fragment_payload_t interface.
+ */
+ fragment_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Reserved byte
+ */
+ u_int8_t reserved;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Fragment ID.
+ */
+ u_int16_t fragment_id;
+
+ /**
+ * Fragment number.
+ */
+ u_int8_t fragment_number;
+
+ /**
+ * Flags
+ */
+ u_int8_t flags;
+
+ /**
+ * The contained fragment data.
+ */
+ chunk_t data;
+};
+
+/**
+ * Encoding rules for an IKEv1 fragment payload
+ */
+static encoding_rule_t encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_fragment_payload_t, next_payload) },
+ { RESERVED_BYTE, offsetof(private_fragment_payload_t, reserved) },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_fragment_payload_t, payload_length) },
+ { U_INT_16, offsetof(private_fragment_payload_t, fragment_id) },
+ { U_INT_8, offsetof(private_fragment_payload_t, fragment_number) },
+ { U_INT_8, offsetof(private_fragment_payload_t, flags) },
+ /* Fragment data is of variable size */
+ { CHUNK_DATA, offsetof(private_fragment_payload_t, data) },
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Fragment ID ! Fragment Num ! Flags !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Fragment Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+METHOD(payload_t, verify, status_t,
+ private_fragment_payload_t *this)
+{
+ if (this->fragment_number == 0)
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+METHOD(payload_t, get_encoding_rules, int,
+ private_fragment_payload_t *this, encoding_rule_t **rules)
+{
+ *rules = encodings;
+ return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+ private_fragment_payload_t *this)
+{
+ return 8;
+}
+
+METHOD(payload_t, get_type, payload_type_t,
+ private_fragment_payload_t *this)
+{
+ return FRAGMENT_V1;
+}
+
+METHOD(payload_t, get_next_type, payload_type_t,
+ private_fragment_payload_t *this)
+{
+ return this->next_payload;
+}
+
+METHOD(payload_t, set_next_type, void,
+ private_fragment_payload_t *this, payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+METHOD(payload_t, get_length, size_t,
+ private_fragment_payload_t *this)
+{
+ return this->payload_length;
+}
+
+METHOD(fragment_payload_t, get_id, u_int16_t,
+ private_fragment_payload_t *this)
+{
+ return this->fragment_id;
+}
+
+METHOD(fragment_payload_t, get_number, u_int8_t,
+ private_fragment_payload_t *this)
+{
+ return this->fragment_number;
+}
+
+METHOD(fragment_payload_t, is_last, bool,
+ private_fragment_payload_t *this)
+{
+ return (this->flags & LAST_FRAGMENT) == LAST_FRAGMENT;
+}
+
+METHOD(fragment_payload_t, get_data, chunk_t,
+ private_fragment_payload_t *this)
+{
+ return this->data;
+}
+
+METHOD2(payload_t, fragment_payload_t, destroy, void,
+ private_fragment_payload_t *this)
+{
+ free(this->data.ptr);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+fragment_payload_t *fragment_payload_create()
+{
+ private_fragment_payload_t *this;
+
+ INIT(this,
+ .public = {
+ .payload_interface = {
+ .verify = _verify,
+ .get_encoding_rules = _get_encoding_rules,
+ .get_header_length = _get_header_length,
+ .get_length = _get_length,
+ .get_next_type = _get_next_type,
+ .set_next_type = _set_next_type,
+ .get_type = _get_type,
+ .destroy = _destroy,
+ },
+ .get_id = _get_id,
+ .get_number = _get_number,
+ .is_last = _is_last,
+ .get_data = _get_data,
+ .destroy = _destroy,
+ },
+ .next_payload = NO_PAYLOAD,
+ );
+ this->payload_length = get_header_length(this);
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last,
+ chunk_t data)
+{
+ private_fragment_payload_t *this;
+
+ this = (private_fragment_payload_t*)fragment_payload_create();
+ this->fragment_id = 1;
+ this->fragment_number = num;
+ this->flags |= (last ? LAST_FRAGMENT : 0);
+ this->data = chunk_clone(data);
+ this->payload_length = get_header_length(this) + data.len;
+ return &this->public;
+} \ No newline at end of file
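Review bot: In `fragment_payload_create_from_data()`, `this->payload_length = get_header_length(this) + data.len;` stores a `size_t` sum in a `u_int16_t` field. A chunk longer than 65527 bytes therefore wraps silently, and the encoded Payload Length no longer matches the data that follows. The length should be checked before the assignment, for example `if (data.len > 0xFFFF - 8)`, or the limit stated in the function's documentation, since the constructor currently has no way to report failure. Separately, `verify()` rejects only fragment number 0; fragments are presumably parsed before the message is authenticated, so its comment should say that bounds on fragment count and reassembled size are left to the caller.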
diff --git a/src/libcharon/encoding/payloads/fragment_payload.h b/src/libcharon/encoding/payloads/fragment_payload.h
new file mode 100644
index 000000000..a49cf32dd
--- /dev/null
+++ b/src/libcharon/encoding/payloads/fragment_payload.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fragment_payload fragment_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef FRAGMENT_PAYLOAD_H_
+#define FRAGMENT_PAYLOAD_H_
+
+typedef struct fragment_payload_t fragment_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Object representing an IKEv1 fragment payload.
+ */
+struct fragment_payload_t {
+
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * Get the fragment ID. Identifies the fragments for a particular IKE
+ * message.
+ *
+ * @return fragment ID
+ */
+ u_int16_t (*get_id)(fragment_payload_t *this);
+
+ /**
+ * Get the fragment number. Defines the order of the fragments.
+ *
+ * @return fragment number
+ */
+ u_int8_t (*get_number)(fragment_payload_t *this);
+
+ /**
+ * Check if this is the last fragment.
+ *
+ * @return TRUE if this is the last fragment
+ */
+ bool (*is_last)(fragment_payload_t *this);
+
+ /**
+ * Get the fragment data.
+ *
+ * @return chunkt to internal fragment data
+ */
+ chunk_t (*get_data)(fragment_payload_t *this);
+
+ /**
+ * Destroys an fragment_payload_t object.
+ */
+ void (*destroy)(fragment_payload_t *this);
+};
+
+/**
+ * Creates an empty fragment_payload_t object.
+ *
+ * @return fragment_payload_t object
+ */
+fragment_payload_t *fragment_payload_create();
+
+/**
+ * Creates a fragment payload from the given data. All fragments currently
+ * have the same fragment ID (1), which seems what other implementations are
+ * doing.
+ *
+ * @param num fragment number (first one should be 1)
+ * @param last TRUE to indicate that this is the last fragment
+ * @param data fragment data (gets cloned)
+ * @return fragment_payload_t object
+ */
+fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last,
+ chunk_t data);
+
+#endif /** FRAGMENT_PAYLOAD_H_ @}*/
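Review bot: The `get_data` documentation has a typo and does not spell out ownership: `@return chunkt to internal fragment data` should read something like `@return chunk pointing to internal fragment data, valid until destroy(), must not be freed`. The implementation returns `this->data` without cloning and `destroy()` frees it, so a caller that keeps the chunk past `destroy()` would hold a dangling pointer. As a style point, `fragment_payload_create();` declares an unprototyped function in C; `fragment_payload_create(void);` lets the compiler reject stray arguments.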
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index 02b07d691..7470bb3b4 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -165,7 +165,7 @@ METHOD(payload_t, verify, status_t,
{
bool bad_length = FALSE;
- if (this->type == NAT_OA_V1 &&
+ if ((this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1) &&
this->id_type != ID_IPV4_ADDR && this->id_type != ID_IPV6_ADDR)
{
DBG1(DBG_ENC, "invalid ID type %N for %N payload", id_type_names,
@@ -195,7 +195,8 @@ METHOD(payload_t, verify, status_t,
METHOD(payload_t, get_encoding_rules, int,
private_id_payload_t *this, encoding_rule_t **rules)
{
- if (this->type == ID_V1 || this->type == NAT_OA_V1)
+ if (this->type == ID_V1 ||
+ this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1)
{
*rules = encodings_v1;
return countof(encodings_v1);
diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h
index e6b7d0dff..d9a44dd0c 100644
--- a/src/libcharon/encoding/payloads/ike_header.h
+++ b/src/libcharon/encoding/payloads/ike_header.h
@@ -72,7 +72,7 @@ enum exchange_type_t{
AUTH_ONLY = 3,
/**
- * Aggresive (Aggressive mode)
+ * Aggressive (Aggressive mode)
*/
AGGRESSIVE = 4,
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index 5942954d9..d3aa18484 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -27,7 +27,7 @@ typedef struct ke_payload_t ke_payload_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/transform_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/diffie_hellman.h>
/**
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index beec1e233..498c659b1 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -30,7 +30,7 @@ typedef struct notify_payload_t notify_payload_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* Notify message types for IKEv2, and a subset for IKEv1.
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index dc158476b..f9dd33edb 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -36,6 +36,7 @@
#include <encoding/payloads/configuration_attribute.h>
#include <encoding/payloads/eap_payload.h>
#include <encoding/payloads/hash_payload.h>
+#include <encoding/payloads/fragment_payload.h>
#include <encoding/payloads/unknown_payload.h>
ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
@@ -79,20 +80,17 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWORD_METH
#ifdef ME
ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
"ID_PEER");
-ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, ID_PEER,
- "HEADER",
- "PROPOSAL_SUBSTRUCTURE",
- "PROPOSAL_SUBSTRUCTURE_V1",
- "TRANSFORM_SUBSTRUCTURE",
- "TRANSFORM_SUBSTRUCTURE_V1",
- "TRANSFORM_ATTRIBUTE",
- "TRANSFORM_ATTRIBUTE_V1",
- "TRAFFIC_SELECTOR_SUBSTRUCTURE",
- "CONFIGURATION_ATTRIBUTE",
- "CONFIGURATION_ATTRIBUTE_V1",
- "ENCRYPTED_V1");
+ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+ "NAT_D_DRAFT_V1",
+ "NAT_OA_DRAFT_V1",
+ "FRAGMENT");
#else
-ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ "NAT_D_DRAFT_V1",
+ "NAT_OA_DRAFT_V1",
+ "FRAGMENT");
+#endif /* ME */
+ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
"HEADER",
"PROPOSAL_SUBSTRUCTURE",
"PROPOSAL_SUBSTRUCTURE_V1",
@@ -104,7 +102,6 @@ ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWORD_METH
"CONFIGURATION_ATTRIBUTE",
"CONFIGURATION_ATTRIBUTE_V1",
"ENCRYPTED_V1");
-#endif /* ME */
ENUM_END(payload_type_names, ENCRYPTED_V1);
/* short forms of payload names */
@@ -147,23 +144,19 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWOR
"EAP",
"GSPM");
#ifdef ME
-ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER,
- GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
"IDp");
-ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, ID_PEER,
- "HDR",
- "PROP",
- "PROP",
- "TRANS",
- "TRANS",
- "TRANSATTR",
- "TRANSATTR",
- "TSSUB",
- "CATTR",
- "CATTR",
- "E");
+ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+ "NAT-D",
+ "NAT-OA",
+ "FRAG");
#else
-ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ "NAT-D",
+ "NAT-OA",
+ "FRAG");
+#endif /* ME */
+ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
"HDR",
"PROP",
"PROP",
@@ -175,7 +168,6 @@ ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, GENERIC_SECURE_PASSWOR
"CATTR",
"CATTR",
"E");
-#endif /* ME */
ENUM_END(payload_type_short_names, ENCRYPTED_V1);
/*
@@ -206,6 +198,7 @@ payload_t *payload_create(payload_type_t type)
case ID_RESPONDER:
case ID_V1:
case NAT_OA_V1:
+ case NAT_OA_DRAFT_00_03_V1:
#ifdef ME
case ID_PEER:
#endif /* ME */
@@ -239,6 +232,7 @@ payload_t *payload_create(payload_type_t type)
case HASH_V1:
case SIGNATURE_V1:
case NAT_D_V1:
+ case NAT_D_DRAFT_00_03_V1:
return (payload_t*)hash_payload_create(type);
case CONFIGURATION:
case CONFIGURATION_V1:
@@ -251,6 +245,8 @@ payload_t *payload_create(payload_type_t type)
case ENCRYPTED:
case ENCRYPTED_V1:
return (payload_t*)encryption_payload_create(type);
+ case FRAGMENT_V1:
+ return (payload_t*)fragment_payload_create();
default:
return (payload_t*)unknown_payload_create(type);
}
@@ -283,6 +279,10 @@ bool payload_is_known(payload_type_t type)
return TRUE;
}
#endif
+ if (type >= NAT_D_DRAFT_00_03_V1 && type <= FRAGMENT_V1)
+ {
+ return TRUE;
+ }
return FALSE;
}
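Review bot: The added range test `type >= NAT_D_DRAFT_00_03_V1 && type <= FRAGMENT_V1` in `payload_is_known()` does not depend on the IKE version. Types 130–132 are therefore reported as known for every message, although payload.h documents them as IKEv1 draft and proprietary values. If the IKEv2 parsing path consults this function (not visible in this hunk), a private-use payload carrying one of these numbers would no longer go through the unknown-payload handling. At minimum add a comment such as `/* IKEv1 only: NAT-T draft 00-03 and fragmentation payloads */`, and consider gating on the version where the caller knows it. The function starts outside the hunk.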
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index d5e862601..0e8a9267b 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -123,7 +123,7 @@ enum payload_type_t {
NAT_D_V1 = 20,
/**
- * NAT original address payload (NAT-OA)
+ * NAT original address payload (NAT-OA).
*/
NAT_OA_V1 = 21,
@@ -221,6 +221,21 @@ enum payload_type_t {
#endif /* ME */
/**
+ * NAT discovery payload (NAT-D) (drafts).
+ */
+ NAT_D_DRAFT_00_03_V1 = 130,
+
+ /**
+ * NAT original address payload (NAT-OA) (drafts).
+ */
+ NAT_OA_DRAFT_00_03_V1 = 131,
+
+ /**
+ * IKE fragment (proprietary IKEv1 extension)
+ */
+ FRAGMENT_V1 = 132,
+
+ /**
* Header has a value of PRIVATE USE space.
*
* This type and all the following are never sent over wire and are
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 653f51a46..ae0fce991 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -22,7 +22,7 @@
#include <encoding/payloads/encodings.h>
#include <encoding/payloads/transform_substructure.h>
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <daemon.h>
/**
@@ -253,6 +253,8 @@ typedef enum {
IKEV1_ENCAP_TRANSPORT = 2,
IKEV1_ENCAP_UDP_TUNNEL = 3,
IKEV1_ENCAP_UDP_TRANSPORT = 4,
+ IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03 = 61443,
+ IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03 = 61444,
} ikev1_esp_encap_t;
/**
@@ -810,14 +812,30 @@ static u_int16_t get_ikev1_auth(auth_method_t method)
/**
* Get IKEv1 encapsulation mode
*/
-static u_int16_t get_ikev1_mode(ipsec_mode_t mode, bool udp)
+static u_int16_t get_ikev1_mode(ipsec_mode_t mode, encap_t udp)
{
switch (mode)
{
case MODE_TUNNEL:
- return udp ? IKEV1_ENCAP_UDP_TUNNEL : IKEV1_ENCAP_TUNNEL;
+ switch (udp)
+ {
+ case ENCAP_UDP:
+ return IKEV1_ENCAP_UDP_TUNNEL;
+ case ENCAP_UDP_DRAFT_00_03:
+ return IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03;
+ default:
+ return IKEV1_ENCAP_TUNNEL;
+ }
case MODE_TRANSPORT:
- return udp ? IKEV1_ENCAP_UDP_TRANSPORT : IKEV1_ENCAP_TRANSPORT;
+ switch (udp)
+ {
+ case ENCAP_UDP:
+ return IKEV1_ENCAP_UDP_TRANSPORT;
+ case ENCAP_UDP_DRAFT_00_03:
+ return IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03;
+ default:
+ return IKEV1_ENCAP_TRANSPORT;
+ }
default:
return IKEV1_ENCAP_TUNNEL;
}
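Review bot: The parameter of `get_ikev1_mode()` is still called `udp` although it is now an `encap_t` with three values, so `switch (udp)` reads like a test on a boolean. Renaming it, as in `static u_int16_t get_ikev1_mode(ipsec_mode_t mode, encap_t encap)`, would make the nested switches self-explanatory. The same applies to the other signatures this commit changes from `bool udp` to `encap_t udp`, further down in this file and in proposal_substructure.h, sa_payload.c and sa_payload.h. The function comment could also note that any value other than the two UDP variants falls through `default:` to the plain tunnel or transport value.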
@@ -1125,9 +1143,11 @@ METHOD(proposal_substructure_t, get_encap_mode, ipsec_mode_t,
case IKEV1_ENCAP_TUNNEL:
return MODE_TUNNEL;
case IKEV1_ENCAP_UDP_TRANSPORT:
+ case IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03:
*udp = TRUE;
return MODE_TRANSPORT;
case IKEV1_ENCAP_UDP_TUNNEL:
+ case IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03:
*udp = TRUE;
return MODE_TUNNEL;
default:
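Review bot: In `get_encap_mode()` the new `IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03` and `IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03` cases are folded into the existing `*udp = TRUE` branches. The caller therefore cannot tell whether the peer sent the RFC value or the draft value. If the negotiated NAT-T variant is meant to determine which attribute value is acceptable, that check cannot be made from this output. Should the leniency be intentional, a short comment on the two added case labels would record it, e.g. `/* draft and RFC values are accepted interchangeably */`. The method starts and ends outside the hunk.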
@@ -1263,7 +1283,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
*/
static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
- ipsec_mode_t mode, bool udp, int number)
+ ipsec_mode_t mode, encap_t udp, int number)
{
transform_substructure_t *transform = NULL;
u_int16_t alg, key_size;
@@ -1459,7 +1479,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
*/
proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp)
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp)
{
private_proposal_substructure_t *this;
@@ -1487,7 +1507,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
*/
proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp)
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp)
{
private_proposal_substructure_t *this = NULL;
enumerator_t *enumerator;
@@ -1531,7 +1551,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
*/
proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
- ipsec_mode_t mode, bool udp, u_int8_t proposal_number)
+ ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number)
{
private_proposal_substructure_t *this;
transform_substructure_t *transform;
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index 5d42a6116..c8e7adfd8 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -23,17 +23,27 @@
#ifndef PROPOSAL_SUBSTRUCTURE_H_
#define PROPOSAL_SUBSTRUCTURE_H_
+typedef enum encap_t encap_t;
typedef struct proposal_substructure_t proposal_substructure_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/transform_substructure.h>
#include <config/proposal.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <kernel/kernel_ipsec.h>
#include <sa/authenticator.h>
/**
+ * Encap type for proposal substructure
+ */
+enum encap_t {
+ ENCAP_NONE = 0,
+ ENCAP_UDP,
+ ENCAP_UDP_DRAFT_00_03,
+};
+
+/**
* Class representing an IKEv1/IKEv2 proposal substructure.
*/
struct proposal_substructure_t {
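Review bot: The new `enum encap_t` has only the one-line header `Encap type for proposal substructure`; none of its three enumerators says which attribute values it selects. The revised parameter text in the later hunks of this file and in sa_payload.h, `@param udp ENCAP_UDP to use UDP encapsulation`, also omits `ENCAP_NONE` and `ENCAP_UDP_DRAFT_00_03`. I would add a `/** ... */` line per enumerator (no UDP encapsulation, RFC values, draft 00-03 private-use values) and change the parameter text to `@param udp ENCAP_NONE, ENCAP_UDP, or ENCAP_UDP_DRAFT_00_03 for the NAT-T draft values`.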
@@ -179,12 +189,12 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
* @param lifebytes lifebytes, in bytes
* @param auth authentication method to use, or AUTH_NONE
* @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp TRUE to use UDP encapsulation
+ * @param udp ENCAP_UDP to use UDP encapsulation
* @return proposal_substructure_t object PROPOSAL_SUBSTRUCTURE_V1
*/
proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp);
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp);
/**
* Creates an IKEv1 proposal_substructure_t from a list of proposal_t.
@@ -194,12 +204,12 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
* @param lifebytes lifebytes, in bytes
* @param auth authentication method to use, or AUTH_NONE
* @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp TRUE to use UDP encapsulation
+ * @param udp ENCAP_UDP to use UDP encapsulation
* @return IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
*/
proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp);
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp);
/**
* Creates an IKEv1 proposal_substructure_t for IPComp with the given
@@ -209,12 +219,12 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
* @param lifebytes lifebytes, in bytes
* @param cpi the CPI to be used
* @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp TRUE to use UDP encapsulation
+ * @param udp ENCAP_UDP to use UDP encapsulation
* @param proposal_number the proposal number of the proposal to be linked
* @return IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
*/
proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
- ipsec_mode_t mode, bool udp, u_int8_t proposal_number);
+ ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number);
#endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index adf19aa67..a588d4e97 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -20,7 +20,7 @@
#include "sa_payload.h"
#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <daemon.h>
/* IKEv1 situation */
@@ -552,8 +552,8 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
*/
sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp,
- u_int16_t cpi)
+ auth_method_t auth, ipsec_mode_t mode,
+ encap_t udp, u_int16_t cpi)
{
proposal_substructure_t *substruct;
private_sa_payload_t *this;
@@ -591,8 +591,8 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
*/
sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp,
- u_int16_t cpi)
+ auth_method_t auth, ipsec_mode_t mode,
+ encap_t udp, u_int16_t cpi)
{
private_sa_payload_t *this;
linked_list_t *proposals;
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index 9a88cccd5..b62a341d8 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -27,7 +27,7 @@ typedef struct sa_payload_t sa_payload_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <kernel/kernel_ipsec.h>
#include <sa/authenticator.h>
@@ -133,13 +133,13 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal);
* @param lifebytes lifebytes, in bytes
* @param auth authentication method to use, or AUTH_NONE
* @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp TRUE to use UDP encapsulation
+ * @param udp ENCAP_UDP to use UDP encapsulation
* @param cpi CPI in case IPComp should be used
* @return sa_payload_t object
*/
sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp,
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp,
u_int16_t cpi);
/**
@@ -150,13 +150,13 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
* @param lifebytes lifebytes, in bytes
* @param auth authentication method to use, or AUTH_NONE
* @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
- * @param udp TRUE to use UDP encapsulation
+ * @param udp ENCAP_UDP to use UDP encapsulation
* @param cpi CPI in case IPComp should be used
* @return sa_payload_t object
*/
sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp,
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp,
u_int16_t cpi);
#endif /** SA_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index 378f5bbc3..15f791b95 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -18,7 +18,7 @@
#include "traffic_selector_substructure.h"
#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.h b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
index 1ad5fb526..d3fbe8476 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
@@ -25,7 +25,7 @@
typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <selectors/traffic_selector.h>
#include <encoding/payloads/payload.h>
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
index a4a920b60..a85027561 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.c
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -22,7 +22,7 @@
#include <encoding/payloads/transform_attribute.h>
#include <encoding/payloads/encodings.h>
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <daemon.h>
typedef struct private_transform_substructure_t private_transform_substructure_t;
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index 947df24f9..97717e65b 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -27,7 +27,7 @@ typedef struct transform_substructure_t transform_substructure_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/transform_attribute.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/diffie_hellman.h>
#include <crypto/signers/signer.h>
#include <crypto/prfs/prf.h>
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
index a7678da73..8dfa47bc2 100644
--- a/src/libcharon/encoding/payloads/ts_payload.c
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -20,7 +20,7 @@
#include "ts_payload.h"
#include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_ts_payload_t private_ts_payload_t;
diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h
index 5a92655dc..933245c62 100644
--- a/src/libcharon/encoding/payloads/ts_payload.h
+++ b/src/libcharon/encoding/payloads/ts_payload.h
@@ -25,7 +25,7 @@
typedef struct ts_payload_t ts_payload_t;
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <selectors/traffic_selector.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/traffic_selector_substructure.h>
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 2f87a5ecb..f683cf818 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -28,7 +28,7 @@
#include <processing/jobs/callback_job.h>
#include <crypto/hashers/hasher.h>
#include <threading/mutex.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
/** lifetime of a cookie, in seconds */
#define COOKIE_LIFETIME 10
@@ -488,6 +488,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
{
DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
packet->get_source(packet));
+ charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_HEADER, message);
message->destroy(message);
return JOB_REQUEUE_DIRECT;
}
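Review bot: The added `charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_HEADER, message);` fires for any datagram whose IKE header fails to parse, before the sender has been authenticated in any way. A remote host can therefore trigger this alert at packet rate. Listeners are not visible here, but if they log, allocate or block, that becomes load an unauthenticated peer controls. I would document the expectation at the call site, e.g. `/* unauthenticated input: listeners must be cheap and rate-limit their own output */`. `receive_packets()` starts and ends outside the hunk.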
diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h
index 9e8edee45..58bfe4a96 100644
--- a/src/libcharon/network/receiver.h
+++ b/src/libcharon/network/receiver.h
@@ -26,8 +26,8 @@
typedef struct receiver_t receiver_t;
#include <library.h>
-#include <utils/host.h>
-#include <utils/packet.h>
+#include <networking/host.h>
+#include <networking/packet.h>
/**
* Callback called for any received UDP encapsulated ESP packet.
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index 059f24b39..dd8efc1ec 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -94,10 +94,11 @@ METHOD(sender_t, send_, void,
{
host_t *src, *dst;
- /* if neither source nor destination port is 500 we add a Non-ESP marker */
src = packet->get_source(packet);
dst = packet->get_destination(packet);
- DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+ DBG1(DBG_NET, "sending packet: from %#H to %#H (%zu bytes)", src, dst,
+ packet->get_data(packet).len);
if (this->send_delay)
{
@@ -120,6 +121,7 @@ METHOD(sender_t, send_, void,
message->destroy(message);
}
+ /* if neither source nor destination port is 500 we add a Non-ESP marker */
if (dst->get_port(dst) != IKEV2_UDP_PORT &&
src->get_port(src) != IKEV2_UDP_PORT)
{
diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h
index 9b5c325cc..080559b89 100644
--- a/src/libcharon/network/sender.h
+++ b/src/libcharon/network/sender.h
@@ -26,7 +26,7 @@
typedef struct sender_t sender_t;
#include <library.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
/**
* Callback job responsible for sending IKE packets over the socket.
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index b8850c6ed..f6c8a8660 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -27,8 +27,8 @@
typedef struct socket_t socket_t;
#include <library.h>
-#include <utils/packet.h>
-#include <utils/enumerator.h>
+#include <networking/packet.h>
+#include <collections/enumerator.h>
#include <plugins/plugin.h>
/**
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index d2736de8e..bf1fe5ba2 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -20,7 +20,7 @@
#include <daemon.h>
#include <threading/thread.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_socket_manager_t private_socket_manager_t;
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 8673e6ecd..5bc6d1ec3 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_addrblock_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -376,7 +385,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES)
+libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) $(EXTRA_libstrongswan_addrblock_la_DEPENDENCIES)
$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -515,10 +524,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 1b07378f7..65f4ed08c 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -15,7 +15,7 @@
#include "addrblock_validator.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
#include <selectors/traffic_selector.h>
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index ebe6ebb4d..312e63f2a 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_android_la_DEPENDENCIES =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES)
+libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_la_DEPENDENCIES)
$(libstrongswan_android_la_LINK) $(am_libstrongswan_android_la_rpath) $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -517,10 +526,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
index f1d3045ca..29dbbbfd0 100644
--- a/src/libcharon/plugins/android/android_handler.c
+++ b/src/libcharon/plugins/android/android_handler.c
@@ -16,7 +16,8 @@
#include "android_handler.h"
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
#include <cutils/properties.h>
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 81628b80a..6af35e5df 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -264,12 +264,12 @@ static job_requeue_t initiate(private_android_service_t *this)
this->creds->set_username_password(this->creds, user, password);
}
- ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE,
+ ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- hostname, FALSE, IKEV2_UDP_PORT);
+ hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create("android", IKEV2, ike_cfg, CERT_SEND_IF_ASKED,
+ peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
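Review bot: The updated `ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE, ...)` call passes three bare booleans between the new version and fragmentation arguments, so a swapped or shifted flag would still compile and silently change how the connection is negotiated. The `peer_cfg_create` call just below already labels its positional values (`/* keyingtries */`, `/* rekey 10h, reauth none */`), and the same treatment would help here, for example `ike_cfg_create(IKEV2, TRUE /* certreq */, FALSE /* force_encap */, ...`. The parameter names in that example are presumed, because the prototype is not visible in this hunk; check them against ike_cfg.h before adding the comments. `initiate()` starts before the hunk, and the `peer_cfg_create` call continues past it.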
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 00f0eb869..5875e6202 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_android_log_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-android-log.la: $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_DEPENDENCIES)
+libstrongswan-android-log.la: $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_log_la_DEPENDENCIES)
$(libstrongswan_android_log_la_LINK) $(am_libstrongswan_android_log_la_rpath) $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 4c098fcc7..50000ce5e 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_certexpire_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -378,7 +387,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES)
+libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES) $(EXTRA_libstrongswan_certexpire_la_DEPENDENCIES)
$(libstrongswan_certexpire_la_LINK) $(am_libstrongswan_certexpire_la_rpath) $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -518,10 +527,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/certexpire/certexpire_cron.c b/src/libcharon/plugins/certexpire/certexpire_cron.c
index e8cd4bfd8..5f2fd7ca4 100644
--- a/src/libcharon/plugins/certexpire/certexpire_cron.c
+++ b/src/libcharon/plugins/certexpire/certexpire_cron.c
@@ -17,7 +17,7 @@
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <processing/jobs/callback_job.h>
typedef struct private_certexpire_cron_t private_certexpire_cron_t;
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.c b/src/libcharon/plugins/certexpire/certexpire_export.c
index 8e046d0fe..e339b8004 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@@ -21,9 +21,9 @@
#include <limits.h>
#include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
#include <threading/mutex.h>
#include <credentials/certificates/x509.h>
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.h b/src/libcharon/plugins/certexpire/certexpire_export.h
index 64281d0bd..7b75f2c92 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.h
+++ b/src/libcharon/plugins/certexpire/certexpire_export.h
@@ -23,7 +23,7 @@
typedef struct certexpire_export_t certexpire_export_t;
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* Caches and exports trustchain information to CSV files.
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 9ad158b4c..7eaadf74f 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_coupling_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES)
+libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES) $(EXTRA_libstrongswan_coupling_la_DEPENDENCIES)
$(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index ec42d8de6..f25f02845 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_dhcp_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES)
+libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) $(EXTRA_libstrongswan_dhcp_la_DEPENDENCIES)
$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index 8bc547462..f83efda5d 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -15,7 +15,7 @@
#include "dhcp_provider.h"
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
#include <threading/mutex.h>
typedef struct private_dhcp_provider_t private_dhcp_provider_t;
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index f469c5a35..46d4c64ef 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -25,7 +25,7 @@
#include <linux/if_ether.h>
#include <linux/filter.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
#include <threading/mutex.h>
#include <threading/condvar.h>
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.c b/src/libcharon/plugins/dhcp/dhcp_transaction.c
index 83f822dd8..22d3f3fdf 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.c
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.c
@@ -15,7 +15,7 @@
#include "dhcp_transaction.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_dhcp_transaction_t private_dhcp_transaction_t;
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.h b/src/libcharon/plugins/dhcp/dhcp_transaction.h
index 19c163f88..35f08e836 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.h
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.h
@@ -21,7 +21,7 @@
#ifndef DHCP_TRANSACTION_H_
#define DHCP_TRANSACTION_H_
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
#include <attributes/attributes.h>
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index d739660da..0577b25ac 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_duplicheck_la_LIBADD =
@@ -131,6 +137,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -158,6 +165,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -185,6 +193,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -197,6 +206,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -250,7 +260,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -385,7 +394,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES)
+libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES) $(EXTRA_libstrongswan_duplicheck_la_DEPENDENCIES)
$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
@@ -430,7 +439,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES)
+duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES) $(EXTRA_duplicheck_DEPENDENCIES)
@rm -f duplicheck$(EXEEXT)
$(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
@@ -571,10 +580,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_listener.c b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
index 4f59e034f..1b0df1e8b 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_listener.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
@@ -17,7 +17,7 @@
#include <daemon.h>
#include <threading/mutex.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
#include <encoding/payloads/delete_payload.h>
#include <processing/jobs/delete_ike_sa_job.h>
@@ -191,6 +191,7 @@ METHOD(listener_t, message_hook, bool,
{
DBG1(DBG_CFG, "got a response on a duplicate IKE_SA for '%Y', "
"deleting new IKE_SA", id);
+ charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
entry_destroy(entry);
this->mutex->lock(this->mutex);
entry = this->active->remove(this->active, id);
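Review bot: The added `charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);` call passes nothing that identifies which IKE_SA is being dropped. It is raised from inside message_hook, so the SA context a listener sees is presumably the old IKE_SA that answered the check, not the new one the DBG1 line says is being deleted; this is inferred, because the bus implementation is not visible here. Anyone using this alert to monitor duplicate-identity logins needs to know that, so I would add a comment above the call such as `/* raised in the context of the IKE_SA that answered the check, not the new IKE_SA being deleted */`, once confirmed. The call sits before `this->mutex->lock(this->mutex)`, which keeps listeners from running under the plugin mutex, and that ordering is worth preserving. message_hook's body starts and ends outside this hunk.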
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index 06a88ed7d..cd5d4970b 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -25,7 +25,7 @@
#include <daemon.h>
#include <threading/mutex.h>
#include <threading/thread.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index e098c2c75..b0be409aa 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_aka_la_DEPENDENCIES = \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES)
+libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_la_DEPENDENCIES)
$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -516,10 +525,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 4655d341b..1b805a050 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES = $(am__append_1)
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES)
+libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES)
$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -520,10 +529,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index bf467ebeb..7e55847d6 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_eap_dynamic_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-dynamic.la: $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_DEPENDENCIES)
+libstrongswan-eap-dynamic.la: $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_dynamic_la_DEPENDENCIES)
$(libstrongswan_eap_dynamic_la_LINK) $(am_libstrongswan_eap_dynamic_la_rpath) $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 8a334983b..3bff722d3 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_eap_gtc_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES)
+libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_gtc_la_DEPENDENCIES)
$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 2f4494c39..f7e768aa1 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_eap_identity_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES)
+libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_identity_la_DEPENDENCIES)
$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index dcf95198f..9b344967b 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_eap_md5_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES)
+libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_md5_la_DEPENDENCIES)
$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index e954396ec..82ea844a0 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_eap_mschapv2_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES)
+libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_mschapv2_la_DEPENDENCIES)
$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 0d71c3d97..96f437583 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -21,7 +21,7 @@
#include <daemon.h>
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <crypto/crypters/crypter.h>
#include <crypto/hashers/hasher.h>
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 82aa990ae..e6ccb9e17 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_peap_la_DEPENDENCIES = \
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES)
+libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_peap_la_DEPENDENCIES)
$(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.c b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
index 10f6ec11c..f7f634a53 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_avp.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
@@ -16,7 +16,7 @@
#include "eap_peap_avp.h"
#include <eap/eap.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* Microsoft Success and Failure Result AVPs
@@ -78,7 +78,7 @@ METHOD(eap_peap_avp_t, build, void,
}
*/
else
- {
+ {
avp_data = chunk_skip(data, 4);
}
writer->write_data(writer, avp_data);
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
index 79fd667cb..f482c5b54 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -16,7 +16,7 @@
#include "eap_peap_peer.h"
#include "eap_peap_avp.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
typedef struct private_eap_peap_peer_t private_eap_peap_peer_t;
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index 0e8046501..5237cb62c 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -16,7 +16,7 @@
#include "eap_peap_server.h"
#include "eap_peap_avp.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
typedef struct private_eap_peap_server_t private_eap_peap_server_t;
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 1bdf24c2c..86d26390f 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -381,7 +390,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES)
+libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_radius_la_DEPENDENCIES)
$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -522,10 +531,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 870ed1fc0..6009d3a1f 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -181,9 +181,23 @@ METHOD(eap_method_t, initiate, status_t,
if (response)
{
eap_radius_forward_to_ike(response);
- if (radius2ike(this, response, out))
+ switch (response->get_code(response))
{
- status = NEED_MORE;
+ case RMC_ACCESS_CHALLENGE:
+ if (radius2ike(this, response, out))
+ {
+ status = NEED_MORE;
+ }
+ break;
+ case RMC_ACCESS_ACCEPT:
+ /* Microsoft RADIUS servers can run in a mode where they respond
+ * like this on the first request (i.e. without authentication),
+ * we treat this as Access-Reject */
+ case RMC_ACCESS_REJECT:
+ default:
+ DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+ this->peer);
+ break;
}
response->destroy(response);
}
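Review bot: The failure arm (`case RMC_ACCESS_ACCEPT:` falling through to `RMC_ACCESS_REJECT` and `default:`) logs and breaks without assigning `status`, so what `initiate` returns for an unauthenticated Access-Accept depends on the variable's initial value, which is declared outside this hunk. The corresponding arm in `process` sets it explicitly; adding `status = FAILED;` before the `break;` here would keep the reject path correct even if the initialiser changes later. The Access-Accept case also shares the generic "failed" message, so the log cannot distinguish a RADIUS server answering without authentication from an ordinary reject; a separate line under that case, such as `DBG1(DBG_IKE, "unexpected RADIUS Access-Accept on initial request for '%Y'", this->peer);`, would make the condition visible to operators. `eap_radius_forward_to_ike(response)` still runs before the code is checked, so it presumably also processes attributes from responses that are then treated as rejects; it is worth confirming that this is intended.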
@@ -365,7 +379,8 @@ METHOD(eap_method_t, process, status_t,
break;
case RMC_ACCESS_REJECT:
default:
- DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
+ DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+ this->peer);
status = FAILED;
break;
}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index f164f67ed..3c72c122d 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -21,7 +21,7 @@
#include <radius_message.h>
#include <radius_client.h>
#include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
#include <threading/mutex.h>
typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t;
@@ -301,6 +301,28 @@ METHOD(listener_t, message_hook, bool,
return TRUE;
}
+METHOD(listener_t, ike_rekey, bool,
+ private_eap_radius_accounting_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+ entry_t *entry;
+
+ this->mutex->lock(this->mutex);
+ entry = this->sessions->remove(this->sessions,
+ (void*)(uintptr_t)old->get_unique_id(old));
+ if (entry)
+ {
+ entry = this->sessions->put(this->sessions,
+ (void*)(uintptr_t)new->get_unique_id(new), entry);
+ if (entry)
+ {
+ free(entry);
+ }
+ }
+ this->mutex->unlock(this->mutex);
+
+ return TRUE;
+}
+
METHOD(listener_t, child_rekey, bool,
private_eap_radius_accounting_t *this, ike_sa_t *ike_sa,
child_sa_t *old, child_sa_t *new)
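Review bot: The new `ike_rekey` listener has no comment explaining why the session entry is moved from the old IKE_SA's unique id to the new one, and it silently drops any entry that `put` displaces with a bare `free(entry)`. A short header such as `/* keep the accounting session across IKE_SA rekeying: re-register the entry under the new unique id */` would document the intent. The `entry_t` definition is outside this hunk, so if it owns any heap members the displaced entry needs the same cleanup that the session's normal teardown uses rather than `free()`. A displaced entry also means a session was already registered under the new id, which is worth a `DBG1` line because its accounting state is discarded without a trace.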
@@ -340,6 +362,7 @@ eap_radius_accounting_t *eap_radius_accounting_create()
.public = {
.listener = {
.ike_updown = _ike_updown,
+ .ike_rekey = _ike_rekey,
.message = _message_hook,
.child_updown = _child_updown,
.child_rekey = _child_rekey,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index 2dd38ea2f..e9124877c 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -16,8 +16,8 @@
#include "eap_radius_forward.h"
#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
#include <threading/mutex.h>
typedef struct private_eap_radius_forward_t private_eap_radius_forward_t;
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 99a5c1cc5..8cf79e503 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_sim_la_DEPENDENCIES = \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES)
+libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_la_DEPENDENCIES)
$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -516,10 +525,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index d1caa30c4..781087d3b 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_sim_file_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES)
+libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_file_la_DEPENDENCIES)
$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -520,10 +529,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
index de3b69382..ec1686910 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -19,7 +19,7 @@
#include <errno.h>
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
#include <simaka_manager.h>
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
index c8e9e0359..3fa0ea381 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -21,7 +21,7 @@
#ifndef EAP_SIM_FILE_TRIPLETS_H_
#define EAP_SIM_FILE_TRIPLETS_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 83d931883..168b0e3d6 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES)
+libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_pcsc_la_DEPENDENCIES)
$(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -518,10 +527,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index e8436f2b6..63ef0db8e 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES = \
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES)
+libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES)
$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -519,10 +528,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
index 5f78c967a..b5bbdd60f 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
@@ -16,7 +16,7 @@
#include "eap_simaka_pseudonym_card.h"
#include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
typedef struct private_eap_simaka_pseudonym_card_t private_eap_simaka_pseudonym_card_t;
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
index 3070b808a..3c63e82a9 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
@@ -15,8 +15,8 @@
#include "eap_simaka_pseudonym_provider.h"
-#include <debug.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <collections/hashtable.h>
typedef struct private_eap_simaka_pseudonym_provider_t private_eap_simaka_pseudonym_provider_t;
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 627f8c12e..daf329ce2 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_simaka_reauth_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -379,7 +388,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES)
+libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_reauth_la_DEPENDENCIES)
$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -518,10 +527,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
index 870d72781..5bc5fd382 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
@@ -16,7 +16,7 @@
#include "eap_simaka_reauth_card.h"
#include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
typedef struct private_eap_simaka_reauth_card_t private_eap_simaka_reauth_card_t;
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
index b1a9a7f7c..937095ec1 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
@@ -16,7 +16,7 @@
#include "eap_simaka_reauth_provider.h"
#include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
typedef struct private_eap_simaka_reauth_provider_t private_eap_simaka_reauth_provider_t;
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 8030190f8..b72fc42e9 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_simaka_sql_la_DEPENDENCIES = \
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -378,7 +387,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES)
+libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_sql_la_DEPENDENCIES)
$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -517,10 +526,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 55e03b2f7..095eff6cf 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES = \
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES)
+libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tls_la_DEPENDENCIES)
$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index c452f7e16..60a6d6de6 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES = \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -383,7 +392,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES)
+libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tnc_la_DEPENDENCIES)
$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 7efc0fec5..ffa1bae39 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -18,7 +18,7 @@
#include <tnc/tnc.h>
#include <tnc/tnccs/tnccs_manager.h>
#include <tls_eap.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
/**
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 95a5c1fda..f3ec17b0f 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -382,7 +391,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES)
+libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_ttls_la_DEPENDENCIES)
$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -523,10 +532,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
index 0d531c437..47e0f8afb 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
@@ -15,7 +15,7 @@
#include "eap_ttls_avp.h"
-#include <debug.h>
+#include <utils/debug.h>
#define AVP_EAP_MESSAGE 79
#define AVP_HEADER_LEN 8
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 00a4da3f8..66c9deed8 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -16,7 +16,7 @@
#include "eap_ttls_peer.h"
#include "eap_ttls_avp.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
#include <radius_message.h>
#include <sa/eap/eap_method.h>
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index 1418d6a4d..464de17ba 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -16,7 +16,7 @@
#include "eap_ttls_server.h"
#include "eap_ttls_avp.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
#include <sa/eap/eap_method.h>
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
new file mode 100644
index 000000000..fccd25201
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -0,0 +1,23 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-error-notify.la
+else
+plugin_LTLIBRARIES = libstrongswan-error-notify.la
+endif
+
+libstrongswan_error_notify_la_SOURCES = \
+ error_notify_plugin.h error_notify_plugin.c \
+ error_notify_socket.h error_notify_socket.c \
+ error_notify_listener.h error_notify_listener.c \
+ error_notify_msg.h
+
+libstrongswan_error_notify_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = error-notify
+error_notify_SOURCES = error_notify.c
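Review bot: The preprocessor settings in this new Makefile.am are split between `INCLUDES` and `AM_CFLAGS`: the `-I` paths use `INCLUDES`, which Automake documents as the older, deprecated name for `AM_CPPFLAGS`, and `-DIPSEC_PIDDIR=\"${piddir}\"` is a define carried in the C flags. I would keep both in `AM_CPPFLAGS` (the three `-I$(top_srcdir)/src/...` entries followed by `-DIPSEC_PIDDIR=\"${piddir}\"`) and leave `AM_CFLAGS = -rdynamic`. Since these flags are not per-target, the plugin and the installed `error-notify` program are both built with the same compiled-in directory, which looks intentional but is not stated anywhere; a comment such as `# IPSEC_PIDDIR is shared by the plugin and the error-notify client` would make that explicit. If that directory holds a local socket, as the `error_notify_socket.c` source name suggests, its ownership and mode decide which local users can reach it, so the comment should also name the permissions expected on `${piddir}`.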
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
new file mode 100644
index 000000000..814304dce
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -0,0 +1,698 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = error-notify$(EXEEXT)
+subdir = src/libcharon/plugins/error_notify
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_error_notify_la_LIBADD =
+am_libstrongswan_error_notify_la_OBJECTS = error_notify_plugin.lo \
+ error_notify_socket.lo error_notify_listener.lo
+libstrongswan_error_notify_la_OBJECTS = \
+ $(am_libstrongswan_error_notify_la_OBJECTS)
+libstrongswan_error_notify_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_error_notify_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_error_notify_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_error_notify_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_error_notify_OBJECTS = error_notify.$(OBJEXT)
+error_notify_OBJECTS = $(am_error_notify_OBJECTS)
+error_notify_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
+ $(error_notify_SOURCES)
+DIST_SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
+ $(error_notify_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-error-notify.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-error-notify.la
+libstrongswan_error_notify_la_SOURCES = \
+ error_notify_plugin.h error_notify_plugin.c \
+ error_notify_socket.h error_notify_socket.c \
+ error_notify_listener.h error_notify_listener.c \
+ error_notify_msg.h
+
+libstrongswan_error_notify_la_LDFLAGS = -module -avoid-version
+error_notify_SOURCES = error_notify.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-error-notify.la: $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_DEPENDENCIES) $(EXTRA_libstrongswan_error_notify_la_DEPENDENCIES)
+ $(libstrongswan_error_notify_la_LINK) $(am_libstrongswan_error_notify_la_rpath) $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+error-notify$(EXEEXT): $(error_notify_OBJECTS) $(error_notify_DEPENDENCIES) $(EXTRA_error_notify_DEPENDENCIES)
+ @rm -f error-notify$(EXEEXT)
+ $(LINK) $(error_notify_OBJECTS) $(error_notify_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-ipsecPROGRAMS install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/error_notify/error_notify.c b/src/libcharon/plugins/error_notify/error_notify.c
new file mode 100644
index 000000000..fec35a45d
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_msg.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <errno.h>
+
+/**
+ * Example of a simple notification listener
+ */
+int main(int argc, char *argv[])
+{
+ struct sockaddr_un addr;
+ error_notify_msg_t msg;
+ int s;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, ERROR_NOTIFY_SOCKET);
+
+ s = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (s < 0)
+ {
+ fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+ return 1;
+ }
+ if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+ {
+ fprintf(stderr, "connect failed: %s\n", strerror(errno));
+ close(s);
+ return 1;
+ }
+ while (1)
+ {
+ if (read(s, &msg, sizeof(msg)) != sizeof(msg))
+ {
+ fprintf(stderr, "read failed: %s\n", strerror(errno));
+ close(s);
+ return 1;
+ }
+ printf("%d %s %s %s %s\n",
+ msg.type, msg.name, msg.id, msg.ip, msg.str);
+ }
+ close(s);
+ return 0;
+}
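Review bot: The read loop in `main` treats every result other than a full message as an error, and then prints the four string fields with `%s` without making sure they are terminated. When the daemon closes the connection, `read()` returns 0 and the message printed uses a stale `errno`. A client should not rely on the sender for termination, so force a trailing `'\0'` on each field before printing. The file also calls `strcpy()` and `strerror()` without `#include <string.h>`, and the `close(s); return 0;` after `while (1)` is unreachable as written.

```c
	ssize_t len;

	/* … unchanged: address setup, socket() and connect() … */
	while (1)
	{
		len = read(s, &msg, sizeof(msg));
		if (len == 0)
		{	/* daemon closed the connection */
			break;
		}
		if (len != sizeof(msg))
		{
			fprintf(stderr, "read failed: %s\n",
					len < 0 ? strerror(errno) : "short message");
			close(s);
			return 1;
		}
		/* do not trust the sender to terminate the strings */
		msg.str[sizeof(msg.str) - 1] = '\0';
		msg.name[sizeof(msg.name) - 1] = '\0';
		msg.id[sizeof(msg.id) - 1] = '\0';
		msg.ip[sizeof(msg.ip) - 1] = '\0';
		/* … unchanged: printf of type, name, id, ip, str … */
	}
	close(s);
	return 0;
```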
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c
new file mode 100644
index 000000000..9a6383cbe
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_error_notify_listener_t private_error_notify_listener_t;
+
+/**
+ * Private data of an error_notify_listener_t object.
+ */
+struct private_error_notify_listener_t {
+
+ /**
+ * Public error_notify_listener_t interface.
+ */
+ error_notify_listener_t public;
+
+ /**
+ * Socket to send notifications over
+ */
+ error_notify_socket_t *socket;
+};
+
+METHOD(listener_t, alert, bool,
+ private_error_notify_listener_t *this, ike_sa_t *ike_sa,
+ alert_t alert, va_list args)
+{
+ error_notify_msg_t msg;
+ message_t *message;
+ host_t *host;
+ identification_t *id;
+ linked_list_t *list, *list2;
+ peer_cfg_t *peer_cfg;
+
+ if (!this->socket->has_listeners(this->socket))
+ {
+ return TRUE;
+ }
+
+ memset(&msg, 0, sizeof(msg));
+
+ switch (alert)
+ {
+ case ALERT_RADIUS_NOT_RESPONDING:
+ msg.type = ERROR_NOTIFY_RADIUS_NOT_RESPONDING;
+ snprintf(msg.str, sizeof(msg.str),
+ "a RADIUS request message timed out");
+ break;
+ case ALERT_LOCAL_AUTH_FAILED:
+ msg.type = ERROR_NOTIFY_LOCAL_AUTH_FAILED;
+ snprintf(msg.str, sizeof(msg.str),
+ "creating local authentication data failed");
+ break;
+ case ALERT_PEER_AUTH_FAILED:
+ msg.type = ERROR_NOTIFY_PEER_AUTH_FAILED;
+ snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
+ break;
+ case ALERT_PARSE_ERROR_HEADER:
+ msg.type = ERROR_NOTIFY_PARSE_ERROR_HEADER;
+ message = va_arg(args, message_t*);
+ snprintf(msg.str, sizeof(msg.str), "parsing IKE header from "
+ "%#H failed", message->get_source(message));
+ break;
+ case ALERT_PARSE_ERROR_BODY:
+ msg.type = ERROR_NOTIFY_PARSE_ERROR_BODY;
+ message = va_arg(args, message_t*);
+ snprintf(msg.str, sizeof(msg.str), "parsing IKE message from "
+ "%#H failed", message->get_source(message));
+ break;
+ case ALERT_RETRANSMIT_SEND_TIMEOUT:
+ msg.type = ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT;
+ snprintf(msg.str, sizeof(msg.str),
+ "IKE message retransmission timed out");
+ break;
+ case ALERT_HALF_OPEN_TIMEOUT:
+ msg.type = ERROR_NOTIFY_HALF_OPEN_TIMEOUT;
+ snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
+ "could be established");
+ break;
+ case ALERT_PROPOSAL_MISMATCH_IKE:
+ msg.type = ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE;
+ list = va_arg(args, linked_list_t*);
+ snprintf(msg.str, sizeof(msg.str), "the received IKE_SA poposals "
+ "did not match: %#P", list);
+ break;
+ case ALERT_PROPOSAL_MISMATCH_CHILD:
+ msg.type = ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD;
+ list = va_arg(args, linked_list_t*);
+ snprintf(msg.str, sizeof(msg.str), "the received CHILD_SA poposals "
+ "did not match: %#P", list);
+ break;
+ case ALERT_TS_MISMATCH:
+ msg.type = ERROR_NOTIFY_TS_MISMATCH;
+ list = va_arg(args, linked_list_t*);
+ list2 = va_arg(args, linked_list_t*);
+ snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
+ "did not match: %#R=== %#R", list, list2);
+ break;
+ case ALERT_INSTALL_CHILD_SA_FAILED:
+ msg.type = ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED;
+ snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
+ break;
+ case ALERT_INSTALL_CHILD_POLICY_FAILED:
+ msg.type = ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED;
+ snprintf(msg.str, sizeof(msg.str), "installing IPsec policy failed");
+ break;
+ case ALERT_UNIQUE_REPLACE:
+ msg.type = ERROR_NOTIFY_UNIQUE_REPLACE;
+ snprintf(msg.str, sizeof(msg.str),
+ "replaced old IKE_SA due to uniqueness policy");
+ break;
+ case ALERT_UNIQUE_KEEP:
+ msg.type = ERROR_NOTIFY_UNIQUE_KEEP;
+ snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
+ "rejected new IKE_SA due to uniqueness policy");
+ break;
+ case ALERT_VIP_FAILURE:
+ msg.type = ERROR_NOTIFY_VIP_FAILURE;
+ list = va_arg(args, linked_list_t*);
+ if (list->get_first(list, (void**)&host) == SUCCESS)
+ {
+ snprintf(msg.str, sizeof(msg.str),
+ "allocating a virtual IP failed, requested was %H", host);
+ }
+ else
+ {
+ snprintf(msg.str, sizeof(msg.str),
+ "expected a virtual IP request, but none found");
+ }
+ break;
+ case ALERT_AUTHORIZATION_FAILED:
+ msg.type = ERROR_NOTIFY_AUTHORIZATION_FAILED;
+ snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
+ "prevented establishment of an IKE_SA");
+ break;
+ default:
+ return TRUE;
+ }
+
+ if (ike_sa)
+ {
+ id = ike_sa->get_other_eap_id(ike_sa);
+ if (id->get_type(id) != ID_ANY)
+ {
+ snprintf(msg.id, sizeof(msg.id), "%Y", id);
+ }
+ host = ike_sa->get_other_host(ike_sa);
+ if (!host->is_anyaddr(host))
+ {
+ snprintf(msg.ip, sizeof(msg.ip), "%#H", host);
+ }
+ peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+ if (peer_cfg)
+ {
+ snprintf(msg.name, sizeof(msg.name), "%s",
+ peer_cfg->get_name(peer_cfg));
+ }
+ }
+
+ this->socket->notify(this->socket, &msg);
+
+ return TRUE;
+}
+
+METHOD(error_notify_listener_t, destroy, void,
+ private_error_notify_listener_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s)
+{
+ private_error_notify_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .alert = _alert,
+ },
+ .destroy = _destroy,
+ },
+ .socket = s,
+ );
+
+ return &this->public;
+}
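Review bot: The two proposal-mismatch messages in `alert` spell the word as "poposals" (the `ALERT_PROPOSAL_MISMATCH_IKE` and `ALERT_PROPOSAL_MISMATCH_CHILD` cases). Since `msg.str` is what listeners receive and may match on, it is worth correcting now: `"the received IKE_SA proposals "` and `"the received CHILD_SA proposals "`. In the `if (ike_sa)` block, `id` and `host` are dereferenced without a NULL check while `peer_cfg` is checked; if `get_other_eap_id()` or `get_other_host()` can return NULL for an IKE_SA that is not yet established (not visible from this hunk), the same guard belongs there. A short comment on `alert` stating that the `va_arg` types in each case must match the arguments documented for that alert would help the next reader.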
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.h b/src/libcharon/plugins/error_notify/error_notify_listener.h
new file mode 100644
index 000000000..70be9d1ad
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_listener error_notify_listener
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_LISTENER_H_
+#define ERROR_NOTIFY_LISTENER_H_
+
+typedef struct error_notify_listener_t error_notify_listener_t;
+
+#include <bus/listeners/listener.h>
+
+#include "error_notify_socket.h"
+
+/**
+ * Listener catching bus alerts.
+ */
+struct error_notify_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a error_notify_listener_t.
+ */
+ void (*destroy)(error_notify_listener_t *this);
+};
+
+/**
+ * Create a error_notify_listener instance.
+ */
+error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s);
+
+#endif /** ERROR_NOTIFY_LISTENER_H_ @}*/
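Review bot: The comment on `error_notify_listener_create` documents neither the parameter nor who owns the socket. In error_notify_listener.c the listener only stores the pointer and its `destroy` frees the listener alone, so the caller has to keep the socket alive for as long as the listener is registered. Adding `@param s socket to send notifications over, not owned by the listener` and `@return listener instance` would state that contract.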
diff --git a/src/libcharon/plugins/error_notify/error_notify_msg.h b/src/libcharon/plugins/error_notify/error_notify_msg.h
new file mode 100644
index 000000000..e3cdd67e9
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_msg.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_msg error_notify_msg
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_MSG_H_
+#define ERROR_NOTIFY_MSG_H_
+
+#define ERROR_NOTIFY_SOCKET IPSEC_PIDDIR "/charon.enfy"
+
+typedef struct error_notify_msg_t error_notify_msg_t;
+
+/**
+ * Message type, these are mapped to ALERT_* types.
+ */
+enum {
+ ERROR_NOTIFY_RADIUS_NOT_RESPONDING = 1,
+ ERROR_NOTIFY_LOCAL_AUTH_FAILED = 2,
+ ERROR_NOTIFY_PEER_AUTH_FAILED = 3,
+ ERROR_NOTIFY_PARSE_ERROR_HEADER = 4,
+ ERROR_NOTIFY_PARSE_ERROR_BODY = 5,
+ ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT = 6,
+ ERROR_NOTIFY_HALF_OPEN_TIMEOUT = 7,
+ ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE = 8,
+ ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD = 9,
+ ERROR_NOTIFY_TS_MISMATCH = 10,
+ ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED = 11,
+ ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED = 12,
+ ERROR_NOTIFY_UNIQUE_REPLACE = 13,
+ ERROR_NOTIFY_UNIQUE_KEEP = 14,
+ ERROR_NOTIFY_VIP_FAILURE = 15,
+ ERROR_NOTIFY_AUTHORIZATION_FAILED = 16,
+};
+
+/**
+ * Message to exchange over notify socket, strings are null-terminated.
+ */
+struct error_notify_msg_t {
+ /** message type */
+ int type;
+ /** string with an error description */
+ char str[128];
+ /** connection name, if known */
+ char name[64];
+ /** peer identity, if known */
+ char id[128];
+ /** peer address and port, if known */
+ char ip[60];
+};
+
+#endif /** ERROR_NOTIFY_MSG_H_ @}*/
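Review bot: The field comments on `error_notify_msg_t` do not say that `str`, `id` and `ip` can carry values derived from what a remote peer sent. The listener fills `id` from the IKE_SA's remote identity and `str` from received proposals or traffic selectors, possibly before authentication has succeeded. Consumers that log or display these fields need to know that, so I would extend the comments, for example `/** peer identity as presented by the peer, if known; may be unauthenticated */`. Because error_notify_socket.c sends the struct as raw bytes, a note that its layout is part of the client interface, and that the `ERROR_NOTIFY_SOCKET` path has to fit into `sun_path`, would also help.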
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
new file mode 100644
index 000000000..f4f0647fb
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_plugin.h"
+
+#include "error_notify_listener.h"
+#include "error_notify_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_error_notify_plugin_t private_error_notify_plugin_t;
+
+/**
+ * private data of error_notify plugin
+ */
+struct private_error_notify_plugin_t {
+
+ /**
+ * Implements plugin interface
+ */
+ error_notify_plugin_t public;
+
+ /**
+ * Listener catching error alerts
+ */
+ error_notify_listener_t *listener;
+
+ /**
+ * Socket sending notifications
+ */
+ error_notify_socket_t *socket;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_error_notify_plugin_t *this)
+{
+ return "error-notify";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_error_notify_plugin_t *this)
+{
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->listener->destroy(this->listener);
+ this->socket->destroy(this->socket);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *error_notify_plugin_create()
+{
+ private_error_notify_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .socket = error_notify_socket_create(),
+ );
+
+ this->listener = error_notify_listener_create(this->socket);
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+ return &this->public.plugin;
+}
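Review bot: `error_notify_plugin_create` does not check the result of `error_notify_socket_create()`, which returns NULL when `open_socket` fails (see error_notify_socket.c in this commit). The listener is then created with a NULL socket, and its `alert` method calls `this->socket->has_listeners(...)` on the first alert; `destroy` in this file dereferences `this->socket` as well. A guard right after `INIT`, `if (!this->socket) { free(this); return NULL; }`, would presumably make the plugin fail to load instead of crashing the daemon later.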
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.h b/src/libcharon/plugins/error_notify/error_notify_plugin.h
new file mode 100644
index 000000000..ed5303a91
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify error_notify
+ * @ingroup cplugins
+ *
+ * @defgroup error_notify_plugin error_notify_plugin
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_PLUGIN_H_
+#define ERROR_NOTIFY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct error_notify_plugin_t error_notify_plugin_t;
+
+/**
+ * Plugin sending error notifications over a UNIX socket.
+ */
+struct error_notify_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** ERROR_NOTIFY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
new file mode 100644
index 000000000..fe3b6355d
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_socket.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include "error_notify_msg.h"
+
+typedef struct private_error_notify_socket_t private_error_notify_socket_t;
+
+/**
+ * Private data of an error_notify_socket_t object.
+ */
+struct private_error_notify_socket_t {
+
+ /**
+ * Public error_notify_socket_t interface.
+ */
+ error_notify_socket_t public;
+
+ /**
+ * Unix socket file descriptor
+ */
+ int socket;
+
+ /**
+ * List of connected clients, as uintptr_t FD
+ */
+ linked_list_t *connected;
+
+ /**
+ * Mutex to lock clients list
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Open error notify unix socket
+ */
+static bool open_socket(private_error_notify_socket_t *this)
+{
+ struct sockaddr_un addr;
+ mode_t old;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, ERROR_NOTIFY_SOCKET);
+
+ this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "creating notify socket failed");
+ return FALSE;
+ }
+ unlink(addr.sun_path);
+ old = umask(~(S_IRWXU | S_IRWXG));
+ if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+ {
+ DBG1(DBG_CFG, "binding notify socket failed: %s", strerror(errno));
+ close(this->socket);
+ return FALSE;
+ }
+ umask(old);
+ if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
+ charon->caps->get_gid(charon->caps)) != 0)
+ {
+ DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
+ strerror(errno));
+ }
+ if (listen(this->socket, 10) < 0)
+ {
+ DBG1(DBG_CFG, "listening on notify socket failed: %s", strerror(errno));
+ close(this->socket);
+ unlink(addr.sun_path);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(error_notify_socket_t, has_listeners, bool,
+ private_error_notify_socket_t *this)
+{
+ int count;
+
+ this->mutex->lock(this->mutex);
+ count = this->connected->get_count(this->connected);
+ this->mutex->unlock(this->mutex);
+
+ return count != 0;
+}
+
+METHOD(error_notify_socket_t, notify, void,
+ private_error_notify_socket_t *this, error_notify_msg_t *msg)
+{
+ enumerator_t *enumerator;
+ uintptr_t fd;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->connected->create_enumerator(this->connected);
+ while (enumerator->enumerate(enumerator, (void*)&fd))
+ {
+ while (send(fd, msg, sizeof(*msg), 0) <= 0)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ continue;
+ case ECONNRESET:
+ case EPIPE:
+ /* disconnect, remove this listener */
+ this->connected->remove_at(this->connected, enumerator);
+ close(fd);
+ break;
+ default:
+ DBG1(DBG_CFG, "sending notify failed: %s", strerror(errno));
+ break;
+ }
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Accept client connections, dispatch
+ */
+static job_requeue_t accept_(private_error_notify_socket_t *this)
+{
+ struct sockaddr_un addr;
+ int fd, len;
+ bool oldstate;
+
+ len = sizeof(addr);
+ oldstate = thread_cancelability(TRUE);
+ fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+ thread_cancelability(oldstate);
+
+ if (fd != -1)
+ {
+ this->mutex->lock(this->mutex);
+ this->connected->insert_last(this->connected, (void*)(uintptr_t)fd);
+ this->mutex->unlock(this->mutex);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "accepting notify connection failed: %s",
+ strerror(errno));
+ }
+ return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(error_notify_socket_t, destroy, void,
+ private_error_notify_socket_t *this)
+{
+ this->connected->destroy(this->connected);
+ this->mutex->destroy(this->mutex);
+ close(this->socket);
+ free(this);
+}
+
+/**
+ * See header
+ */
+error_notify_socket_t *error_notify_socket_create()
+{
+ private_error_notify_socket_t *this;
+
+ INIT(this,
+ .public = {
+ .notify = _notify,
+ .has_listeners = _has_listeners,
+ .destroy = _destroy,
+ },
+ .connected = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
+
+ if (!open_socket(this))
+ {
+ free(this);
+ return NULL;
+ }
+
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio((callback_job_cb_t)accept_, this,
+ NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+ return &this->public;
+}
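Review bot: The `send()` in `notify` is a blocking call made while `this->mutex` is held, so a connected client that stops reading can stall the thread raising the alert once the socket buffer fills, along with every other alert waiting on the mutex. Passing `MSG_DONTWAIT`, as in `while (send(fd, msg, sizeof(*msg), MSG_DONTWAIT) <= 0)`, and handling `EAGAIN` in the same arm as `ECONNRESET`/`EPIPE` (or skipping that message) keeps a slow listener from holding up the daemon. In `open_socket`, `umask(old)` is skipped when `bind()` fails, which leaves the process with the restrictive mask; restoring it right after the `bind()` call covers both paths. `destroy` also frees the `connected` list without closing the descriptors stored in it and leaves the socket file in place, and `error_notify_socket_create` frees only `this` on failure, not the list and mutex it has just created.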
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.h b/src/libcharon/plugins/error_notify/error_notify_socket.h
new file mode 100644
index 000000000..cb35b5584
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_socket error_notify_socket
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_SOCKET_H_
+#define ERROR_NOTIFY_SOCKET_H_
+
+typedef struct error_notify_socket_t error_notify_socket_t;
+
+#include "error_notify_listener.h"
+#include "error_notify_msg.h"
+
+/**
+ * Error notification socket.
+ */
+struct error_notify_socket_t {
+
+ /**
+ * Send an error notification message to all registered listeners.
+ *
+ * @param msg msg to send
+ */
+ void (*notify)(error_notify_socket_t *this, error_notify_msg_t *msg);
+
+ /**
+ * Check if we have active listeners on the socket.
+ *
+ * @return TRUE if listeners active
+ */
+ bool (*has_listeners)(error_notify_socket_t *this);
+
+ /**
+ * Destroy a error_notify_socket_t.
+ */
+ void (*destroy)(error_notify_socket_t *this);
+};
+
+/**
+ * Create a error_notify_socket instance.
+ */
+error_notify_socket_t *error_notify_socket_create();
+
+#endif /** ERROR_NOTIFY_SOCKET_H_ @}*/
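Review bot: The comment on `error_notify_socket_create` omits that the function returns NULL when the UNIX socket cannot be opened, which the implementation in error_notify_socket.c does. Callers need that to know they must check the result, so add `@return socket instance, NULL if opening the socket failed`. The include of `error_notify_listener.h` also looks unneeded here, as nothing in this header uses a listener type and that header includes this one back. If it is only there to pull in basic types such as `bool`, including the header that defines them directly would be clearer.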
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index c26bd7856..2e5cf9f64 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_farp_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES)
+libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) $(EXTRA_libstrongswan_farp_la_DEPENDENCIES)
$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
index d1df4cc27..81d5d2405 100644
--- a/src/libcharon/plugins/farp/farp_listener.c
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -15,7 +15,7 @@
#include "farp_listener.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_farp_listener_t private_farp_listener_t;
diff --git a/src/libcharon/plugins/farp/farp_listener.h b/src/libcharon/plugins/farp/farp_listener.h
index 3155f60e2..c7dc56a10 100644
--- a/src/libcharon/plugins/farp/farp_listener.h
+++ b/src/libcharon/plugins/farp/farp_listener.h
@@ -21,7 +21,7 @@
#ifndef FARP_LISTENER_H_
#define FARP_LISTENER_H_
-#include <utils/host.h>
+#include <networking/host.h>
#include <bus/listeners/listener.h>
typedef struct farp_listener_t farp_listener_t;
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 0ac139ca0..aa533165f 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_ha_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -384,7 +393,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES)
+libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) $(EXTRA_libstrongswan_ha_la_DEPENDENCIES)
$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -532,10 +541,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index ae6296462..981def6a3 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -15,7 +15,7 @@
#include "ha_attribute.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
typedef struct private_ha_attribute_t private_ha_attribute_t;
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index e21b461a7..ce1afe6f9 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -15,8 +15,8 @@
#include "ha_cache.h"
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h
index 39f1947a8..5e3936a20 100644
--- a/src/libcharon/plugins/ha/ha_cache.h
+++ b/src/libcharon/plugins/ha/ha_cache.h
@@ -27,7 +27,7 @@ typedef struct ha_cache_t ha_cache_t;
#include "ha_kernel.h"
#include "ha_socket.h"
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <sa/ike_sa.h>
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 8cd30f711..2ccb1fc55 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -22,7 +22,7 @@
#define HA_MESSAGE_H_
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
#include <sa/ike_sa_id.h>
#include <selectors/traffic_selector.h>
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index fb07809ef..688e09bdc 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -17,7 +17,7 @@
#include <threading/mutex.h>
#include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/thread.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index 5196a5dc7..e41e78bbf 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -22,7 +22,7 @@
#include <unistd.h>
#include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <threading/thread.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 541dd9313..130c86e48 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -203,11 +203,11 @@ static void setup_tunnel(private_ha_tunnel_t *this,
lib->credmgr->add_set(lib->credmgr, &this->creds.public);
/* create config and backend */
- ike_cfg = ike_cfg_create(FALSE, FALSE, local, FALSE,
+ ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, FALSE,
charon->socket->get_port(charon->socket, FALSE),
- remote, FALSE, IKEV2_UDP_PORT);
+ remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create("ha", IKEV2, ike_cfg, CERT_NEVER_SEND,
+ peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
0, FALSE, NULL, NULL);
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index a78ca9701..63ce51f11 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_led_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES)
+libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) $(EXTRA_libstrongswan_led_la_DEPENDENCIES)
$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
index cdd0445a9..0a5cada43 100644
--- a/src/libcharon/plugins/load_tester/Makefile.am
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -2,7 +2,8 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-load-tester.la
@@ -16,6 +17,10 @@ libstrongswan_load_tester_la_SOURCES = \
load_tester_creds.c load_tester_creds.h \
load_tester_ipsec.c load_tester_ipsec.h \
load_tester_listener.c load_tester_listener.h \
+ load_tester_control.c load_tester_control.h \
load_tester_diffie_hellman.c load_tester_diffie_hellman.h
libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = load-tester
+load_tester_SOURCES = load_tester.c
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index cb11cff28..e238f443c 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -15,6 +15,7 @@
@SET_MAKE@
+
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
@@ -34,6 +35,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
+ipsec_PROGRAMS = load-tester$(EXEEXT)
subdir = src/libcharon/plugins/load_tester
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -73,13 +75,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_load_tester_la_LIBADD =
am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
load_tester_config.lo load_tester_creds.lo \
load_tester_ipsec.lo load_tester_listener.lo \
- load_tester_diffie_hellman.lo
+ load_tester_control.lo load_tester_diffie_hellman.lo
libstrongswan_load_tester_la_OBJECTS = \
$(am_libstrongswan_load_tester_la_OBJECTS)
libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -89,6 +97,10 @@ libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
@MONOLITHIC_FALSE@am_libstrongswan_load_tester_la_rpath = -rpath \
@MONOLITHIC_FALSE@ $(plugindir)
@MONOLITHIC_TRUE@am_libstrongswan_load_tester_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_load_tester_OBJECTS = load_tester.$(OBJEXT)
+load_tester_OBJECTS = $(am_load_tester_OBJECTS)
+load_tester_LDADD = $(LDADD)
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -102,8 +114,10 @@ CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_load_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
+ $(load_tester_SOURCES)
+DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
+ $(load_tester_SOURCES)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -126,6 +140,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +168,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +196,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +209,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +263,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -295,7 +312,9 @@ xml_LIBS = @xml_LIBS@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-load-tester.la
@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-load-tester.la
libstrongswan_load_tester_la_SOURCES = \
@@ -304,9 +323,11 @@ libstrongswan_load_tester_la_SOURCES = \
load_tester_creds.c load_tester_creds.h \
load_tester_ipsec.c load_tester_ipsec.h \
load_tester_listener.c load_tester_listener.h \
+ load_tester_control.c load_tester_control.h \
load_tester_diffie_hellman.c load_tester_diffie_hellman.h
libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+load_tester_SOURCES = load_tester.c
all: all-am
.SUFFIXES:
@@ -381,8 +402,54 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES)
+libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_load_tester_la_DEPENDENCIES)
$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+load-tester$(EXEEXT): $(load_tester_OBJECTS) $(load_tester_DEPENDENCIES) $(EXTRA_load_tester_DEPENDENCIES)
+ @rm -f load-tester$(EXEEXT)
+ $(LINK) $(load_tester_OBJECTS) $(load_tester_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -390,7 +457,9 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_control.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_diffie_hellman.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
@@ -508,9 +577,9 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-am
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
installdirs:
- for dir in "$(DESTDIR)$(plugindir)"; do \
+ for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -523,10 +592,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
@@ -540,8 +614,8 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
- clean-pluginLTLIBRARIES mostlyclean-am
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
@@ -561,7 +635,7 @@ info: info-am
info-am:
-install-data-am: install-pluginLTLIBRARIES
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
install-dvi: install-dvi-am
@@ -607,23 +681,24 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-pluginLTLIBRARIES
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
.MAKE: install-am install-strip
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
- clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
- ctags distclean distclean-compile distclean-generic \
- distclean-libtool distclean-tags distdir dvi dvi-am html \
- html-am info info-am install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-man install-pdf install-pdf-am \
- install-pluginLTLIBRARIES install-ps install-ps-am \
- install-strip installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
- pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-ipsecPROGRAMS install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
uninstall-pluginLTLIBRARIES
diff --git a/src/libcharon/plugins/load_tester/load_tester.c b/src/libcharon/plugins/load_tester/load_tester.c
new file mode 100644
index 000000000..f7361e606
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_control.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+/**
+ * Connect to the daemon, return stream
+ */
+static FILE* make_connection()
+{
+ struct sockaddr_un addr;
+ FILE *stream;
+ int fd;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
+
+ fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (fd < 0)
+ {
+ fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+ return NULL;
+ }
+ if (connect(fd, (struct sockaddr *)&addr,
+ offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+ {
+ fprintf(stderr, "connecting to %s failed: %s\n",
+ LOAD_TESTER_SOCKET, strerror(errno));
+ close(fd);
+ return NULL;
+ }
+ stream = fdopen(fd, "r+");
+ if (!stream)
+ {
+ close(fd);
+ return NULL;
+ }
+ return stream;
+}
+
+/**
+ * Initiate load-tests
+ */
+static int initiate(unsigned int count, unsigned int delay)
+{
+ FILE *stream;
+ char c;
+
+ stream = make_connection();
+ if (!stream)
+ {
+ return 1;
+ }
+
+ fprintf(stream, "%u %u\n", count, delay);
+
+ while (1)
+ {
+ fflush(stream);
+ c = fgetc(stream);
+ if (c == EOF)
+ {
+ break;
+ }
+ if (fputc(c, stdout) == EOF)
+ {
+ break;
+ }
+ fflush(stdout);
+ }
+ fclose(stream);
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ if (argc >= 3 && strcmp(argv[1], "initiate") == 0)
+ {
+ return initiate(atoi(argv[2]), argc > 3 ? atoi(argv[3]) : 0);
+ }
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s initiate <count> [<delay in ms>]\n", argv[0]);
+ return 1;
+}
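Review bot: In make_connection(), `strcpy(addr.sun_path, LOAD_TESTER_SOCKET)` copies into the fixed-size `sun_path` with no length check. LOAD_TESTER_SOCKET is defined in load_tester_control.h, which is not shown here; if it is built from the configurable IPSEC_PIDDIR that Makefile.am now passes in, a long install prefix would overrun the stack buffer. In initiate(), `char c` holds the result of `fgetc()`, so the `c == EOF` test is unreliable: where `char` is unsigned the loop never terminates, and where it is signed a 0xFF byte from the daemon ends the output early. In main(), the `atoi()` results go unchecked into `unsigned int` parameters, so a negative or non-numeric count reaches the daemon as a huge or zero value; `strtoul()` with an end-pointer check would reject those. The file also uses strcpy/strlen/strcmp/strerror without including `<string.h>` itself.

```c
static FILE* make_connection()
{
	/* … unchanged: addr, stream, fd declarations … */

	if (strlen(LOAD_TESTER_SOCKET) >= sizeof(addr.sun_path))
	{
		fprintf(stderr, "socket path too long: %s\n", LOAD_TESTER_SOCKET);
		return NULL;
	}
	/* … unchanged: sun_family/sun_path assignment, socket(), connect(), fdopen() … */

static int initiate(unsigned int count, unsigned int delay)
{
	FILE *stream;
	int c;	/* fgetc() returns int so EOF stays distinguishable from data bytes */
	/* … unchanged: make_connection(), request line, copy loop … */
```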
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 735f17985..c6288c5d9 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -16,6 +16,10 @@
#include "load_tester_config.h"
#include <daemon.h>
+#include <hydra.h>
+#include <attributes/mem_pool.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
typedef struct private_load_tester_config_t private_load_tester_config_t;
@@ -40,14 +44,14 @@ struct private_load_tester_config_t {
host_t *vip;
/**
- * Remote address
+ * Initiator address
*/
- char *remote;
+ char *initiator;
/**
- * Local address
+ * Responder address
*/
- char *local;
+ char *responder;
/**
* IP address pool
@@ -75,11 +79,36 @@ struct private_load_tester_config_t {
char *initiator_id;
/**
+ * Initiator ID to to match against as responder
+ */
+ char *initiator_match;
+
+ /**
* Responder ID to enforce
*/
char *responder_id;
/**
+ * Traffic Selector on initiator side, as proposed from initiator
+ */
+ char *initiator_tsi;
+
+ /**
+ * Traffic Selector on responder side, as proposed from initiator
+ */
+ char *initiator_tsr;
+
+ /**
+ * Traffic Selector on initiator side, as narrowed by responder
+ */
+ char *responder_tsi;
+
+ /**
+ * Traffic Selector on responder side, as narrowed by responder
+ */
+ char *responder_tsr;
+
+ /**
* IKE_SA rekeying delay
*/
u_int ike_rekey;
@@ -108,9 +137,104 @@ struct private_load_tester_config_t {
* Dynamic source port, if used
*/
u_int16_t port;
+
+ /**
+ * IKE version to use for load testing
+ */
+ ike_version_t version;
+
+ /**
+ * List of pools to allocate external addresses dynamically, as mem_pool_t
+ */
+ linked_list_t *pools;
+
+ /**
+ * Address prefix to use when installing dynamic addresses
+ */
+ int prefix;
+
+ /**
+ * Hashtable with leases in "pools", host_t => entry_t
+ */
+ hashtable_t *leases;
+
+ /**
+ * Mutex for leases hashtable
+ */
+ mutex_t *mutex;
};
/**
+ * Lease entry
+ */
+typedef struct {
+ /** host reference, equal to key */
+ host_t *host;
+ /** associated identity */
+ identification_t *id;
+} entry_t;
+
+/**
+ * Destroy an entry_t
+ */
+static void entry_destroy(entry_t *this)
+{
+ this->host->destroy(this->host);
+ this->id->destroy(this->id);
+ free(this);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+ return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+ return a->ip_equals(a, b);
+}
+
+/**
+ * Load external addresses to use, if any
+ */
+static void load_addrs(private_load_tester_config_t *this)
+{
+ enumerator_t *enumerator;
+ host_t *net;
+ int bits;
+ char *iface, *cidr;
+ mem_pool_t *pool;
+
+
+ this->prefix = lib->settings->get_int(lib->settings,
+ "%s.plugins.load-tester.addrs_prefix", 16, charon->name);
+ enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+ "%s.plugins.load-tester.addrs", charon->name);
+ while (enumerator->enumerate(enumerator, &iface, &cidr))
+ {
+ net = host_create_from_subnet(cidr, &bits);
+ if (net)
+ {
+ DBG1(DBG_CFG, "loaded load-tester addresses %s", cidr);
+ pool = mem_pool_create(iface, net, bits);
+ net->destroy(net);
+ this->pools->insert_last(this->pools, pool);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "parsing load-tester addresses %s failed", cidr);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
* Generate auth config from string
*/
static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
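Review bot: `addrs_prefix` is read with `get_int` in load_addrs and stored in `this->prefix` without a range check, and allocate_addr later hands it straight to `add_ip`. allocate_addr only requests `AF_INET` addresses, so a value outside 0–32 is meaningless; I would reject it here, e.g. `if (this->prefix < 0 || this->prefix > 32) { DBG1(DBG_CFG, "invalid load-tester addrs_prefix %d, using 16", this->prefix); this->prefix = 16; }`. load_addrs also accepts any subnet that `host_create_from_subnet` can parse, presumably including IPv6 ones that allocate_addr could never serve; a family check on `net` would make that visible at load time.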
@@ -133,8 +257,14 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
if (this->initiator_id)
{
- if ((local && num) || (!local && !num))
- {
+ if (this->initiator_match && (!local && !num))
+ { /* as responder, use the secified identity that matches
+ * all used initiator identities, if given. */
+ snprintf(buf, sizeof(buf), this->initiator_match, rnd);
+ id = identification_create_from_string(buf);
+ }
+ else if ((local && num) || (!local && !num))
+ { /* as initiator, create peer specific identities */
snprintf(buf, sizeof(buf), this->initiator_id, num, rnd);
id = identification_create_from_string(buf);
}
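Review bot: `this->initiator_match` is a settings string that is passed to snprintf() as the format itself, with exactly one argument (`rnd`), while the neighbouring `initiator_id` format receives two (`num, rnd`). A value written in the initiator_id style with two conversions, or one containing `%s` or `%n`, makes snprintf consume arguments that were never passed. I would state the contract at the call, e.g. `/* initiator_match is a printf format taking exactly one integer (rnd) */`, and preferably reject the setting at load time when it does not contain exactly one integer conversion. generate_auth_cfg starts and ends outside this hunk.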
@@ -231,6 +361,88 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
}
/**
+ * Add a TS from a string to a child_cfg
+ */
+static void add_ts(char *string, child_cfg_t *cfg, bool local)
+{
+ traffic_selector_t *ts;
+
+ if (string)
+ {
+ ts = traffic_selector_create_from_cidr(string, 0, 0);
+ if (!ts)
+ {
+ DBG1(DBG_CFG, "parsing TS string '%s' failed", string);
+ }
+ }
+ else
+ {
+ ts = traffic_selector_create_dynamic(0, 0, 65535);
+ }
+ if (ts)
+ {
+ cfg->add_traffic_selector(cfg, local, ts);
+ }
+}
+
+/**
+ * Allocate and install a dynamic external address to use
+ */
+static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
+{
+ enumerator_t *enumerator;
+ mem_pool_t *pool;
+ host_t *found = NULL, *requested;
+ identification_t *id;
+ char *iface = NULL, buf[32];
+ entry_t *entry;
+
+ requested = host_create_any(AF_INET);
+ snprintf(buf, sizeof(buf), "ext-%d", num);
+ id = identification_create_from_string(buf);
+ enumerator = this->pools->create_enumerator(this->pools);
+ while (enumerator->enumerate(enumerator, &pool))
+ {
+ found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW);
+ if (found)
+ {
+ iface = (char*)pool->get_name(pool);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ requested->destroy(requested);
+
+ if (!found)
+ {
+ DBG1(DBG_CFG, "no address found to install as load-tester external IP");
+ id->destroy(id);
+ return NULL;
+ }
+ if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
+ found, this->prefix, iface) != SUCCESS)
+ {
+ DBG1(DBG_CFG, "installing load-tester IP %H on %s failed", found, iface);
+ found->destroy(found);
+ id->destroy(id);
+ return NULL;
+ }
+ DBG1(DBG_CFG, "installed load-tester IP %H on %s", found, iface);
+ INIT(entry,
+ .host = found->clone(found),
+ .id = id,
+ );
+ this->mutex->lock(this->mutex);
+ entry = this->leases->put(this->leases, entry->host, entry);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ { /* shouldn't actually happen */
+ entry_destroy(entry);
+ }
+ return found;
+}
+
+/**
* Generate a new initiator config, num = 0 for responder config
*/
static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
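Review bot: In allocate_addr the failure branch after `add_ip` destroys `found` and `id` but never returns the address to the pool it was acquired from, so each failed install appears to leave a lease behind and the pool shrinks with every error. After the loop's `break`, `pool` still holds the pool that satisfied the request, so `pool->release_address(pool, found, id);` can go first in that branch, mirroring what delete_ip does. Separately, `"ext-%d"` formats the unsigned `num` with a signed conversion; `%u` matches the type.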
@@ -238,8 +450,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
ike_cfg_t *ike_cfg;
child_cfg_t *child_cfg;
peer_cfg_t *peer_cfg;
- traffic_selector_t *ts;
proposal_t *proposal;
+ char local[32], *remote;
+ host_t *addr;
lifetime_cfg_t lifetime = {
.time = {
.life = this->child_rekey * 2,
@@ -248,20 +461,48 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
}
};
+ if (num)
+ { /* initiator */
+ if (this->pools->get_count(this->pools))
+ { /* using dynamically installed external addresses */
+ addr = allocate_addr(this, num);
+ if (!addr)
+ {
+ DBG1(DBG_CFG, "allocating external address failed");
+ return NULL;
+ }
+ snprintf(local, sizeof(local), "%H", addr);
+ addr->destroy(addr);
+ }
+ else
+ {
+ snprintf(local, sizeof(local), "%s", this->initiator);
+ }
+ remote = this->responder;
+ }
+ else
+ {
+ snprintf(local, sizeof(local), "%s", this->responder);
+ remote = this->initiator;
+ }
+
if (this->port && num)
{
- ike_cfg = ike_cfg_create(FALSE, FALSE,
- this->local, FALSE, this->port + num - 1,
- this->remote, FALSE, IKEV2_NATT_PORT);
+ ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
+ local, FALSE, this->port + num - 1,
+ remote, FALSE, IKEV2_NATT_PORT,
+ FRAGMENTATION_NO);
}
else
{
- ike_cfg = ike_cfg_create(FALSE, FALSE,
- this->local, FALSE, charon->socket->get_port(charon->socket, FALSE),
- this->remote, FALSE, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
+ local, FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ remote, FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO);
}
ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
- peer_cfg = peer_cfg_create("load-test", IKEV2, ike_cfg,
+ peer_cfg = peer_cfg_create("load-test", ike_cfg,
CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
this->ike_rekey, 0, /* rekey, reauth */
0, this->ike_rekey, /* jitter, overtime */
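Review bot: `char local[32]` is too small for what `initiator` and `responder` may hold. Both are free-form settings strings that used to be passed to ike_cfg_create() untouched, and the new `snprintf(local, sizeof(local), "%s", ...)` silently cuts anything longer than 31 characters, such as a long host name (if names are accepted there) or a full IPv6 literal. A truncated value can still be a valid host string, so the config would address a different peer without any log line. Only the pool case needs a buffer; I would keep a `char *local` pointing at `this->initiator` / `this->responder` and format `%H` into a separate buffer when an address was allocated. generate_config begins and ends outside this hunk.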
@@ -293,10 +534,24 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
0, 0, NULL, NULL, 0);
proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
child_cfg->add_proposal(child_cfg, proposal);
- ts = traffic_selector_create_dynamic(0, 0, 65535);
- child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
- ts = traffic_selector_create_dynamic(0, 0, 65535);
- child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+
+ if (num)
+ { /* initiator */
+ if (this->vip)
+ {
+ add_ts(NULL, child_cfg, TRUE);
+ }
+ else
+ {
+ add_ts(this->initiator_tsi, child_cfg, TRUE);
+ }
+ add_ts(this->initiator_tsr, child_cfg, FALSE);
+ }
+ else
+ { /* responder */
+ add_ts(this->responder_tsr, child_cfg, TRUE);
+ add_ts(this->responder_tsi, child_cfg, FALSE);
+ }
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
return peer_cfg;
}
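Review bot: When one of the `*_tsi` / `*_tsr` settings is present but does not parse, add_ts() only logs and adds nothing, so the child config reaches `add_child_cfg` without a traffic selector on that side; before this change a dynamic selector was always installed. Falling back keeps the old behaviour and makes the misconfiguration harmless: in add_ts, after the log line in the `if (!ts)` branch, `ts = traffic_selector_create_dynamic(0, 0, 65535);`. What an empty selector list negotiates is not visible on this page, so that part needs confirming against child_cfg.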
@@ -327,9 +582,40 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
return NULL;
}
+METHOD(load_tester_config_t, delete_ip, void,
+ private_load_tester_config_t *this, host_t *ip)
+{
+ enumerator_t *enumerator;
+ mem_pool_t *pool;
+ entry_t *entry;
+
+ this->mutex->lock(this->mutex);
+ entry = this->leases->remove(this->leases, ip);
+ this->mutex->unlock(this->mutex);
+
+ if (entry)
+ {
+ enumerator = this->pools->create_enumerator(this->pools);
+ while (enumerator->enumerate(enumerator, &pool))
+ {
+ if (pool->release_address(pool, entry->host, entry->id))
+ {
+ hydra->kernel_interface->del_ip(hydra->kernel_interface,
+ entry->host, this->prefix, FALSE);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ entry_destroy(entry);
+ }
+}
+
METHOD(load_tester_config_t, destroy, void,
private_load_tester_config_t *this)
{
+ this->mutex->destroy(this->mutex);
+ this->leases->destroy(this->leases);
+ this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
this->peer_cfg->destroy(this->peer_cfg);
DESTROY_IF(this->proposal);
DESTROY_IF(this->vip);
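Review bot: `destroy` tears down the `leases` table without walking it, so any entry_t still stored there (with its cloned host and identity) looks leaked, and the addresses allocate_addr installed stay configured on the interface after the plugin is gone. Whether the hashtable frees its values is not shown here, hence "looks"; the installed addresses are left behind either way. I would drain the table before destroying it, as sketched below. In delete_ip the result of `del_ip` is discarded; a DBG1 on failure would explain stale addresses after a test run. The rest of `destroy` continues outside the hunk.

```c
METHOD(load_tester_config_t, destroy, void,
	private_load_tester_config_t *this)
{
	enumerator_t *enumerator;
	host_t *key;
	entry_t *entry;

	/* remove addresses that are still installed and free their entries */
	enumerator = this->leases->create_enumerator(this->leases);
	while (enumerator->enumerate(enumerator, &key, &entry))
	{
		hydra->kernel_interface->del_ip(hydra->kernel_interface,
										entry->host, this->prefix, FALSE);
		entry_destroy(entry);
	}
	enumerator->destroy(enumerator);
	this->mutex->destroy(this->mutex);
	this->leases->destroy(this->leases);
	/* … unchanged: pools, peer_cfg, proposal and vip teardown … */
```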
@@ -350,8 +636,13 @@ load_tester_config_t *load_tester_config_create()
.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
.get_peer_cfg_by_name = _get_peer_cfg_by_name,
},
+ .delete_ip = _delete_ip,
.destroy = _destroy,
},
+ .pools = linked_list_create(),
+ .leases = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 256),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.num = 1,
);
@@ -362,10 +653,10 @@ load_tester_config_t *load_tester_config_create()
}
this->pool = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.pool", NULL, charon->name);
- this->remote = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.remote", "127.0.0.1", charon->name);
- this->local = lib->settings->get_str(lib->settings,
- "%s.plugins.load-tester.local", "0.0.0.0", charon->name);
+ this->initiator = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.initiator", "0.0.0.0", charon->name);
+ this->responder = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.responder", "127.0.0.1", charon->name);
this->proposal = proposal_create_from_string(PROTO_IKE,
lib->settings->get_str(lib->settings,
@@ -391,14 +682,30 @@ load_tester_config_t *load_tester_config_create()
"%s.plugins.load-tester.responder_auth", "pubkey", charon->name);
this->initiator_id = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.initiator_id", NULL, charon->name);
+ this->initiator_match = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.initiator_match", NULL, charon->name);
this->responder_id = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.responder_id", NULL, charon->name);
+ this->initiator_tsi = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.initiator_tsi", NULL, charon->name);
+ this->responder_tsi =lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.responder_tsi",
+ this->initiator_tsi, charon->name);
+ this->initiator_tsr = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.initiator_tsr", NULL, charon->name);
+ this->responder_tsr =lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.responder_tsr",
+ this->initiator_tsr, charon->name);
+
this->port = lib->settings->get_int(lib->settings,
"%s.plugins.load-tester.dynamic_port", 0, charon->name);
+ this->version = lib->settings->get_int(lib->settings,
+ "%s.plugins.load-tester.version", IKE_ANY, charon->name);
+
+ load_addrs(this);
this->peer_cfg = generate_config(this, 0);
return &this->public;
}
-
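Review bot: `version` is taken from `get_int` and stored into an `ike_version_t` without being checked against the enum, then passed to ike_cfg_create() in generate_config. How an out-of-range value is treated downstream is not visible here, so I would normalise it where it is read, e.g. `if (this->version != IKEV1 && this->version != IKEV2) { this->version = IKE_ANY; }`, with a DBG1 line when the configured value was rejected. load_tester_config_create starts outside this hunk.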
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.h b/src/libcharon/plugins/load_tester/load_tester_config.h
index c22387743..cfa4b1edc 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.h
+++ b/src/libcharon/plugins/load_tester/load_tester_config.h
@@ -36,6 +36,13 @@ struct load_tester_config_t {
backend_t backend;
/**
+ * Delete external IP if it was dynamically installed.
+ *
+ * @param ip external IP
+ */
+ void (*delete_ip)(load_tester_config_t *this, host_t *ip);
+
+ /**
* Destroy the backend.
*/
void (*destroy)(load_tester_config_t *this);
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
new file mode 100644
index 000000000..0c21c23ca
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -0,0 +1,383 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_control.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_load_tester_control_t private_load_tester_control_t;
+typedef struct init_listener_t init_listener_t;
+
+/**
+ * Private data of an load_tester_control_t object.
+ */
+struct private_load_tester_control_t {
+
+ /**
+ * Public load_tester_control_t interface.
+ */
+ load_tester_control_t public;
+
+ /**
+ * Load tester unix socket file descriptor
+ */
+ int socket;
+};
+
+/**
+ * Listener to follow initiation progress
+ */
+struct init_listener_t {
+
+ /**
+ * implements listener_t
+ */
+ listener_t listener;
+
+ /**
+ * Output stream to log to
+ */
+ FILE *stream;
+
+ /**
+ * IKE_SAs we have started to initiate
+ */
+ hashtable_t *initiated;
+
+ /**
+ * IKE_SAs we have completed to initate (success or failure)
+ */
+ hashtable_t *completed;
+
+ /**
+ * Mutex to lock IKE_SA tables
+ */
+ mutex_t *mutex;
+
+ /**
+ * Condvar to wait for completion
+ */
+ condvar_t *condvar;
+};
+
+/**
+ * Open load-tester listening socket
+ */
+static bool open_socket(private_load_tester_control_t *this)
+{
+ struct sockaddr_un addr;
+ mode_t old;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
+
+ this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "creating load-tester socket failed");
+ return FALSE;
+ }
+ unlink(addr.sun_path);
+ old = umask(~(S_IRWXU | S_IRWXG));
+ if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+ {
+ DBG1(DBG_CFG, "binding load-tester socket failed: %s", strerror(errno));
+ close(this->socket);
+ return FALSE;
+ }
+ umask(old);
+ if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
+ charon->caps->get_gid(charon->caps)) != 0)
+ {
+ DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
+ strerror(errno));
+ }
+ if (listen(this->socket, 10) < 0)
+ {
+ DBG1(DBG_CFG, "listening on load-tester socket failed: %s", strerror(errno));
+ close(this->socket);
+ unlink(addr.sun_path);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(uintptr_t id)
+{
+ return id;
+}
+
+/**
+ * Hashtable hash function
+ */
+static bool equals(uintptr_t a, uintptr_t b)
+{
+ return a == b;
+}
+
+METHOD(listener_t, alert, bool,
+ init_listener_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+ if (alert == ALERT_RETRANSMIT_SEND)
+ {
+ uintptr_t id;
+ bool match = FALSE;
+
+ id = ike_sa->get_unique_id(ike_sa);
+ this->mutex->lock(this->mutex);
+ if (this->initiated->get(this->initiated, (void*)id))
+ {
+ match = TRUE;
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (match)
+ {
+ fprintf(this->stream, "*");
+ fflush(this->stream);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_state_change, bool,
+ init_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+ if (state == IKE_ESTABLISHED || state == IKE_DESTROYING)
+ {
+ uintptr_t id;
+ bool match = FALSE;
+
+ id = ike_sa->get_unique_id(ike_sa);
+ this->mutex->lock(this->mutex);
+ if (this->initiated->get(this->initiated, (void*)id))
+ {
+ match = !this->completed->put(this->completed, (void*)id, (void*)id);
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (match)
+ {
+ this->condvar->signal(this->condvar);
+ fprintf(this->stream, state == IKE_ESTABLISHED ? "+" : "-");
+ fflush(this->stream);
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Logging callback function used during initiate
+ */
+static bool initiate_cb(init_listener_t *this, debug_t group, level_t level,
+ ike_sa_t *ike_sa, const char *message)
+{
+ uintptr_t id;
+
+ if (ike_sa)
+ {
+ id = ike_sa->get_unique_id(ike_sa);
+ this->mutex->lock(this->mutex);
+ this->initiated->put(this->initiated, (void*)id, (void*)id);
+ this->mutex->unlock(this->mutex);
+
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/**
+ * Initiate load-test, write progress to stream
+ */
+static job_requeue_t initiate(FILE *stream)
+{
+ init_listener_t *listener;
+ enumerator_t *enumerator;
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg;
+ u_int i, count, failed = 0, delay = 0;
+ char buf[16] = "";
+
+ fflush(stream);
+ if (fgets(buf, sizeof(buf), stream) == NULL)
+ {
+ return JOB_REQUEUE_NONE;
+ }
+ if (sscanf(buf, "%u %u", &count, &delay) < 1)
+ {
+ return JOB_REQUEUE_NONE;
+ }
+
+ INIT(listener,
+ .listener = {
+ .ike_state_change = _ike_state_change,
+ .alert = _alert,
+ },
+ .stream = stream,
+ .initiated = hashtable_create((void*)hash, (void*)equals, count),
+ .completed = hashtable_create((void*)hash, (void*)equals, count),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+ );
+
+ charon->bus->add_listener(charon->bus, &listener->listener);
+
+ for (i = 0; i < count; i++)
+ {
+ peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+ "load-test");
+ if (!peer_cfg)
+ {
+ failed++;
+ fprintf(stream, "!");
+ continue;
+ }
+ enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+ if (!enumerator->enumerate(enumerator, &child_cfg))
+ {
+ enumerator->destroy(enumerator);
+ peer_cfg->destroy(peer_cfg);
+ failed++;
+ fprintf(stream, "!");
+ continue;
+ }
+ enumerator->destroy(enumerator);
+
+ switch (charon->controller->initiate(charon->controller,
+ peer_cfg, child_cfg->get_ref(child_cfg),
+ (void*)initiate_cb, listener, 0))
+ {
+ case NEED_MORE:
+ /* Callback returns FALSE once it got track of this IKE_SA.
+ * FALL */
+ case SUCCESS:
+ fprintf(stream, ".");
+ break;
+ default:
+ fprintf(stream, "!");
+ break;
+ }
+ if (delay)
+ {
+ usleep(delay * 1000);
+ }
+ fflush(stream);
+ }
+
+ listener->mutex->lock(listener->mutex);
+ while (listener->completed->get_count(listener->completed) < count - failed)
+ {
+ listener->condvar->wait(listener->condvar, listener->mutex);
+ }
+ listener->mutex->unlock(listener->mutex);
+
+ charon->bus->remove_listener(charon->bus, &listener->listener);
+
+ listener->initiated->destroy(listener->initiated);
+ listener->completed->destroy(listener->completed);
+ listener->mutex->destroy(listener->mutex);
+ listener->condvar->destroy(listener->condvar);
+ free(listener);
+
+ fprintf(stream, "\n");
+
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Accept load-tester control connections, dispatch
+ */
+static job_requeue_t receive(private_load_tester_control_t *this)
+{
+ struct sockaddr_un addr;
+ int fd, len = sizeof(addr);
+ bool oldstate;
+ FILE *stream;
+
+ oldstate = thread_cancelability(TRUE);
+ fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+ thread_cancelability(oldstate);
+
+ if (fd != -1)
+ {
+ stream = fdopen(fd, "r+");
+ if (stream)
+ {
+ DBG1(DBG_CFG, "client connected");
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio(
+ (callback_job_cb_t)initiate, stream, (void*)fclose,
+ (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ }
+ else
+ {
+ close(fd);
+ }
+ }
+ return JOB_REQUEUE_FAIR;
+}
+
+METHOD(load_tester_control_t, destroy, void,
+ private_load_tester_control_t *this)
+{
+ if (this->socket != -1)
+ {
+ close(this->socket);
+ }
+ free(this);
+}
+
+/**
+ * See header
+ */
+load_tester_control_t *load_tester_control_create()
+{
+ private_load_tester_control_t *this;
+
+ INIT(this,
+ .public = {
+ .destroy = _destroy,
+ },
+ );
+
+ if (open_socket(this))
+ {
+ lib->processor->queue_job(lib->processor, (job_t*)
+ callback_job_create_with_prio((callback_job_cb_t)receive, this, NULL,
+ (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ }
+ else
+ {
+ this->socket = -1;
+ }
+
+ return &this->public;
+}
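Review bot: In `initiate`, `count` and `delay` are parsed from whatever the socket client sends and then used unchecked: `count` sizes both hashtables and bounds the initiation loop, and `delay * 1000` is computed in `u_int` before `usleep`, all inside a job queued at `JOB_PRIO_CRITICAL`. A range check right after the `sscanf`, for example `if (count == 0 || count > LOAD_TESTER_MAX_BATCH /* placeholder: limit to be defined */) return JOB_REQUEUE_NONE;` plus a similar cap on `delay`, keeps one request from tying up a worker thread or memory. The `default:` arm of the `switch` prints `!` without `failed++`, so if such an initiation never produced a tracked IKE_SA the wait on `count - failed` would not finish; that is worth confirming. In `open_socket` the failed-`bind` path returns before `umask(old)`, leaving the process with the temporary mask, and the `strcpy` into `sun_path` has no check against `sizeof(addr.sun_path)`.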
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.h b/src/libcharon/plugins/load_tester/load_tester_control.h
new file mode 100644
index 000000000..5d280f0a0
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_control.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_control load_tester_control
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CONTROL_H_
+#define LOAD_TESTER_CONTROL_H_
+
+/**
+ * Socket to accept connections.
+ */
+#define LOAD_TESTER_SOCKET IPSEC_PIDDIR "/charon.ldt"
+
+typedef struct load_tester_control_t load_tester_control_t;
+
+/**
+ * Unix control socket to initiate batches of load-tests.
+ */
+struct load_tester_control_t {
+
+ /**
+ * Destroy a load_tester_control_t.
+ */
+ void (*destroy)(load_tester_control_t *this);
+};
+
+/**
+ * Create a load_tester_control instance.
+ */
+load_tester_control_t *load_tester_control_create();
+
+#endif /** LOAD_TESTER_CONTROL_H_ @}*/
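Review bot: The doc comment on `load_tester_control_t` says neither who may use the socket nor what is spoken on it, which is the first thing someone assessing this interface needs. From load_tester_control.c: it is a `SOCK_SEQPACKET` unix socket at `LOAD_TESTER_SOCKET`, bound under a umask that leaves owner and group access and chowned to the daemon's uid/gid; the client sends one line and reads progress characters back. I would extend the comment accordingly, e.g. `Clients write "<count> [<delay in ms>]"; progress is reported as '.', '!', '+', '-' and '*', followed by a newline.`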
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
index 6d3b6933d..946d62021 100644
--- a/src/libcharon/plugins/load_tester/load_tester_creds.c
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -16,6 +16,7 @@
#include "load_tester_creds.h"
#include <time.h>
+#include <sys/stat.h>
#include <daemon.h>
#include <credentials/keys/shared_key.h>
@@ -44,6 +45,16 @@ struct private_load_tester_creds_t {
certificate_t *ca;
/**
+ * Trusted CA certificates, including issuer CA
+ */
+ linked_list_t *cas;
+
+ /**
+ * Digest algorithm to issue certificates
+ */
+ hash_algorithm_t digest;
+
+ /**
* serial number to issue certificates
*/
u_int32_t serial;
@@ -182,6 +193,84 @@ static char *default_psk = "default-psk";
*/
static char *default_pwd = "default-pwd";
+
+/**
+ * Load the private key, hard-coded or from a file
+ */
+static private_key_t *load_issuer_key()
+{
+ char *path;
+
+ path = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.issuer_key", NULL, charon->name);
+ if (!path)
+ {
+ return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
+ BUILD_END);
+ }
+ DBG1(DBG_CFG, "loading load-tester private key from '%s'", path);
+ return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_FROM_FILE, path, BUILD_END);
+}
+
+/**
+ * Load the issuing certificate, hard-coded or from a file
+ */
+static certificate_t *load_issuer_cert()
+{
+ char *path;
+
+ path = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.issuer_cert", NULL, charon->name);
+ if (!path)
+ {
+ return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
+ BUILD_X509_FLAG, X509_CA,
+ BUILD_END);
+ }
+ DBG1(DBG_CFG, "loading load-tester issuer cert from '%s'", path);
+ return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_END);
+}
+
+/**
+ * Load (intermediate) CA certificates, hard-coded or from a file
+ */
+static void load_ca_certs(private_load_tester_creds_t *this)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ struct stat st;
+ char *path;
+
+ path = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.ca_dir", NULL, charon->name);
+ if (path)
+ {
+ enumerator = enumerator_create_directory(path);
+ if (enumerator)
+ {
+ while (enumerator->enumerate(enumerator, NULL, &path, &st))
+ {
+ if (S_ISREG(st.st_mode))
+ {
+ DBG1(DBG_CFG, "loading load-tester CA cert from '%s'", path);
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_END);
+ if (cert)
+ {
+ this->cas->insert_last(this->cas, cert);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ }
+}
+
METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
private_load_tester_creds_t *this, key_type_t type, identification_t *id)
{
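Review bot: load_issuer_key() and load_issuer_cert() return NULL when a configured `issuer_key` / `issuer_cert` file cannot be read or parsed, and nothing reports that; the only trace is the "loading ..." line printed before the attempt. load_tester_creds_create guards `this->ca` once, but as far as the visible hunks show create_cert_enumerator calls `this->ca->get_public_key(this->ca)` and `this->private->get_public_key(this->private)` unconditionally, so a bad path would surface as a NULL dereference at the first certificate lookup. I would log the failure where it happens, e.g. `DBG1(DBG_CFG, "loading load-tester issuer cert from '%s' failed", path);`, and have the enumerators return NULL when either object is missing. The file branch of load_issuer_cert also drops the `BUILD_X509_FLAG, X509_CA` that the built-in branch sets, and nothing checks that the loaded key belongs to the loaded certificate.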
@@ -207,8 +296,12 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
private_load_tester_creds_t *this, certificate_type_t cert, key_type_t key,
identification_t *id, bool trusted)
{
- certificate_t *peer_cert;
+ enumerator_t *enumerator;
+ certificate_t *peer_cert, *ca_cert;
public_key_t *peer_key, *ca_key;
+ identification_t *dn = NULL;
+ linked_list_t *sans;
+ char buf[128];
u_int32_t serial;
time_t now;
@@ -226,7 +319,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
}
if (!id)
{
- return enumerator_create_single(this->ca, NULL);
+ return this->cas->create_enumerator(this->cas);
}
ca_key = this->ca->get_public_key(this->ca);
if (ca_key)
@@ -238,26 +331,56 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
}
ca_key->destroy(ca_key);
}
- if (this->ca->has_subject(this->ca, id))
+ enumerator = this->cas->create_enumerator(this->cas);
+ while (enumerator->enumerate(enumerator, &ca_cert))
{
- return enumerator_create_single(this->ca, NULL);
+ if (ca_cert->has_subject(ca_cert, id))
+ {
+ enumerator->destroy(enumerator);
+ return enumerator_create_single(ca_cert, NULL);
+ }
}
+ enumerator->destroy(enumerator);
+
if (!trusted)
{
/* peer certificate, generate on demand */
serial = htonl(++this->serial);
now = time(NULL);
+ sans = linked_list_create();
+
+ switch (id->get_type(id))
+ {
+ case ID_DER_ASN1_DN:
+ break;
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ /* encode as subjectAltName, construct a sane DN */
+ sans->insert_last(sans, id);
+ snprintf(buf, sizeof(buf), "CN=%Y", id);
+ dn = identification_create_from_string(buf);
+ break;
+ default:
+ sans->destroy(sans);
+ return NULL;
+ }
peer_key = this->private->get_public_key(this->private);
peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, this->private,
BUILD_SIGNING_CERT, this->ca,
+ BUILD_DIGEST_ALG, this->digest,
BUILD_PUBLIC_KEY, peer_key,
- BUILD_SUBJECT, id,
+ BUILD_SUBJECT, dn ?: id,
+ BUILD_SUBJECT_ALTNAMES, sans,
BUILD_NOT_BEFORE_TIME, now - 60 * 60 * 24,
BUILD_NOT_AFTER_TIME, now + 60 * 60 * 24,
BUILD_SERIAL, chunk_from_thing(serial),
BUILD_END);
peer_key->destroy(peer_key);
+ sans->destroy(sans);
+ DESTROY_IF(dn);
if (peer_cert)
{
return enumerator_create_single(peer_cert, (void*)peer_cert->destroy);
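Review bot: The subject for FQDN, e-mail and IP identities is built by printing the identity into `"CN=%Y"` and re-parsing the string, so unless the `%Y` output is escaped, an identity containing DN syntax such as `,` or `=` can change the shape of the resulting name, and anything that does not fit in `buf[128]` is silently cut. The identity is whatever the caller requested a certificate for, so I would refuse oversized input before parsing: `if (snprintf(buf, sizeof(buf), "CN=%Y", id) >= sizeof(buf)) { sans->destroy(sans); return NULL; }`. It is also worth checking that the parsed `dn` really has type `ID_DER_ASN1_DN` before it is used as `BUILD_SUBJECT`. create_cert_enumerator starts and ends outside this hunk.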
@@ -308,6 +431,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
METHOD(load_tester_creds_t, destroy, void,
private_load_tester_creds_t *this)
{
+ this->cas->destroy_offset(this->cas, offsetof(certificate_t, destroy));
DESTROY_IF(this->private);
DESTROY_IF(this->ca);
this->psk->destroy(this->psk);
@@ -318,12 +442,14 @@ METHOD(load_tester_creds_t, destroy, void,
load_tester_creds_t *load_tester_creds_create()
{
private_load_tester_creds_t *this;
- char *pwd, *psk;
+ char *pwd, *psk, *digest;
psk = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.preshared_key", default_psk, charon->name);
pwd = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.eap_password", default_pwd, charon->name);
+ digest = lib->settings->get_str(lib->settings,
+ "%s.plugins.load-tester.digest", "sha1", charon->name);
INIT(this,
.public = {
@@ -336,18 +462,29 @@ load_tester_creds_t *load_tester_creds_create()
},
.destroy = _destroy,
},
- .private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
- BUILD_END),
- .ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
- BUILD_X509_FLAG, X509_CA,
- BUILD_END),
+ .private = load_issuer_key(),
+ .ca = load_issuer_cert(),
+ .cas = linked_list_create(),
+ .digest = enum_from_name(hash_algorithm_short_names, digest),
.psk = shared_key_create(SHARED_IKE,
chunk_clone(chunk_create(psk, strlen(psk)))),
.pwd = shared_key_create(SHARED_EAP,
chunk_clone(chunk_create(pwd, strlen(pwd)))),
);
+
+ if (this->ca)
+ {
+ this->cas->insert_last(this->cas, this->ca->get_ref(this->ca));
+ }
+
+ if (this->digest == -1)
+ {
+ DBG1(DBG_CFG, "invalid load-tester digest: '%s', using sha1", digest);
+ this->digest = HASH_SHA1;
+ }
+
+ load_ca_certs(this);
+
return &this->public;
}
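Review bot: Both the default for `digest` and the fallback for an unrecognised name are SHA-1, so a misspelled setting quietly signs every generated certificate with SHA-1 and the only hint is a single DBG1 line. For a knob whose purpose is choosing the signature digest, I would rather not downgrade silently: either keep the fallback but document it on the member, `/** Digest algorithm to issue certificates, sha1 if unset or unknown */`, or treat an unknown name as a configuration error. Comparing the enum-typed `this->digest` with `-1` relies on how the compiler represents the enum; holding the `enum_from_name` result in an `int` first avoids that.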
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 92073e62c..0192c8ff9 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -50,6 +50,11 @@ struct private_load_tester_listener_t {
* Shutdown the daemon if we have established this SA count
*/
u_int shutdown_on;
+
+ /**
+ * Configuration backend
+ */
+ load_tester_config_t *config;
};
METHOD(listener_t, ike_updown, bool,
@@ -83,6 +88,16 @@ METHOD(listener_t, ike_updown, bool,
return TRUE;
}
+METHOD(listener_t, ike_state_change, bool,
+ private_load_tester_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+ if (state == IKE_DESTROYING)
+ {
+ this->config->delete_ip(this->config, ike_sa->get_my_host(ike_sa));
+ }
+ return TRUE;
+}
+
METHOD(load_tester_listener_t, get_established, u_int,
private_load_tester_listener_t *this)
{
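Review bot: `ike_state_change` removes the local address for every IKE_SA that reaches `IKE_DESTROYING`, keyed only by `get_my_host()`, while the lease table maps one address to one entry. If a second IKE_SA uses the same local address (the replacement SA after an IKE rekey is the likely case, since the generated config sets `ike_rekey`), destroying the old SA would pull the address out from under the new one. That depends on how rekeyed SAs inherit their hosts, which is not visible here; if it holds, a per-address use count in entry_t avoids it. At minimum the handler should carry the assumption, e.g. `/* assumes exactly one IKE_SA per dynamically installed address */`.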
@@ -95,7 +110,8 @@ METHOD(load_tester_listener_t, destroy, void,
free(this);
}
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
+ load_tester_config_t *config)
{
private_load_tester_listener_t *this;
@@ -103,6 +119,7 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
.public = {
.listener = {
.ike_updown = _ike_updown,
+ .ike_state_change = _ike_state_change,
},
.get_established = _get_established,
.destroy = _destroy,
@@ -111,6 +128,7 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
"%s.plugins.load-tester.delete_after_established", FALSE,
charon->name),
.shutdown_on = shutdown_on,
+ .config = config,
);
return &this->public;
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.h b/src/libcharon/plugins/load_tester/load_tester_listener.h
index 2621798c8..eba4afcf1 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.h
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.h
@@ -23,6 +23,8 @@
#include <bus/bus.h>
+#include "load_tester_config.h"
+
typedef struct load_tester_listener_t load_tester_listener_t;
/**
@@ -52,8 +54,10 @@ struct load_tester_listener_t {
* Create a listener to handle special events during load test
*
* @param shutdown_on shut down the daemon after this many SAs are established
+ * @param config configuration backend
* @return listener
*/
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
+ load_tester_config_t *config);
#endif /** LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 4a982d4b7..6fee2bf3b 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -18,6 +18,7 @@
#include "load_tester_creds.h"
#include "load_tester_ipsec.h"
#include "load_tester_listener.h"
+#include "load_tester_control.h"
#include "load_tester_diffie_hellman.h"
#include <unistd.h>
@@ -51,6 +52,11 @@ struct private_load_tester_plugin_t {
load_tester_creds_t *creds;
/**
+ * Unix control socket to initiate load-tests
+ */
+ load_tester_control_t *control;
+
+ /**
* event handler, listens on bus
*/
load_tester_listener_t *listener;
@@ -181,6 +187,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
this->config = load_tester_config_create();
this->creds = load_tester_creds_create();
+ this->control = load_tester_control_create();
charon->backends->add_backend(charon->backends, &this->config->backend);
lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
@@ -190,7 +197,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
{
shutdown_on = this->iterations * this->initiators;
}
- this->listener = load_tester_listener_create(shutdown_on);
+ this->listener = load_tester_listener_create(shutdown_on, this->config);
charon->bus->add_listener(charon->bus, &this->listener->listener);
for (i = 0; i < this->initiators; i++)
@@ -215,6 +222,7 @@ static bool register_load_tester(private_load_tester_plugin_t *this,
this->config->destroy(this->config);
this->creds->destroy(this->creds);
this->listener->destroy(this->listener);
+ this->control->destroy(this->control);
}
return TRUE;
}
@@ -228,6 +236,7 @@ METHOD(plugin_t, get_features, int,
PLUGIN_DEPENDS(CUSTOM, "load-tester"),
PLUGIN_CALLBACK((plugin_feature_callback_t)register_load_tester, NULL),
PLUGIN_PROVIDE(CUSTOM, "load-tester"),
+ PLUGIN_DEPENDS(CUSTOM, "kernel-net"),
PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
diff --git a/src/libcharon/plugins/lookip/Makefile.am b/src/libcharon/plugins/lookip/Makefile.am
new file mode 100644
index 000000000..450995c9c
--- /dev/null
+++ b/src/libcharon/plugins/lookip/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-lookip.la
+else
+plugin_LTLIBRARIES = libstrongswan-lookip.la
+endif
+
+libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
+ lookip_listener.h lookip_listener.c lookip_msg.h \
+ lookip_socket.h lookip_socket.c
+
+libstrongswan_lookip_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = lookip
+lookip_SOURCES = lookip.c
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
new file mode 100644
index 000000000..26ab61ba8
--- /dev/null
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -0,0 +1,693 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = lookip$(EXEEXT)
+subdir = src/libcharon/plugins/lookip
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_lookip_la_LIBADD =
+am_libstrongswan_lookip_la_OBJECTS = lookip_plugin.lo \
+ lookip_listener.lo lookip_socket.lo
+libstrongswan_lookip_la_OBJECTS = \
+ $(am_libstrongswan_lookip_la_OBJECTS)
+libstrongswan_lookip_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_lookip_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_lookip_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_lookip_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_lookip_OBJECTS = lookip.$(OBJEXT)
+lookip_OBJECTS = $(am_lookip_OBJECTS)
+lookip_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+DIST_SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic \
+ -DIPSEC_PIDDIR=\"${piddir}\"
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-lookip.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-lookip.la
+libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
+ lookip_listener.h lookip_listener.c lookip_msg.h \
+ lookip_socket.h lookip_socket.c
+
+libstrongswan_lookip_la_LDFLAGS = -module -avoid-version
+lookip_SOURCES = lookip.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-lookip.la: $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_DEPENDENCIES) $(EXTRA_libstrongswan_lookip_la_DEPENDENCIES)
+ $(libstrongswan_lookip_la_LINK) $(am_libstrongswan_lookip_la_rpath) $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+lookip$(EXEEXT): $(lookip_OBJECTS) $(lookip_DEPENDENCIES) $(EXTRA_lookip_DEPENDENCIES)
+ @rm -f lookip$(EXEEXT)
+ $(LINK) $(lookip_OBJECTS) $(lookip_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-ipsecPROGRAMS install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/lookip/lookip.c b/src/libcharon/plugins/lookip/lookip.c
new file mode 100644
index 000000000..9887a3a92
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_msg.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <errno.h>
+#include <getopt.h>
+
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
+{
+ struct sockaddr_un addr;
+ int fd;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, LOOKIP_SOCKET);
+
+ fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (fd < 0)
+ {
+ fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+ return -1;
+ }
+ if (connect(fd, (struct sockaddr *)&addr,
+ offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+ {
+ fprintf(stderr, "connecting to %s failed: %s\n",
+ LOOKIP_SOCKET, strerror(errno));
+ close(fd);
+ return -1;
+ }
+ return fd;
+}
+
+/**
+ * Send a request message
+ */
+static int send_request(int fd, int type, char *vip)
+{
+ lookip_request_t req = {
+ .type = type,
+ };
+
+ if (vip)
+ {
+ snprintf(req.vip, sizeof(req.vip), "%s", vip);
+ }
+ if (send(fd, &req, sizeof(req), 0) != sizeof(req))
+ {
+ fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
+ return 2;
+ }
+ return 0;
+}
+
+/**
+ * Receive entries from fd. If block is != 0, the call blocks until closed
+ */
+static int receive(int fd, int block, int loop)
+{
+ lookip_response_t resp;
+ char *label, name[32];
+ int res;
+
+ do
+ {
+ res = recv(fd, &resp, sizeof(resp), block ? 0 : MSG_DONTWAIT);
+ if (res == 0)
+ { /* closed by server */
+ return 0;
+ }
+ if (res != sizeof(resp))
+ {
+ if (!block && (errno == EAGAIN || errno == EWOULDBLOCK))
+ { /* call would block, but we don't */
+ return 0;
+ }
+ fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+ return 1;
+ }
+ switch (resp.type)
+ {
+ case LOOKIP_ENTRY:
+ label = "lookup:";
+ break;
+ case LOOKIP_NOT_FOUND:
+ label = "not found:";
+ break;
+ case LOOKIP_NOTIFY_UP:
+ label = "up:";
+ break;
+ case LOOKIP_NOTIFY_DOWN:
+ label = "down:";
+ break;
+ default:
+ fprintf(stderr, "received invalid message type: %d\n", resp.type);
+ return 1;
+ }
+ resp.vip[sizeof(resp.vip) - 1] = '\0';
+ resp.ip[sizeof(resp.ip) - 1] = '\0';
+ resp.id[sizeof(resp.id) - 1] = '\0';
+ resp.name[sizeof(resp.name) - 1] = '\0';
+
+ snprintf(name, sizeof(name), "%s[%u]", resp.name, resp.unique_id);
+ printf("%-12s %16s %16s %20s %s\n",
+ label, resp.vip, resp.ip, name, resp.id);
+ }
+ while (loop);
+
+ return 0;
+}
+
+/**
+ * Interactive IP lookup shell
+ */
+static int interactive(int fd)
+{
+ printf("Enter IP address or 'quit'\n");
+
+ while (1)
+ {
+ char line[64], *pos;
+ int res;
+
+ printf("> ");
+ fflush(stdout);
+
+ if (fgets(line, sizeof(line), stdin))
+ {
+ pos = strchr(line, '\n');
+ if (pos)
+ {
+ *pos = '\0';
+ }
+ if (strlen(line) == 0)
+ {
+ continue;
+ }
+ if (strcmp(line, "quit") == 0)
+ {
+ return send_request(fd, LOOKIP_END, NULL);
+ }
+ res = send_request(fd, LOOKIP_LOOKUP, line);
+ if (res != 0)
+ {
+ return res;
+ }
+ res = receive(fd, 1, 0);
+ if (res != 0)
+ {
+ return res;
+ }
+ }
+ }
+}
+
+/**
+ * Print usage information
+ */
+static void usage(char *cmd)
+{
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s --help\n", cmd);
+ fprintf(stderr, " %s --dump\n", cmd);
+ fprintf(stderr, " %s --lookup <IP>\n", cmd);
+ fprintf(stderr, " %s --listen-up\n", cmd);
+ fprintf(stderr, " %s --listen-down\n", cmd);
+ fprintf(stderr, "Any combination of options is allowed.\n");
+}
+
+int main(int argc, char *argv[])
+{
+ int fd, res = 0, end = 0;
+ struct option long_opts[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "dump", no_argument, NULL, 'd' },
+ { "lookup", required_argument, NULL, 'l' },
+ { "listen-up", no_argument, NULL, 'u' },
+ { "listen-down", no_argument, NULL, 'c' },
+ { 0,0,0,0 }
+ };
+
+ fd = make_connection();
+ if (fd == -1)
+ {
+ return 1;
+ }
+
+ if (argc == 1)
+ {
+ res = interactive(fd);
+ close(fd);
+ return res;
+ }
+
+ while (res == 0)
+ {
+ switch (getopt_long(argc, argv, "", long_opts, NULL))
+ {
+ case EOF:
+ end = 1;
+ break;
+ case 'h':
+ usage(argv[0]);
+ break;
+ case 'd':
+ res = send_request(fd, LOOKIP_DUMP, NULL);
+ break;
+ case 'l':
+ res = send_request(fd, LOOKIP_LOOKUP, optarg);
+ break;
+ case 'u':
+ res = send_request(fd, LOOKIP_REGISTER_UP, NULL);
+ break;
+ case 'c':
+ res = send_request(fd, LOOKIP_REGISTER_DOWN, NULL);
+ break;
+ default:
+ usage(argv[0]);
+ res = 1;
+ break;
+ }
+ if (end)
+ {
+ break;
+ }
+ if (res == 0)
+ { /* read all currently available results */
+ res = receive(fd, 0, 1);
+ }
+ }
+ if (res == 0)
+ {
+ /* send close message */
+ send_request(fd, LOOKIP_END, NULL);
+ /* read until socket gets closed */
+ res = receive(fd, 1, 1);
+ }
+ close(fd);
+
+ return res;
+}
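Review bot: In interactive(), a NULL return from fgets() (end of input or a read error) is not handled, so the `while (1)` loop spins forever reprinting the prompt once stdin is closed or exhausted; add an `else` branch such as `else { return send_request(fd, LOOKIP_END, NULL); }`. In make_connection(), `strcpy(addr.sun_path, LOOKIP_SOCKET)` has no length bound, and LOOKIP_SOCKET appears to be built from the configurable pid directory (the Makefile passes `-DIPSEC_PIDDIR`), so a long install path would overflow `sun_path`; a bounded copy such as `snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", LOOKIP_SOCKET);` keeps it in range. The file also calls strcpy, strlen, strerror, strchr and strcmp without including `<string.h>`, which is only safe if lookip_msg.h pulls it in, and that header is not shown in this hunk.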
diff --git a/src/libcharon/plugins/lookip/lookip_listener.c b/src/libcharon/plugins/lookip/lookip_listener.c
new file mode 100644
index 000000000..caf336a2e
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_listener.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_listener.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_lookip_listener_t private_lookip_listener_t;
+
+/**
+ * Private data of an lookip_listener_t object.
+ */
+struct private_lookip_listener_t {
+
+ /**
+ * Public lookip_listener_t interface.
+ */
+ lookip_listener_t public;
+
+ /**
+ * Lock for hashtable
+ */
+ rwlock_t *lock;
+
+ /**
+ * Hashtable with entries: host_t => entry_t
+ */
+ hashtable_t *entries;
+
+ /**
+ * List of registered listeners
+ */
+ linked_list_t *listeners;
+};
+
+/**
+ * Listener entry
+ */
+typedef struct {
+ /** callback function */
+ lookip_callback_t cb;
+ /** user data for callback */
+ void *user;
+} listener_entry_t;
+
+/**
+ * Hashtable entry
+ */
+typedef struct {
+ /** virtual IP, serves as lookup key */
+ host_t *vip;
+ /** peers external address */
+ host_t *other;
+ /** peer (EAP-)Identity */
+ identification_t *id;
+ /** associated connection name */
+ char *name;
+ /** IKE_SA unique identifier */
+ u_int unique_id;
+} entry_t;
+
+/**
+ * Destroy a hashtable entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+ entry->vip->destroy(entry->vip);
+ entry->other->destroy(entry->other);
+ entry->id->destroy(entry->id);
+ free(entry->name);
+ free(entry);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+ return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+ return a->ip_equals(a, b);
+}
+
+/**
+ * Compare callback that invokes up callback of all registered listeners
+ */
+static bool notify_up(listener_entry_t *listener, entry_t *entry)
+{
+ if (!listener->cb(listener->user, TRUE, entry->vip, entry->other,
+ entry->id, entry->name, entry->unique_id))
+ {
+ free(listener);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Compare callback that invokes down callback of all registered listeners
+ */
+static bool notify_down(listener_entry_t *listener, entry_t *entry)
+{
+ if (!listener->cb(listener->user, FALSE, entry->vip, entry->other,
+ entry->id, entry->name, entry->unique_id))
+ {
+ free(listener);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Add a new entry to the hashtable
+ */
+static void add_entry(private_lookip_listener_t *this, ike_sa_t *ike_sa)
+{
+ enumerator_t *enumerator;
+ host_t *vip, *other;
+ identification_t *id;
+ entry_t *entry;
+
+ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ other = ike_sa->get_other_host(ike_sa);
+ id = ike_sa->get_other_eap_id(ike_sa);
+
+ INIT(entry,
+ .vip = vip->clone(vip),
+ .other = other->clone(other),
+ .id = id->clone(id),
+ .name = strdup(ike_sa->get_name(ike_sa)),
+ .unique_id = ike_sa->get_unique_id(ike_sa),
+ );
+
+ this->lock->read_lock(this->lock);
+ this->listeners->remove(this->listeners, entry, (void*)notify_up);
+ this->lock->unlock(this->lock);
+
+ this->lock->write_lock(this->lock);
+ entry = this->entries->put(this->entries, entry->vip, entry);
+ this->lock->unlock(this->lock);
+ if (entry)
+ {
+ entry_destroy(entry);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Remove an entry from the hashtable
+ */
+static void remove_entry(private_lookip_listener_t *this, ike_sa_t *ike_sa)
+{
+ enumerator_t *enumerator;
+ host_t *vip;
+ entry_t *entry;
+
+ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ this->lock->write_lock(this->lock);
+ entry = this->entries->remove(this->entries, vip);
+ this->lock->unlock(this->lock);
+ if (entry)
+ {
+ this->lock->read_lock(this->lock);
+ this->listeners->remove(this->listeners, entry, (void*)notify_down);
+ this->lock->unlock(this->lock);
+
+ entry_destroy(entry);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(listener_t, message_hook, bool,
+ private_lookip_listener_t *this, ike_sa_t *ike_sa,
+ message_t *message, bool incoming, bool plain)
+{
+ if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+ !incoming && !message->get_request(message))
+ {
+ if (ike_sa->get_version(ike_sa) == IKEV1 &&
+ message->get_exchange_type(message) == TRANSACTION)
+ {
+ add_entry(this, ike_sa);
+ }
+ if (ike_sa->get_version(ike_sa) == IKEV2 &&
+ message->get_exchange_type(message) == IKE_AUTH)
+ {
+ add_entry(this, ike_sa);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_lookip_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+ if (!up)
+ {
+ remove_entry(this, ike_sa);
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+ private_lookip_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+ /* During IKE_SA rekey, the unique identifier changes. Fire update events
+ * and update the cached entry. During the invocation of this hook, the
+ * virtual IPs have been migrated to new, hence remove that entry. */
+ remove_entry(this, new);
+ add_entry(this, new);
+
+ return TRUE;
+}
+
+METHOD(lookip_listener_t, lookup, int,
+ private_lookip_listener_t *this, host_t *vip,
+ lookip_callback_t cb, void *user)
+{
+ entry_t *entry;
+ int matches = 0;
+
+ this->lock->read_lock(this->lock);
+ if (vip)
+ {
+ entry = this->entries->get(this->entries, vip);
+ if (entry)
+ {
+ cb(user, TRUE, entry->vip, entry->other, entry->id,
+ entry->name, entry->unique_id);
+ matches ++;
+ }
+ }
+ else
+ {
+ enumerator_t *enumerator;
+
+ enumerator = this->entries->create_enumerator(this->entries);
+ while (enumerator->enumerate(enumerator, &vip, &entry))
+ {
+ cb(user, TRUE, entry->vip, entry->other, entry->id,
+ entry->name, entry->unique_id);
+ matches++;
+ }
+ enumerator->destroy(enumerator);
+ }
+ this->lock->unlock(this->lock);
+
+ return matches;
+}
+
+METHOD(lookip_listener_t, add_listener, void,
+ private_lookip_listener_t *this, lookip_callback_t cb, void *user)
+{
+ listener_entry_t *listener;
+
+ INIT(listener,
+ .cb = cb,
+ .user = user,
+ );
+
+ this->lock->write_lock(this->lock);
+ this->listeners->insert_last(this->listeners, listener);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(lookip_listener_t, destroy, void,
+ private_lookip_listener_t *this)
+{
+ this->listeners->destroy_function(this->listeners, free);
+ this->entries->destroy(this->entries);
+ this->lock->destroy(this->lock);
+ free(this);
+}
+
+/**
+ * See header
+ */
+lookip_listener_t *lookip_listener_create()
+{
+ private_lookip_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .message = _message_hook,
+ .ike_updown = _ike_updown,
+ .ike_rekey = _ike_rekey,
+ },
+ .lookup = _lookup,
+ .add_listener = _add_listener,
+ .destroy = _destroy,
+ },
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .entries = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .listeners = linked_list_create(),
+ );
+
+ return &this->public;
+}
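Review bot: add_entry() and remove_entry() call `this->listeners->remove(this->listeners, entry, (void*)notify_up)` (and the notify_down variant) while holding only `read_lock`, yet notify_up()/notify_down() unlink and `free(listener)` whenever the callback returns FALSE. Two threads handling IKE_SA events at the same time can therefore modify the list, or free the same listener, concurrently. Take the lock exclusively around these two calls with `this->lock->write_lock(this->lock);`, as add_listener() already does for insertion. Separately, destroy() calls `this->entries->destroy(this->entries)` without first passing the stored entries to entry_destroy(); unless the hashtable releases its values itself, the cloned hosts, identity and name of any remaining entry are leaked.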
diff --git a/src/libcharon/plugins/lookip/lookip_listener.h b/src/libcharon/plugins/lookip/lookip_listener.h
new file mode 100644
index 000000000..56f74ed48
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_listener.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_listener lookip_listener
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_LISTENER_H_
+#define LOOKIP_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct lookip_listener_t lookip_listener_t;
+
+/**
+ * Callback function to query virtual IP entries
+ *
+ * @param user user supplied pointer
+ * @param up TRUE if tunnels established, FALSE if closed
+ * @param vip virtual IP of remote peer
+ * @param other peer external IP
+ * @param id peer identity
+ * @param name associated connection name
+ * @param unique_id unique IKE_SA identifier
+ * @return TRUE to receive more results, FALSE to cancel
+ */
+typedef bool (*lookip_callback_t)(void *user, bool up, host_t *vip,
+ host_t *other, identification_t *id,
+ char *name, u_int unique_id);
+
+/**
+ * Listener collecting virtual IPs.
+ */
+struct lookip_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Perform a lookup for a given virtual IP, invoke callback for matches.
+ *
+ * The "up" parameter is always TRUE when the callback is invoked using
+ * lookup().
+ *
+ * @param vip virtual IP to look up, NULL to get all entries
+ * @param cb callback function to invoke
+ * @param user user data to pass to callback function
+ * @return number of matches
+ */
+ int (*lookup)(lookip_listener_t *this, host_t *vip,
+ lookip_callback_t cb, void *user);
+
+ /**
+ * Register a listener function that gets notified about virtual IP changes.
+ *
+ * @param cb callback function to invoke
+ * @param user user data to pass to callback function
+ */
+ void (*add_listener)(lookip_listener_t *this,
+ lookip_callback_t cb, void *user);
+
+ /**
+ * Destroy a lookip_listener_t.
+ */
+ void (*destroy)(lookip_listener_t *this);
+};
+
+/**
+ * Create a lookip_listener instance.
+ */
+lookip_listener_t *lookip_listener_create();
+
+#endif /** LOOKIP_LISTENER_H_ @}*/
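Review bot: The lookip_callback_t comment does not say how long `vip`, `other`, `id` and `name` remain valid, and in lookip_listener.c the entry is destroyed immediately after the down notification, so a callback that keeps any of these pointers would read freed memory. Add to the callback description `* The passed objects are owned by the listener and are valid only during the call; clone what must be kept.` The add_listener() comment should also state what the implementation does with the return value: `* A callback returning FALSE is unregistered and its registration is freed.`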
diff --git a/src/libcharon/plugins/lookip/lookip_msg.h b/src/libcharon/plugins/lookip/lookip_msg.h
new file mode 100644
index 000000000..d5789c29f
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_msg.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_msg lookip_msg
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_MSG_H_
+#define LOOKIP_MSG_H_
+
+#define LOOKIP_SOCKET IPSEC_PIDDIR "/charon.lkp"
+
+typedef struct lookip_request_t lookip_request_t;
+typedef struct lookip_response_t lookip_response_t;
+
+/**
+ * Message type.
+ *
+ * The client can send a batch of request messages, containing DUMP, LOOKUP or
+ * REGISTER_* messages. The server immediately starts sending responses for
+ * these messages, using ENTRY or NOTIFY_* messages.
+ * A client MUST send an END message to complete a batch. The server will
+ * send any remaining responses, but will not accept new requests and closes
+ * the connection when complete.
+ */
+enum {
+ /** request a dump of all entries */
+ LOOKIP_DUMP = 1,
+ /** lookup a specific virtual IP */
+ LOOKIP_LOOKUP,
+ /** reply message for DUMP and LOOKUP */
+ LOOKIP_ENTRY,
+ /** reply message for LOOKUP if no such IP found */
+ LOOKIP_NOT_FOUND,
+ /** register for notifications about new virtual IPs */
+ LOOKIP_REGISTER_UP,
+ /** register for notifications about virtual IPs released */
+ LOOKIP_REGISTER_DOWN,
+ /** notify reply message for REGISTER_UP */
+ LOOKIP_NOTIFY_UP,
+ /** notify reply message for REGISTER_DOWN */
+ LOOKIP_NOTIFY_DOWN,
+ /** end of request batch */
+ LOOKIP_END,
+};
+
+/**
+ * Request message sent from client.
+ *
+ * Valid request message types are DUMP, LOOKUP, REGISTER_UP/DOWN and END.
+ *
+ * The vip field is used only in LOOKUP requests, but ignored otherwise.
+ */
+struct lookip_request_t {
+ /** request message type */
+ int type;
+ /** null terminated string representation of virtual IP */
+ char vip[40];
+};
+
+/**
+ * Response message sent to client.
+ *
+ * Valid response message types are ENTRY, NOT_FOUND and NOTIFY_UP/DOWN.
+ *
+ * All fields are set in all messages, except in NOT_FOUND: Only vip is set.
+ */
+struct lookip_response_t {
+ /** response message type */
+ int type;
+ /** null terminated string representation of virtual IP */
+ char vip[40];
+ /** null terminated string representation of outer IP */
+ char ip[40];
+ /** null terminated peer identity */
+ char id[128];
+ /** null terminated connection name */
+ char name[40];
+ /** unique connection id */
+ unsigned int unique_id;
+};
+
+#endif /** LOOKIP_MSG_H_ @}*/
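Review bot: The field comments describe the strings as null terminated, but both structs are copied verbatim from a socket, so a receiver cannot rely on that; lookip_socket.c already forces `req->vip[sizeof(req->vip) - 1] = 0` before parsing. The contract should say so on both structs, for example `* Receivers must terminate all string fields themselves before use.` It is also worth documenting that `id` and `name` are truncated to the field size (the sender uses snprintf), so a client should not treat `name` as an exact connection identifier when it fills the buffer.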
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
new file mode 100644
index 000000000..360864849
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_plugin.h"
+
+#include "lookip_listener.h"
+#include "lookip_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_lookip_plugin_t private_lookip_plugin_t;
+
+/**
+ * private data of lookip plugin
+ */
+struct private_lookip_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ lookip_plugin_t public;
+
+ /**
+ * Listener collecting virtual IP assignements
+ */
+ lookip_listener_t *listener;
+
+ /**
+ * UNIX socket to serve client queries
+ */
+ lookip_socket_t *socket;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_lookip_plugin_t *this)
+{
+ return "lookip";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_lookip_plugin_t *this)
+{
+ this->socket->destroy(this->socket);
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *lookip_plugin_create()
+{
+ private_lookip_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .listener = lookip_listener_create(),
+ );
+
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+ this->socket = lookip_socket_create(this->listener);
+
+ return &this->public.plugin;
+}
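Review bot: lookip_plugin_create() stores the result of lookip_socket_create() without checking it, and that constructor returns NULL when open_socket() fails, so destroy() then dereferences a NULL pointer in `this->socket->destroy(this->socket);`. Either guard the teardown with `DESTROY_IF(this->socket);` or treat a missing socket as a failed plugin load: remove the bus listener, destroy it, free `this` and return NULL. As written, a daemon that cannot bind the socket path loads the plugin and crashes on unload.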
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.h b/src/libcharon/plugins/lookip/lookip_plugin.h
new file mode 100644
index 000000000..ea780ebe7
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip lookip
+ * @ingroup cplugins
+ *
+ * @defgroup lookip_plugin lookip_plugin
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_PLUGIN_H_
+#define LOOKIP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct lookip_plugin_t lookip_plugin_t;
+
+/**
+ * Plugin providing fast connection lookup and notification for virtual IPs.
+ */
+struct lookip_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** LOOKIP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
new file mode 100644
index 000000000..f2a469e92
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -0,0 +1,461 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_socket.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include "lookip_msg.h"
+
+typedef struct private_lookip_socket_t private_lookip_socket_t;
+
+/**
+ * Private data of an lookip_socket_t object.
+ */
+struct private_lookip_socket_t {
+
+ /**
+ * Public lookip_socket_t interface.
+ */
+ lookip_socket_t public;
+
+ /**
+ * lookip
+ */
+ lookip_listener_t *listener;
+
+ /**
+ * lookip unix socket file descriptor
+ */
+ int socket;
+
+ /**
+ * List of registered listeners, as entry_t
+ */
+ linked_list_t *registered;
+
+ /**
+ * List of connected clients, as uintptr_t FD
+ */
+ linked_list_t *connected;
+
+ /**
+ * Mutex to lock clients list
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Open lookip unix socket
+ */
+static bool open_socket(private_lookip_socket_t *this)
+{
+ struct sockaddr_un addr;
+ mode_t old;
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, LOOKIP_SOCKET);
+
+ this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "creating lookip socket failed");
+ return FALSE;
+ }
+ unlink(addr.sun_path);
+ old = umask(~(S_IRWXU | S_IRWXG));
+ if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+ {
+ DBG1(DBG_CFG, "binding lookip socket failed: %s", strerror(errno));
+ close(this->socket);
+ return FALSE;
+ }
+ umask(old);
+ if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
+ charon->caps->get_gid(charon->caps)) != 0)
+ {
+ DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
+ strerror(errno));
+ }
+ if (listen(this->socket, 10) < 0)
+ {
+ DBG1(DBG_CFG, "listening on lookip socket failed: %s", strerror(errno));
+ close(this->socket);
+ unlink(addr.sun_path);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Listener callback entry
+ */
+typedef struct {
+ /* FD to write to */
+ int fd;
+ /* message type to send */
+ int type;
+ /* back pointer to socket, only for subscriptions */
+ private_lookip_socket_t *this;
+} entry_t;
+
+/**
+ * Destroy entry
+ */
+static void entry_destroy(entry_t *this)
+{
+ close(this->fd);
+ free(this);
+}
+
+/**
+ * Callback function for listener
+ */
+static bool listener_cb(entry_t *entry, bool up, host_t *vip,
+ host_t *other, identification_t *id,
+ char *name, u_int unique_id)
+{
+ lookip_response_t resp = {
+ .type = entry->type,
+ .unique_id = unique_id,
+ };
+
+ /* filter events */
+ if (up && entry->type == LOOKIP_NOTIFY_DOWN)
+ {
+ return TRUE;
+ }
+ if (!up && entry->type == LOOKIP_NOTIFY_UP)
+ {
+ return TRUE;
+ }
+
+ snprintf(resp.vip, sizeof(resp.vip), "%H", vip);
+ snprintf(resp.ip, sizeof(resp.ip), "%H", other);
+ snprintf(resp.id, sizeof(resp.id), "%Y", id);
+ snprintf(resp.name, sizeof(resp.name), "%s", name);
+
+ switch (send(entry->fd, &resp, sizeof(resp), 0))
+ {
+ case sizeof(resp):
+ return TRUE;
+ case 0:
+ /* client disconnected, adios */
+ break;
+ default:
+ DBG1(DBG_CFG, "sending lookip response failed: %s", strerror(errno));
+ break;
+ }
+ if (entry->this)
+ { /* unregister listener */
+ entry->this->mutex->lock(entry->this->mutex);
+ entry->this->registered->remove(entry->this->registered, entry, NULL);
+ entry->this->mutex->unlock(entry->this->mutex);
+
+ entry_destroy(entry);
+ }
+ return FALSE;
+}
+
+/**
+ * Perform a entry lookup
+ */
+static void query(private_lookip_socket_t *this, int fd, lookip_request_t *req)
+{
+ entry_t entry = {
+ .fd = fd,
+ .type = LOOKIP_ENTRY,
+ };
+ host_t *vip = NULL;
+ int matches = 0;
+
+ if (req)
+ { /* lookup */
+ req->vip[sizeof(req->vip) - 1] = 0;
+ vip = host_create_from_string(req->vip, 0);
+ if (vip)
+ {
+ matches = this->listener->lookup(this->listener, vip,
+ (void*)listener_cb, &entry);
+ vip->destroy(vip);
+ }
+ if (matches == 0)
+ {
+ lookip_response_t resp = {
+ .type = LOOKIP_NOT_FOUND,
+ };
+
+ snprintf(resp.vip, sizeof(resp.vip), "%s", req->vip);
+ if (send(fd, &resp, sizeof(resp), 0) < 0)
+ {
+ DBG1(DBG_CFG, "sending lookip not-found failed: %s",
+ strerror(errno));
+ }
+ }
+ }
+ else
+ { /* dump */
+ this->listener->lookup(this->listener, NULL,
+ (void*)listener_cb, &entry);
+ }
+}
+
+/**
+ * Subscribe to virtual IP events
+ */
+static void subscribe(private_lookip_socket_t *this, int fd, int type)
+{
+ entry_t *entry;
+
+ INIT(entry,
+ .fd = fd,
+ .type = type,
+ .this = this,
+ );
+
+ this->mutex->lock(this->mutex);
+ this->registered->insert_last(this->registered, entry);
+ this->mutex->unlock(this->mutex);
+
+ this->listener->add_listener(this->listener, (void*)listener_cb, entry);
+}
+
+/**
+ * Check if a client is subscribed for notifications
+ */
+static bool subscribed(private_lookip_socket_t *this, int fd)
+{
+ enumerator_t *enumerator;
+ bool subscribed = FALSE;
+ entry_t *entry;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->registered->create_enumerator(this->registered);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->fd == fd)
+ {
+ subscribed = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ return subscribed;
+}
+
+/**
+ * Create a fd_set from all bound sockets
+ */
+static int build_fds(private_lookip_socket_t *this, fd_set *fds)
+{
+ enumerator_t *enumerator;
+ uintptr_t fd;
+ int maxfd;
+
+ FD_ZERO(fds);
+ FD_SET(this->socket, fds);
+ maxfd = this->socket;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->connected->create_enumerator(this->connected);
+ while (enumerator->enumerate(enumerator, &fd))
+ {
+ FD_SET(fd, fds);
+ maxfd = max(maxfd, fd);
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ return maxfd + 1;
+}
+
+/**
+ * Find the socket select()ed
+ */
+static int scan_fds(private_lookip_socket_t *this, fd_set *fds)
+{
+ enumerator_t *enumerator;
+ uintptr_t fd;
+ int selected = -1;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->connected->create_enumerator(this->connected);
+ while (enumerator->enumerate(enumerator, &fd))
+ {
+ if (FD_ISSET(fd, fds))
+ {
+ selected = fd;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ return selected;
+}
+
+/**
+ * Dispatch from a socket, return TRUE to end communication
+ */
+static bool dispatch(private_lookip_socket_t *this, int fd)
+{
+ lookip_request_t req;
+ int len;
+
+ len = recv(fd, &req, sizeof(req), 0);
+ if (len != sizeof(req))
+ {
+ if (len != 0)
+ {
+ DBG1(DBG_CFG, "receiving lookip request failed: %s",
+ strerror(errno));
+ }
+ return TRUE;
+ }
+ switch (req.type)
+ {
+ case LOOKIP_LOOKUP:
+ query(this, fd, &req);
+ return FALSE;
+ case LOOKIP_DUMP:
+ query(this, fd, NULL);
+ return FALSE;
+ case LOOKIP_REGISTER_UP:
+ subscribe(this, fd, LOOKIP_NOTIFY_UP);
+ return FALSE;
+ case LOOKIP_REGISTER_DOWN:
+ subscribe(this, fd, LOOKIP_NOTIFY_DOWN);
+ return FALSE;
+ case LOOKIP_END:
+ return TRUE;
+ default:
+ DBG1(DBG_CFG, "received unknown lookip command");
+ return TRUE;
+ }
+}
+
+/**
+ * Accept client connections, dispatch
+ */
+static job_requeue_t receive(private_lookip_socket_t *this)
+{
+ struct sockaddr_un addr;
+ int fd, maxfd, len;
+ bool oldstate;
+ fd_set fds;
+
+ while (TRUE)
+ {
+ maxfd = build_fds(this, &fds);
+ oldstate = thread_cancelability(TRUE);
+ if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+ {
+ thread_cancelability(oldstate);
+ DBG1(DBG_CFG, "selecting lookip sockets failed: %s",
+ strerror(errno));
+ break;
+ }
+ thread_cancelability(oldstate);
+
+ if (FD_ISSET(this->socket, &fds))
+ { /* new connection, accept() */
+ len = sizeof(addr);
+ fd = accept(this->socket, (struct sockaddr*)&addr, &len);
+ if (fd != -1)
+ {
+ this->mutex->lock(this->mutex);
+ this->connected->insert_last(this->connected,
+ (void*)(uintptr_t)fd);
+ this->mutex->unlock(this->mutex);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "accepting lookip connection failed: %s",
+ strerror(errno));
+ }
+ continue;
+ }
+
+ fd = scan_fds(this, &fds);
+ if (fd == -1)
+ {
+ continue;
+ }
+ if (dispatch(this, fd))
+ {
+ this->mutex->lock(this->mutex);
+ this->connected->remove(this->connected, (void*)(uintptr_t)fd, NULL);
+ this->mutex->unlock(this->mutex);
+ if (!subscribed(this, fd))
+ {
+ close(fd);
+ }
+ }
+ }
+ return JOB_REQUEUE_FAIR;
+}
+
+METHOD(lookip_socket_t, destroy, void,
+ private_lookip_socket_t *this)
+{
+ this->registered->destroy_function(this->registered, (void*)entry_destroy);
+ this->connected->destroy(this->connected);
+ this->mutex->destroy(this->mutex);
+ close(this->socket);
+ free(this);
+}
+
+/**
+ * See header
+ */
+lookip_socket_t *lookip_socket_create(lookip_listener_t *listener)
+{
+ private_lookip_socket_t *this;
+
+ INIT(this,
+ .public = {
+ .destroy = _destroy,
+ },
+ .listener = listener,
+ .registered = linked_list_create(),
+ .connected = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
+
+ if (!open_socket(this))
+ {
+ free(this);
+ return NULL;
+ }
+
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
+ NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+ return &this->public;
+}
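Review bot: listener_cb() calls `send(entry->fd, &resp, sizeof(resp), 0)` on a blocking descriptor, and for subscriptions it appears to run from the listener's notify path during IKE_SA events, so a subscribed client that stops reading can stall that thread while the listener lock is held. Using `send(entry->fd, &resp, sizeof(resp), MSG_DONTWAIT)` and letting the existing failure path drop the subscriber would bound this. entry_destroy() also closes `entry->fd` although the same descriptor can still be in `connected`, and in a second entry when a client registers for both up and down events, so it can be closed twice or selected on after close; ownership of the descriptor should rest in one place. In open_socket() the bind() failure branch returns without `umask(old);`, and build_fds() passes accepted descriptors to FD_SET without checking them against FD_SETSIZE. lookip_socket_create() frees only `this` on failure, leaking both lists and the mutex.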
diff --git a/src/libcharon/plugins/lookip/lookip_socket.h b/src/libcharon/plugins/lookip/lookip_socket.h
new file mode 100644
index 000000000..c1c50246d
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_socket.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_socket lookip_socket
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_SOCKET_H_
+#define LOOKIP_SOCKET_H_
+
+#include "lookip_listener.h"
+
+typedef struct lookip_socket_t lookip_socket_t;
+
+/**
+ * Lookip plugin UNIX query socket.
+ */
+struct lookip_socket_t {
+
+ /**
+ * Destroy a lookip_socket_t.
+ */
+ void (*destroy)(lookip_socket_t *this);
+};
+
+/**
+ * Create a lookip_socket instance.
+ */
+lookip_socket_t *lookip_socket_create(lookip_listener_t *listener);
+
+#endif /** LOOKIP_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index dfcd1f6ef..bd6f08e9b 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -74,6 +74,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)" \
"$(DESTDIR)$(dbusservicedir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -380,7 +389,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES)
+libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) $(EXTRA_libstrongswan_maemo_la_DEPENDENCIES)
$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -435,9 +444,7 @@ uninstall-dbusserviceDATA:
@$(NORMAL_UNINSTALL)
@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files
+ dir='$(DESTDIR)$(dbusservicedir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -538,10 +545,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index cb2fc9ebb..806e4cd65 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -323,12 +323,12 @@ static gboolean initiate_connection(private_maemo_service_t *this,
NULL);
}
- ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE,
+ ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- hostname, FALSE, IKEV2_UDP_PORT);
+ hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create(this->current, IKEV2, ike_cfg,
+ peer_cfg = peer_cfg_create(this->current, ike_cfg,
CERT_SEND_IF_ASKED,
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
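Review bot: The widened `ike_cfg_create()` call is a run of ten positional arguments, four of them bare `TRUE`/`FALSE`, and nothing at the call site says which flag is which. The `peer_cfg_create()` call directly below does annotate its numbers (`/* keyingtries */`). Going by the sql_config.c hunk of this same commit, the two booleans after `IKEV2` are `certreq` and `force_encap`, so a trailing `/* certreq, force_encap */` on the first line would let a reader check that a certificate request is really meant to be enabled here. What the two `FALSE`s after the addresses mean is not visible in this diff, so they should be labelled from the prototype. The same applies to the `ike_cfg_create()` calls in the medcli_config.c and medsrv_config.c hunks; initiate_connection() starts and ends outside this hunk.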
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 359533a60..afccfee91 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_medcli_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -376,7 +385,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES)
+libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) $(EXTRA_libstrongswan_medcli_la_DEPENDENCIES)
$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -516,10 +525,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index a1825effc..4be3dea02 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -61,28 +61,12 @@ static traffic_selector_t *ts_from_string(char *str)
{
if (str)
{
- int netbits = 32;
- host_t *net;
- char *pos;
+ traffic_selector_t *ts;
- str = strdupa(str);
- pos = strchr(str, '/');
- if (pos)
+ ts = traffic_selector_create_from_cidr(str, 0, 0);
+ if (ts)
{
- *pos++ = '\0';
- netbits = atoi(pos);
- }
- else
- {
- if (strchr(str, ':'))
- {
- netbits = 128;
- }
- }
- net = host_create_from_string(str, 0);
- if (net)
- {
- return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+ return ts;
}
}
return traffic_selector_create_dynamic(0, 0, 65535);
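Review bot: A non-NULL `str` that `traffic_selector_create_from_cidr()` rejects still falls through to `traffic_selector_create_dynamic(0, 0, 65535)` with no diagnostic. A malformed network string therefore silently becomes a dynamic selector instead of the subnet the operator presumably intended. The removed code had the same silent fallback, so this is not a regression, but the rewrite is a good moment to make it visible. Inside the `if (str)` block, after the `if (ts)` return, I would add something like `DBG1(DBG_CFG, "invalid traffic selector '%s', using dynamic", str);`, assuming the daemon's debug macros are in scope in this file. The closing brace of ts_from_string() lies outside the hunk.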
@@ -118,12 +102,13 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
DESTROY_IF(e);
return NULL;
}
- ike_cfg = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", FALSE, charon->socket->get_port(charon->socket, FALSE),
- address, FALSE, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+ "0.0.0.0", FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
med_cfg = peer_cfg_create(
- "mediation", IKEV2, ike_cfg,
+ "mediation", ike_cfg,
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -160,7 +145,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
return NULL;
}
peer_cfg = peer_cfg_create(
- name, IKEV2, this->ike->get_ref(this->ike),
+ name, this->ike->get_ref(this->ike),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -235,7 +220,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
return FALSE;
}
this->current = peer_cfg_create(
- name, IKEV2, this->ike->get_ref(this->ike),
+ name, this->ike->get_ref(this->ike),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -392,9 +377,11 @@ medcli_config_t *medcli_config_create(database_t *db)
.db = db,
.rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200),
.dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300),
- .ike = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", FALSE, charon->socket->get_port(charon->socket, FALSE),
- "0.0.0.0", FALSE, IKEV2_UDP_PORT),
+ .ike = ike_cfg_create(IKEV2, FALSE, FALSE,
+ "0.0.0.0", FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
diff --git a/src/libcharon/plugins/medcli/medcli_creds.c b/src/libcharon/plugins/medcli/medcli_creds.c
index 9c4a0b756..677229b9f 100644
--- a/src/libcharon/plugins/medcli/medcli_creds.c
+++ b/src/libcharon/plugins/medcli/medcli_creds.c
@@ -17,7 +17,7 @@
#include <daemon.h>
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct private_medcli_creds_t private_medcli_creds_t;
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index ba27b8570..5d65aadc5 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_medsrv_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES)
+libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) $(EXTRA_libstrongswan_medsrv_la_DEPENDENCIES)
$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
index ff33c53e1..be14380ea 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.c
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -88,7 +88,7 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
if (e->enumerate(e, &name))
{
peer_cfg = peer_cfg_create(
- name, IKEV2, this->ike->get_ref(this->ike),
+ name, this->ike->get_ref(this->ike),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -139,9 +139,11 @@ medsrv_config_t *medsrv_config_create(database_t *db)
.db = db,
.rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200),
.dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300),
- .ike = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", FALSE, charon->socket->get_port(charon->socket, FALSE),
- "0.0.0.0", FALSE, IKEV2_UDP_PORT),
+ .ike = ike_cfg_create(IKEV2, FALSE, FALSE,
+ "0.0.0.0", FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.c b/src/libcharon/plugins/medsrv/medsrv_creds.c
index 3ae80f64c..0d99c4f77 100644
--- a/src/libcharon/plugins/medsrv/medsrv_creds.c
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.c
@@ -17,7 +17,7 @@
#include <daemon.h>
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct private_medsrv_creds_t private_medsrv_creds_t;
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 32bdad00c..b22a74e94 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_radattr_la_DEPENDENCIES = \
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES)
+libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES) $(EXTRA_libstrongswan_radattr_la_DEPENDENCIES)
$(libstrongswan_radattr_la_LINK) $(am_libstrongswan_radattr_la_rpath) $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 19cb7987b..433d019c1 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES)
+libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) $(EXTRA_libstrongswan_smp_la_DEPENDENCIES)
$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 3919e053a..5e947a7e9 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_socket_default_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES)
+libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_default_la_DEPENDENCIES)
$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index dfde282b2..e3fe4334a 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_socket_dynamic_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES)
+libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_dynamic_la_DEPENDENCIES)
$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index 33f16cc45..a5e919348 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -40,7 +40,7 @@
#include <daemon.h>
#include <threading/thread.h>
#include <threading/rwlock.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
/* Maximum size of a packet */
#define MAX_PACKET 10000
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index a6c6cbe1e..22868fce7 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_sql_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES)
+libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_sql_la_DEPENDENCIES)
$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index c614c679e..37bd86671 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -258,9 +258,11 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
{
ike_cfg_t *ike_cfg;
- ike_cfg = ike_cfg_create(certreq, force_encap,
- local, FALSE, charon->socket->get_port(charon->socket, FALSE),
- remote, FALSE, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(IKEV2, certreq, force_encap,
+ local, FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ remote, FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO);
add_ike_proposals(this, ike_cfg, id);
return ike_cfg;
}
@@ -370,7 +372,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
if (ike)
{
peer_cfg = peer_cfg_create(
- name, IKEV2, ike, cert_policy, uniqueid,
+ name, ike, cert_policy, uniqueid,
keyingtries, rekeytime, reauthtime, jitter, overtime,
mobike, FALSE, dpd_delay, 0,
mediation, mediated_cfg, peer_id);
diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c
index 6db3258d2..547e7691e 100644
--- a/src/libcharon/plugins/sql/sql_logger.c
+++ b/src/libcharon/plugins/sql/sql_logger.c
@@ -102,7 +102,8 @@ METHOD(logger_t, log_, void,
DB_BLOB, local_host->get_address(local_host),
DB_BLOB, remote_host->get_address(remote_host));
this->db->execute(this->db, NULL, "INSERT INTO logs ("
- "local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
+ "local_spi, `signal`, level, msg) "
+ "VALUES (?, ?, ?, ?)",
DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
DB_TEXT, message);
}
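Review bot: The backtick quoting added around `signal` in the INSERT statement is MySQL identifier syntax, not standard SQL, and nothing in the hunk says why it is there or which backends must accept it. Presumably the column name collides with a reserved word on newer MySQL servers; a short comment above the statement would record that, for example `/* "signal" is quoted because it is a reserved word in MySQL; SQLite also accepts backticks */`. If the plugin is ever pointed at a database that rejects backticks, this statement fails, and the result of `execute()` is not checked here, so log rows would be dropped silently. The statement itself keeps `?` placeholders for all values. The log_ method starts outside this hunk.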
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index cebcd984f..39b3e79d2 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -22,6 +22,7 @@ libstrongswan_stroke_la_SOURCES = \
stroke_ca.h stroke_ca.c \
stroke_attribute.h stroke_attribute.c \
stroke_handler.h stroke_handler.c \
+ stroke_counter.h stroke_counter.c \
stroke_list.h stroke_list.c
libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index f0db20c42..38924708a 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,12 +73,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_stroke_la_LIBADD =
am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \
- stroke_attribute.lo stroke_handler.lo stroke_list.lo
+ stroke_attribute.lo stroke_handler.lo stroke_counter.lo \
+ stroke_list.lo
libstrongswan_stroke_la_OBJECTS = \
$(am_libstrongswan_stroke_la_OBJECTS)
libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -124,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -309,6 +319,7 @@ libstrongswan_stroke_la_SOURCES = \
stroke_ca.h stroke_ca.c \
stroke_attribute.h stroke_attribute.c \
stroke_handler.h stroke_handler.c \
+ stroke_counter.h stroke_counter.c \
stroke_list.h stroke_list.c
libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
@@ -386,7 +397,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES)
+libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) $(EXTRA_libstrongswan_stroke_la_DEPENDENCIES)
$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -399,6 +410,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_ca.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_config.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_control.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_counter.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_handler.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@
@@ -531,10 +543,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c
index 85fb94e9e..0f3c38986 100644
--- a/src/libcharon/plugins/stroke/stroke_attribute.c
+++ b/src/libcharon/plugins/stroke/stroke_attribute.c
@@ -17,7 +17,7 @@
#include "stroke_attribute.h"
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_stroke_attribute_t private_stroke_attribute_t;
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index 763b4cc0f..f8026875f 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -18,7 +18,7 @@
#include "stroke_cred.h"
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/hashers/hasher.h>
#include <daemon.h>
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index e43672b18..9f6124dc9 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -225,14 +225,16 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
ikeport = msg->add_conn.me.ikeport;
ikeport = (ikeport == IKEV2_UDP_PORT) ?
charon->socket->get_port(charon->socket, FALSE) : ikeport;
- ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
+ ike_cfg = ike_cfg_create(msg->add_conn.version,
+ msg->add_conn.other.sendcert != CERT_NEVER_SEND,
msg->add_conn.force_encap,
msg->add_conn.me.address,
msg->add_conn.me.allow_any,
ikeport,
msg->add_conn.other.address,
msg->add_conn.other.allow_any,
- msg->add_conn.other.ikeport);
+ msg->add_conn.other.ikeport,
+ msg->add_conn.fragmentation);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
return ike_cfg;
}
@@ -412,7 +414,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
ca = other_end->ca2;
}
}
- if (id && *id == '%' && !streq(id, "%any"))
+ if (id && *id == '%' && !streq(id, "%any") && !streq(id, "%any6"))
{ /* has only an effect on rightid/2 */
loose = !local;
id++;
@@ -441,7 +443,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
cfg = auth_cfg_create();
- /* add identity and peer certifcate */
+ /* add identity and peer certificate */
identity = identification_create_from_string(id);
if (cert)
{
@@ -707,8 +709,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
/* other.sourceip is managed in stroke_attributes. If it is set, we define
* the pool name as the connection name, which the attribute provider
* uses to serve pool addresses. */
- peer_cfg = peer_cfg_create(msg->add_conn.name,
- msg->add_conn.version, ike_cfg,
+ peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg,
msg->add_conn.me.sendcert, unique,
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
msg->add_conn.mobike, msg->add_conn.aggressive,
@@ -881,10 +882,10 @@ static void add_ts(private_stroke_config_t *this,
}
else
{
- host_t *net;
-
if (!end->subnets)
{
+ host_t *net;
+
net = host_create_from_string(end->address, 0);
if (net)
{
@@ -895,39 +896,24 @@ static void add_ts(private_stroke_config_t *this,
}
else
{
- char *del, *start, *bits;
+ enumerator_t *enumerator;
+ char *subnet;
- start = end->subnets;
- do
+ enumerator = enumerator_create_token(end->subnets, ",", " ");
+ while (enumerator->enumerate(enumerator, &subnet))
{
- int intbits = 0;
-
- del = strchr(start, ',');
- if (del)
- {
- *del = '\0';
- }
- bits = strchr(start, '/');
- if (bits)
+ ts = traffic_selector_create_from_cidr(subnet,
+ end->protocol, end->port);
+ if (ts)
{
- *bits = '\0';
- intbits = atoi(bits + 1);
- }
-
- net = host_create_from_string(start, 0);
- if (net)
- {
- ts = traffic_selector_create_from_subnet(net, intbits,
- end->protocol, end->port);
child_cfg->add_traffic_selector(child_cfg, local, ts);
}
else
{
- DBG1(DBG_CFG, "invalid subnet: %s, skipped", start);
+ DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
}
- start = del + 1;
}
- while (del);
+ enumerator->destroy(enumerator);
}
}
}
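Review bot: An entry in `end->subnets` without a `/bits` suffix was previously built with `intbits = 0`, whereas its width now depends entirely on traffic_selector_create_from_cidr(), which is not visible in this hunk. Because that decides how much traffic the resulting selector covers, the expected input format deserves a comment above the loop, for example `/* each token is <address>[/<bits>]; prefix handling is left to traffic_selector_create_from_cidr() */`. It is also worth confirming that a prefix-less entry yields the intended selector rather than a match-all one. The tokenizer no longer writes NUL bytes into `end->subnets`, so the string stays intact for later use. add_ts starts outside this hunk.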
@@ -1326,4 +1312,3 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
return &this->public;
}
-
diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c
new file mode 100644
index 000000000..56eda945a
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_counter.c
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_counter.h"
+
+#include <threading/spinlock.h>
+
+ENUM(stroke_counter_type_names,
+ COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP,
+ "ikeInitRekey",
+ "ikeRspRekey",
+ "ikeChildSaRekey",
+ "ikeInInvalid",
+ "ikeInInvalidSpi",
+ "ikeInInitReq",
+ "ikeInInitRsp",
+ "ikeOutInitReq",
+ "ikeOutInitRsp",
+ "ikeInAuthReq",
+ "ikeInAuthRsp",
+ "ikeOutAuthReq",
+ "ikeOutAuthRsp",
+ "ikeInCrChildReq",
+ "ikeInCrChildRsp",
+ "ikeOutCrChildReq",
+ "ikeOutCrChildRsp",
+ "ikeInInfoReq",
+ "ikeInInfoRsp",
+ "ikeOutInfoReq",
+ "ikeOutInfoRsp",
+);
+
+typedef struct private_stroke_counter_t private_stroke_counter_t;
+
+/**
+ * Private data of an stroke_counter_t object.
+ */
+struct private_stroke_counter_t {
+
+ /**
+ * Public stroke_counter_t interface.
+ */
+ stroke_counter_t public;
+
+ /**
+ * Counter values
+ */
+ u_int64_t counter[COUNTER_MAX];
+
+ /**
+ * Lock for counter values
+ */
+ spinlock_t *lock;
+};
+
+METHOD(listener_t, alert, bool,
+ private_stroke_counter_t *this, ike_sa_t *ike_sa,
+ alert_t alert, va_list args)
+{
+ stroke_counter_type_t type;
+
+ switch (alert)
+ {
+ case ALERT_INVALID_IKE_SPI:
+ type = COUNTER_IN_INVALID_IKE_SPI;
+ break;
+ case ALERT_PARSE_ERROR_HEADER:
+ case ALERT_PARSE_ERROR_BODY:
+ type = COUNTER_IN_INVALID;
+ break;
+ default:
+ return TRUE;
+ }
+
+ this->lock->lock(this->lock);
+ this->counter[type]++;
+ this->lock->unlock(this->lock);
+
+ return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+ private_stroke_counter_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+ stroke_counter_type_t type;
+ ike_sa_id_t *id;
+
+ id = new->get_id(new);
+ if (id->is_initiator(id))
+ {
+ type = COUNTER_INIT_IKE_SA_REKEY;
+ }
+ else
+ {
+ type = COUNTER_RESP_IKE_SA_REKEY;
+ }
+
+ this->lock->lock(this->lock);
+ this->counter[type]++;
+ this->lock->unlock(this->lock);
+
+ return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+ private_stroke_counter_t *this, ike_sa_t *ike_sa,
+ child_sa_t *old, child_sa_t *new)
+{
+ this->lock->lock(this->lock);
+ this->counter[COUNTER_CHILD_SA_REKEY]++;
+ this->lock->unlock(this->lock);
+
+ return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+ private_stroke_counter_t *this, ike_sa_t *ike_sa, message_t *message,
+ bool incoming, bool plain)
+{
+ stroke_counter_type_t type;
+ bool request;
+
+ if ((incoming && !plain) || (!incoming && !plain))
+ { /* handle each message only once */
+ return TRUE;
+ }
+
+ request = message->get_request(message);
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ if (incoming)
+ {
+ type = request ? COUNTER_IN_IKE_SA_INIT_REQ
+ : COUNTER_IN_IKE_SA_INIT_RSP;
+ }
+ else
+ {
+ type = request ? COUNTER_OUT_IKE_SA_INIT_REQ
+ : COUNTER_OUT_IKE_SA_INIT_RES;
+ }
+ break;
+ case IKE_AUTH:
+ if (incoming)
+ {
+ type = request ? COUNTER_IN_IKE_AUTH_REQ
+ : COUNTER_IN_IKE_AUTH_RSP;
+ }
+ else
+ {
+ type = request ? COUNTER_OUT_IKE_AUTH_REQ
+ : COUNTER_OUT_IKE_AUTH_RSP;
+ }
+ break;
+ case CREATE_CHILD_SA:
+ if (incoming)
+ {
+ type = request ? COUNTER_IN_CREATE_CHILD_SA_REQ
+ : COUNTER_IN_CREATE_CHILD_SA_RSP;
+ }
+ else
+ {
+ type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ
+ : COUNTER_OUT_CREATE_CHILD_SA_RSP;
+ }
+ break;
+ case INFORMATIONAL:
+ if (incoming)
+ {
+ type = request ? COUNTER_IN_INFORMATIONAL_REQ
+ : COUNTER_IN_INFORMATIONAL_RSP;
+ }
+ else
+ {
+ type = request ? COUNTER_OUT_INFORMATIONAL_REQ
+ : COUNTER_OUT_INFORMATIONAL_RSP;
+ }
+ break;
+ default:
+ return TRUE;
+ }
+
+ this->lock->lock(this->lock);
+ this->counter[type]++;
+ this->lock->unlock(this->lock);
+
+ return TRUE;
+}
+
+METHOD(stroke_counter_t, print, void,
+ private_stroke_counter_t *this, FILE *out)
+{
+ u_int64_t counter[COUNTER_MAX];
+ int i;
+
+ /* Take a snapshot to have congruent results, */
+ this->lock->lock(this->lock);
+ for (i = 0; i < countof(this->counter); i++)
+ {
+ counter[i] = this->counter[i];
+ }
+ this->lock->unlock(this->lock);
+
+ fprintf(out, "\nList of IKE counters:\n\n");
+
+ /* but do blocking write without the lock. */
+ for (i = 0; i < countof(this->counter); i++)
+ {
+ fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, i, counter[i]);
+ }
+}
+
+METHOD(stroke_counter_t, destroy, void,
+ private_stroke_counter_t *this)
+{
+ this->lock->destroy(this->lock);
+ free(this);
+}
+
+/**
+ * See header
+ */
+stroke_counter_t *stroke_counter_create()
+{
+ private_stroke_counter_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .alert = _alert,
+ .ike_rekey = _ike_rekey,
+ .child_rekey = _child_rekey,
+ .message = _message_hook,
+ },
+ .print = _print,
+ .destroy = _destroy,
+ },
+ .lock = spinlock_create(),
+ );
+
+ return &this->public;
+}
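Review bot: In print, `counter[i]` is a `u_int64_t` but is formatted with `%12llu`, which expects `unsigned long long`; on platforms where the 64-bit type is `unsigned long` this is a format/argument mismatch. An explicit cast keeps it portable: `fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, i, (unsigned long long)counter[i]);`. In message_hook the guard `(incoming && !plain) || (!incoming && !plain)` reduces to `if (!plain)`, which is easier to read. That guard also means incoming messages are counted only in their plain form; the comment there could say so, since malformed input is counted separately through alert. In stroke_counter_create the `counter` array is not set explicitly and relies on INIT zero-filling the object, which is worth a one-line comment.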
diff --git a/src/libcharon/plugins/stroke/stroke_counter.h b/src/libcharon/plugins/stroke/stroke_counter.h
new file mode 100644
index 000000000..efaae0d6f
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_counter.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_counter stroke_counter
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_COUNTER_H_
+#define STROKE_COUNTER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct stroke_counter_t stroke_counter_t;
+typedef enum stroke_counter_type_t stroke_counter_type_t;
+
+enum stroke_counter_type_t {
+ /** initiated IKE_SA rekeyings */
+ COUNTER_INIT_IKE_SA_REKEY,
+ /** responded IKE_SA rekeyings */
+ COUNTER_RESP_IKE_SA_REKEY,
+ /** completed CHILD_SA rekeyings */
+ COUNTER_CHILD_SA_REKEY,
+ /** messages with invalid types, length, or a value out of range */
+ COUNTER_IN_INVALID,
+ /** messages with an invalid IKE SPI */
+ COUNTER_IN_INVALID_IKE_SPI,
+ /** received IKE_SA_INIT requests */
+ COUNTER_IN_IKE_SA_INIT_REQ,
+ /** received IKE_SA_INIT responses */
+ COUNTER_IN_IKE_SA_INIT_RSP,
+ /** sent IKE_SA_INIT requests */
+ COUNTER_OUT_IKE_SA_INIT_REQ,
+ /** sent IKE_SA_INIT responses */
+ COUNTER_OUT_IKE_SA_INIT_RES,
+ /** received IKE_AUTH requests */
+ COUNTER_IN_IKE_AUTH_REQ,
+ /** received IKE_AUTH responses */
+ COUNTER_IN_IKE_AUTH_RSP,
+ /** sent IKE_AUTH requests */
+ COUNTER_OUT_IKE_AUTH_REQ,
+ /** sent IKE_AUTH responses */
+ COUNTER_OUT_IKE_AUTH_RSP,
+ /** received CREATE_CHILD_SA requests */
+ COUNTER_IN_CREATE_CHILD_SA_REQ,
+ /** received CREATE_CHILD_SA responses */
+ COUNTER_IN_CREATE_CHILD_SA_RSP,
+ /** sent CREATE_CHILD_SA requests */
+ COUNTER_OUT_CREATE_CHILD_SA_REQ,
+ /** sent CREATE_CHILD_SA responses */
+ COUNTER_OUT_CREATE_CHILD_SA_RSP,
+ /** received INFORMATIONAL requests */
+ COUNTER_IN_INFORMATIONAL_REQ,
+ /** received INFORMATIONAL responses */
+ COUNTER_IN_INFORMATIONAL_RSP,
+ /** sent INFORMATIONAL requests */
+ COUNTER_OUT_INFORMATIONAL_REQ,
+ /** sent INFORMATIONAL responses */
+ COUNTER_OUT_INFORMATIONAL_RSP,
+ /** number of counter types */
+ COUNTER_MAX
+};
+
+/**
+ * Collection of counter values for different IKE events.
+ */
+struct stroke_counter_t {
+
+ /**
+ * Implements listener_t.
+ */
+ listener_t listener;
+
+ /**
+ * Print counter values to an output stream.
+ *
+ * @param out output stream to write to
+ */
+ void (*print)(stroke_counter_t *this, FILE *out);
+
+ /**
+ * Destroy a stroke_counter_t.
+ */
+ void (*destroy)(stroke_counter_t *this);
+};
+
+/**
+ * Create a stroke_counter instance.
+ */
+stroke_counter_t *stroke_counter_create();
+
+#endif /** STROKE_COUNTER_H_ @}*/
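Review bot: `COUNTER_OUT_IKE_SA_INIT_RES` is the only response counter ending in `_RES`; every other one uses `_RSP`. Renaming it to `COUNTER_OUT_IKE_SA_INIT_RSP` now, together with its use in message_hook in stroke_counter.c, avoids carrying the inconsistency into other callers. The declaration `stroke_counter_t *stroke_counter_create();` has an empty parameter list, which in C is not a prototype; `stroke_counter_t *stroke_counter_create(void);` lets the compiler reject stray arguments. The header uses `FILE` but includes only `<bus/listeners/listener.h>`, so it appears to rely on a transitive `<stdio.h>`. The enum itself has no doc comment, and `/** Counter types, used as index into the counter array */` would fit the file's style.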
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index ebc09c0d5..c401bc6f1 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -34,7 +34,7 @@
#include <credentials/certificates/ac.h>
#include <credentials/sets/mem_cred.h>
#include <credentials/sets/callback_cred.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/lexparser.h>
#include <threading/rwlock.h>
#include <daemon.h>
@@ -82,35 +82,137 @@ struct private_stroke_cred_t {
bool cachecrl;
};
-METHOD(stroke_cred_t, load_ca, certificate_t*,
- private_stroke_cred_t *this, char *filename)
+/** Length of smartcard specifier parts (module, keyid) */
+#define SC_PART_LEN 128
+
+/**
+ * Kind of smartcard specifier token
+ */
+typedef enum {
+ SC_FORMAT_SLOT_MODULE_KEYID,
+ SC_FORMAT_SLOT_KEYID,
+ SC_FORMAT_KEYID,
+ SC_FORMAT_INVALID,
+} smartcard_format_t;
+
+/**
+ * Parse a smartcard specifier token
+ */
+static smartcard_format_t parse_smartcard(char *smartcard, u_int *slot,
+ char *module, char *keyid)
{
- certificate_t *cert;
- char path[PATH_MAX];
+ /* The token has one of the following three formats:
+ * - %smartcard<slot>@<module>:<keyid>
+ * - %smartcard<slot>:<keyid>
+ * - %smartcard:<keyid>
+ */
+ char buf[2 * SC_PART_LEN], *pos;
- if (*filename == '/')
+ if (sscanf(smartcard, "%%smartcard%u@%255s", slot, buf) == 2)
+ {
+ pos = strchr(buf, ':');
+ if (!pos)
+ {
+ return SC_FORMAT_INVALID;
+ }
+ *pos++ = '\0';
+ snprintf(module, SC_PART_LEN, "%s", buf);
+ snprintf(keyid, SC_PART_LEN, "%s", pos);
+ return SC_FORMAT_SLOT_MODULE_KEYID;
+ }
+ if (sscanf(smartcard, "%%smartcard%u:%127s", slot, keyid) == 2)
{
- snprintf(path, sizeof(path), "%s", filename);
+ return SC_FORMAT_SLOT_KEYID;
}
- else
+ if (sscanf(smartcard, "%%smartcard:%127s", keyid) == 1)
{
- snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+ return SC_FORMAT_KEYID;
}
+ return SC_FORMAT_INVALID;
+}
- if (this->force_ca_cert)
- { /* we treat this certificate as a CA certificate even if it has no
- * CA basic constraint */
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
- BUILD_END);
+/**
+ * Load a credential from a smartcard
+ */
+static certificate_t *load_from_smartcard(smartcard_format_t format,
+ u_int slot, char *module, char *keyid,
+ credential_type_t type, int subtype)
+{
+ chunk_t chunk;
+ void *cred;
+
+ chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+ switch (format)
+ {
+ case SC_FORMAT_SLOT_MODULE_KEYID:
+ cred = lib->creds->create(lib->creds, type, subtype,
+ BUILD_PKCS11_SLOT, slot,
+ BUILD_PKCS11_MODULE, module,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ break;
+ case SC_FORMAT_SLOT_KEYID:
+ cred = lib->creds->create(lib->creds, type, subtype,
+ BUILD_PKCS11_SLOT, slot,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ break;
+ case SC_FORMAT_KEYID:
+ cred = lib->creds->create(lib->creds, type, subtype,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ break;
+ default:
+ cred = NULL;
+ break;
+ }
+ free(chunk.ptr);
+
+ return cred;
+}
+
+METHOD(stroke_cred_t, load_ca, certificate_t*,
+ private_stroke_cred_t *this, char *filename)
+{
+ certificate_t *cert = NULL;
+ char path[PATH_MAX];
+
+ if (strneq(filename, "%smartcard", strlen("%smartcard")))
+ {
+ smartcard_format_t format;
+ char module[SC_PART_LEN], keyid[SC_PART_LEN];
+ u_int slot;
+
+ format = parse_smartcard(filename, &slot, module, keyid);
+ if (format != SC_FORMAT_INVALID)
+ {
+ cert = (certificate_t*)load_from_smartcard(format,
+ slot, module, keyid, CRED_CERTIFICATE, CERT_X509);
+ }
}
else
{
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, path,
- BUILD_END);
+ if (*filename == '/')
+ {
+ snprintf(path, sizeof(path), "%s", filename);
+ }
+ else
+ {
+ snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+ }
+
+ if (this->force_ca_cert)
+ { /* we treat this certificate as a CA certificate even if it has no
+ * CA basic constraint */
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
+ BUILD_END);
+ }
+ else
+ {
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, path,
+ BUILD_END);
+ }
}
if (cert)
{
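Review bot: The sscanf field widths in parse_smartcard (`%255s`, `%127s`) are literals that merely match `2 * SC_PART_LEN` and `SC_PART_LEN`, and `module` and `keyid` arrive as bare pointers, so nothing ties the callers' buffers to those widths. A later change to SC_PART_LEN, or a caller passing a smaller buffer, would turn this into an overflow. The function comment should state the contract, e.g. `module and keyid must each point to at least SC_PART_LEN bytes`, with a note beside the define that the sscanf widths must be kept in step. load_from_smartcard is declared as returning `certificate_t*` but returns whatever `lib->creds->create()` builds for the requested type (load_pin casts it to `private_key_t*`), so `void*` would describe it honestly. In load_ca an invalid `%smartcard` specifier leaves `cert` NULL and, as far as the visible lines show, returns without a log line; load_peer in the later hunk has the same shape, and load_ca's body continues outside this hunk.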
@@ -123,6 +225,8 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
cert->destroy(cert);
return NULL;
}
+ DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s",
+ cert->get_subject(cert), filename);
return this->creds->add_cert_ref(this->creds, TRUE, cert);
}
return NULL;
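Review bot: The format string of the added DBG1 call opens a single quote before `%s` and never closes it, so every log line ends in an unbalanced `'`. The string should read `" loaded ca certificate \"%Y\" from '%s'"`. The surrounding load_ca body starts outside this hunk.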
@@ -131,22 +235,38 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
METHOD(stroke_cred_t, load_peer, certificate_t*,
private_stroke_cred_t *this, char *filename)
{
- certificate_t *cert;
+ certificate_t *cert = NULL;
char path[PATH_MAX];
- if (*filename == '/')
+ if (strneq(filename, "%smartcard", strlen("%smartcard")))
{
- snprintf(path, sizeof(path), "%s", filename);
+ smartcard_format_t format;
+ char module[SC_PART_LEN], keyid[SC_PART_LEN];
+ u_int slot;
+
+ format = parse_smartcard(filename, &slot, module, keyid);
+ if (format != SC_FORMAT_INVALID)
+ {
+ cert = (certificate_t*)load_from_smartcard(format,
+ slot, module, keyid, CRED_CERTIFICATE, CERT_X509);
+ }
}
else
{
- snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
- }
+ if (*filename == '/')
+ {
+ snprintf(path, sizeof(path), "%s", filename);
+ }
+ else
+ {
+ snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
+ }
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_ANY,
- BUILD_FROM_FILE, path,
- BUILD_END);
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_ANY,
+ BUILD_FROM_FILE, path,
+ BUILD_END);
+ }
if (cert)
{
cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
@@ -585,7 +705,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
FILE *prompt)
{
chunk_t sc = chunk_empty, secret = chunk_empty;
- char smartcard[64], keyid[64], module[64], *pos;
+ char smartcard[BUF_LEN], keyid[SC_PART_LEN], module[SC_PART_LEN];
private_key_t *key = NULL;
u_int slot;
chunk_t chunk;
@@ -594,11 +714,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
mem_cred_t *mem = NULL;
callback_cred_t *cb = NULL;
pin_cb_data_t pin_data;
- enum {
- SC_FORMAT_SLOT_MODULE_KEYID,
- SC_FORMAT_SLOT_KEYID,
- SC_FORMAT_KEYID,
- } format;
+ smartcard_format_t format;
err_t ugh = extract_value(&sc, &line);
@@ -615,33 +731,8 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
snprintf(smartcard, sizeof(smartcard), "%.*s", (int)sc.len, sc.ptr);
smartcard[sizeof(smartcard) - 1] = '\0';
- /* parse slot and key id. Three formats are supported:
- * - %smartcard<slot>@<module>:<keyid>
- * - %smartcard<slot>:<keyid>
- * - %smartcard:<keyid>
- */
- if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2)
- {
- pos = strchr(module, ':');
- if (!pos)
- {
- DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is "
- "invalid", line_nr);
- return FALSE;
- }
- *pos = '\0';
- strncpy(keyid, pos + 1, sizeof(keyid));
- format = SC_FORMAT_SLOT_MODULE_KEYID;
- }
- else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
- {
- format = SC_FORMAT_SLOT_KEYID;
- }
- else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
- {
- format = SC_FORMAT_KEYID;
- }
- else
+ format = parse_smartcard(smartcard, &slot, module, keyid);
+ if (format == SC_FORMAT_INVALID)
{
DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
" supported or invalid", line_nr);
@@ -666,7 +757,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
free(secret.ptr);
if (!prompt)
{ /* no IO channel to prompt, skip */
- free(chunk.ptr);
+ chunk_clear(&chunk);
return TRUE;
}
/* use callback credential set to prompt for the pin */
@@ -688,27 +779,8 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
}
/* unlock: smartcard needs the pin and potentially calls public set */
- switch (format)
- {
- case SC_FORMAT_SLOT_MODULE_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_MODULE, module,
- BUILD_PKCS11_KEYID, chunk, BUILD_END);
- break;
- case SC_FORMAT_SLOT_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_KEYID, chunk, BUILD_END);
- break;
- case SC_FORMAT_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_KEYID, chunk, BUILD_END);
- break;
- }
+ key = (private_key_t*)load_from_smartcard(format, slot, module, keyid,
+ CRED_PRIVATE_KEY, KEY_ANY);
if (mem)
{
lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
@@ -719,6 +791,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
cb->destroy(cb);
}
+ chunk_clear(&chunk);
if (key)
{
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
index 83e648819..c37d05808 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -27,7 +27,7 @@
#include <stroke_msg.h>
#include <credentials/credential_set.h>
#include <credentials/certificates/certificate.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct stroke_cred_t stroke_cred_t;
diff --git a/src/libcharon/plugins/stroke/stroke_handler.c b/src/libcharon/plugins/stroke/stroke_handler.c
index 523151efb..fef8cab67 100644
--- a/src/libcharon/plugins/stroke/stroke_handler.c
+++ b/src/libcharon/plugins/stroke/stroke_handler.c
@@ -16,7 +16,7 @@
#include "stroke_handler.h"
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_stroke_handler_t private_stroke_handler_t;
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c012ff25d..b3a20a6c7 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -25,7 +25,7 @@
#include <hydra.h>
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <plugins/plugin.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/ac.h>
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 241f0fbf6..2771f0146 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -29,7 +29,7 @@
#include <threading/mutex.h>
#include <threading/thread.h>
#include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
#include "stroke_config.h"
@@ -39,6 +39,7 @@
#include "stroke_attribute.h"
#include "stroke_handler.h"
#include "stroke_list.h"
+#include "stroke_counter.h"
/**
* To avoid clogging the thread pool with (blocking) jobs, we limit the number
@@ -123,6 +124,11 @@ struct private_stroke_socket_t {
* status information logging
*/
stroke_list_t *list;
+
+ /**
+ * Counter values for IKE events
+ */
+ stroke_counter_t *counter;
};
/**
@@ -389,6 +395,10 @@ static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *
this->ca->list(this->ca, msg, out);
}
this->list->list(this->list, msg, out);
+ if (msg->list.flags & LIST_COUNTERS)
+ {
+ this->counter->print(this->counter, out);
+ }
}
/**
@@ -500,9 +510,6 @@ static void stroke_user_creds(private_stroke_socket_t *this,
static void stroke_loglevel(private_stroke_socket_t *this,
stroke_msg_t *msg, FILE *out)
{
- enumerator_t *enumerator;
- sys_logger_t *sys_logger;
- file_logger_t *file_logger;
debug_t group;
pop_string(msg, &(msg->loglevel.type));
@@ -515,21 +522,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
return;
}
- /* we set the loglevel on ALL sys- and file-loggers */
- enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
- while (enumerator->enumerate(enumerator, &sys_logger))
- {
- sys_logger->set_level(sys_logger, group, msg->loglevel.level);
- charon->bus->add_logger(charon->bus, &sys_logger->logger);
- }
- enumerator->destroy(enumerator);
- enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
- while (enumerator->enumerate(enumerator, &file_logger))
- {
- file_logger->set_level(file_logger, group, msg->loglevel.level);
- charon->bus->add_logger(charon->bus, &file_logger->logger);
- }
- enumerator->destroy(enumerator);
+ charon->set_level(charon, group, msg->loglevel.level);
}
/**
@@ -798,6 +791,7 @@ METHOD(stroke_socket_t, destroy, void,
charon->backends->remove_backend(charon->backends, &this->config->backend);
hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+ charon->bus->remove_listener(charon->bus, &this->counter->listener);
this->cred->destroy(this->cred);
this->ca->destroy(this->ca);
this->config->destroy(this->config);
@@ -805,6 +799,7 @@ METHOD(stroke_socket_t, destroy, void,
this->handler->destroy(this->handler);
this->control->destroy(this->control);
this->list->destroy(this->list);
+ this->counter->destroy(this->counter);
free(this);
}
@@ -834,6 +829,7 @@ stroke_socket_t *stroke_socket_create()
this->config = stroke_config_create(this->ca, this->cred, this->attribute);
this->control = stroke_control_create();
this->list = stroke_list_create(this->attribute);
+ this->counter = stroke_counter_create();
this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
@@ -847,6 +843,7 @@ stroke_socket_t *stroke_socket_create()
charon->backends->add_backend(charon->backends, &this->config->backend);
hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+ charon->bus->add_listener(charon->bus, &this->counter->listener);
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, this,
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 5ead4379a..6d2802c65 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -378,7 +387,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES)
+libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_ifmap_la_DEPENDENCIES)
$(libstrongswan_tnc_ifmap_la_LINK) $(am_libstrongswan_tnc_ifmap_la_rpath) $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -517,10 +526,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index eac285ca3..9cd1ec381 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -18,7 +18,7 @@
#include <daemon.h>
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnc_ifmap_listener_t private_tnc_ifmap_listener_t;
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index b13193612..33480bb85 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -15,7 +15,7 @@
#include "tnc_ifmap_soap.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
#include <axis2_util.h>
@@ -584,7 +584,7 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
* update or delete capability metadata
*/
e1 = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
- while (e1->enumerate(e1, &auth))
+ while (e1->enumerate(e1, &auth) && (first || up))
{
e2 = auth->create_enumerator(auth);
while (e2->enumerate(e2, &type, &group))
@@ -621,10 +621,6 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
axiom_node_add_child(node2, this->env,
create_capability(this, group));
}
- if (!first && !up)
- {
- break;
- }
}
e2->destroy(e2);
}
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
index 4bf421e33..4efdc779f 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
@@ -15,14 +15,14 @@
/**
* @defgroup tnc_ifmap_soap tnc_ifmap_soap
- * @{ @ingroup tnc_ifmap
+ * @{ @ingroup tnc_ifmap
*/
#ifndef TNC_IFMAP_SOAP_H_
#define TNC_IFMAP_SOAP_H_
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <sa/ike_sa.h>
typedef struct tnc_ifmap_soap_t tnc_ifmap_soap_t;
@@ -47,7 +47,7 @@ struct tnc_ifmap_soap_t {
bool (*purgePublisher)(tnc_ifmap_soap_t *this);
/**
- * Publish metadata about established/deleted IKE_SAs
+ * Publish metadata about established/deleted IKE_SAs
*
* @param ike_sa IKE_SA for which metadate is published
* @param up TRUE if IKE_SEA is up, FALSE if down
@@ -56,7 +56,7 @@ struct tnc_ifmap_soap_t {
bool (*publish_ike_sa)(tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool up);
/**
- * Publish PEP device-ip metadata
+ * Publish PEP device-ip metadata
*
* @param host IP address of local endpoint
* @return TRUE if command was successful
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index 00c0d0d61..b21cbb348 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tnc_imc_la_DEPENDENCIES = \
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -384,7 +393,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES)
+libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imc_la_DEPENDENCIES)
$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -524,10 +533,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c
index a1f2d770f..9ac578401 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c
@@ -20,9 +20,10 @@
#include <tncif_pa_subtypes.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
typedef struct private_tnc_imc_t private_tnc_imc_t;
@@ -38,11 +39,6 @@ struct private_tnc_imc_t {
imc_t public;
/**
- * Path of loaded IMC
- */
- char *path;
-
- /**
* Name of loaded IMC
*/
char *name;
@@ -291,10 +287,10 @@ METHOD(imc_t, type_supported, bool,
for (i = 0; i < this->type_count; i++)
{
- vid = this->supported_vids[i];
- subtype = this->supported_subtypes[i];
+ vid = this->supported_vids[i];
+ subtype = this->supported_subtypes[i];
- if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+ if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
(vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
subtype == msg_subtype)))
{
@@ -307,20 +303,23 @@ METHOD(imc_t, type_supported, bool,
METHOD(imc_t, destroy, void,
private_tnc_imc_t *this)
{
- dlclose(this->handle);
+ if (this->handle && lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnc-imc.dlclose", TRUE, charon->name))
+ {
+ dlclose(this->handle);
+ }
this->mutex->destroy(this->mutex);
this->additional_ids->destroy(this->additional_ids);
free(this->supported_vids);
free(this->supported_subtypes);
free(this->name);
- free(this->path);
free(this);
}
/**
- * Described in header.
+ * Generic constructor
*/
-imc_t* tnc_imc_create(char *name, char *path)
+static private_tnc_imc_t* tnc_imc_create_empty(char *name)
{
private_tnc_imc_t *this;
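Review bot: Nothing at the new condition in `destroy()` says why `dlclose()` can be switched off through `%s.plugins.tnc-imc.dlclose`, or that the library then stays mapped for the life of the process. The error paths of `tnc_imc_create()` in the next hunk now go through `destroy()` too, so a library rejected for a missing entry point is also left loaded when the option is false. A short comment above the `if` would cover it, e.g. `/* unloading is optional (plugins.tnc-imc.dlclose); if disabled the IMC library stays mapped until exit */`. `tnc_imc_create_empty()` continues past the end of this hunk.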
@@ -335,59 +334,96 @@ imc_t* tnc_imc_create(char *name, char *path)
.set_message_types_long = _set_message_types_long,
.type_supported = _type_supported,
.destroy = _destroy,
- },
- .name = name,
- .path = path,
+ },
+ .name = strdup(name),
.additional_ids = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
+ return this;
+}
+
+/**
+ * See header
+ */
+imc_t* tnc_imc_create(char *name, char *path)
+{
+ private_tnc_imc_t *this;
+
+ this = tnc_imc_create_empty(name);
+
this->handle = dlopen(path, RTLD_LAZY);
if (!this->handle)
{
DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror());
- free(this);
+ destroy(this);
return NULL;
}
this->public.initialize = dlsym(this->handle, "TNC_IMC_Initialize");
if (!this->public.initialize)
- {
+ {
DBG1(DBG_TNC, "could not resolve TNC_IMC_Initialize in %s: %s\n",
path, dlerror());
- dlclose(this->handle);
- free(this);
+ destroy(this);
return NULL;
}
this->public.notify_connection_change =
dlsym(this->handle, "TNC_IMC_NotifyConnectionChange");
- this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
+ this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
if (!this->public.begin_handshake)
- {
+ {
DBG1(DBG_TNC, "could not resolve TNC_IMC_BeginHandshake in %s: %s\n",
path, dlerror());
- dlclose(this->handle);
- free(this);
+ destroy(this);
return NULL;
}
- this->public.receive_message =
+ this->public.receive_message =
dlsym(this->handle, "TNC_IMC_ReceiveMessage");
- this->public.receive_message_long =
+ this->public.receive_message_long =
dlsym(this->handle, "TNC_IMC_ReceiveMessageLong");
- this->public.batch_ending =
+ this->public.batch_ending =
dlsym(this->handle, "TNC_IMC_BatchEnding");
- this->public.terminate =
+ this->public.terminate =
dlsym(this->handle, "TNC_IMC_Terminate");
- this->public.provide_bind_function =
+ this->public.provide_bind_function =
dlsym(this->handle, "TNC_IMC_ProvideBindFunction");
- if (!this->public.provide_bind_function)
+ if (!this->public.provide_bind_function)
{
DBG1(DBG_TNC, "could not resolve TNC_IMC_ProvideBindFunction in %s: %s\n",
path, dlerror());
- dlclose(this->handle);
- free(this);
+ destroy(this);
return NULL;
}
return &this->public;
}
+
+/**
+ * See header
+ */
+imc_t* tnc_imc_create_from_functions(char *name,
+ TNC_IMC_InitializePointer initialize,
+ TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMC_BeginHandshakePointer begin_handshake,
+ TNC_IMC_ReceiveMessagePointer receive_message,
+ TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMC_BatchEndingPointer batch_ending,
+ TNC_IMC_TerminatePointer terminate,
+ TNC_IMC_ProvideBindFunctionPointer provide_bind_function)
+{
+ private_tnc_imc_t *this;
+
+ this = tnc_imc_create_empty(name);
+
+ this->public.initialize = initialize;
+ this->public.notify_connection_change = notify_connection_change;
+ this->public.begin_handshake = begin_handshake;
+ this->public.receive_message = receive_message;
+ this->public.receive_message_long = receive_message_long;
+ this->public.batch_ending = batch_ending;
+ this->public.terminate = terminate;
+ this->public.provide_bind_function = provide_bind_function;
+
+ return &this->public;
+}
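Review bot: `tnc_imc_create_from_functions()` stores the caller's pointers unchecked, while `tnc_imc_create()` in the same hunk refuses an IMC whose `TNC_IMC_Initialize`, `TNC_IMC_BeginHandshake` or `TNC_IMC_ProvideBindFunction` cannot be resolved. The manager's `add()` calls `imc->initialize` and `imc->provide_bind_function` unconditionally, and its `begin_handshake()` calls `imc->begin_handshake` for every list entry, so a NULL passed here becomes a call through a NULL pointer inside the daemon. I would reject it before allocating anything: `if (!initialize || !begin_handshake || !provide_bind_function) { return NULL; }`. That also gives the `if (!imc)` check in `load_from_functions` a case it can actually hit.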
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.h b/src/libcharon/plugins/tnc_imc/tnc_imc.h
index 10a67f90b..2d4607e77 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.h
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.h
@@ -25,7 +25,7 @@
#include <tnc/imc/imc.h>
/**
- * Create an Integrity Measurement Collector.
+ * Create an Integrity Measurement Collector loaded from a library.
*
* @param name name of the IMC
* @param filename path to the dynamic IMC library
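Review bot: The comment for `tnc_imc_create()` does not mention the ownership change this commit makes. The constructor now stores `strdup(name)` and no longer keeps `path`, and `load()` in tnc_imc_manager.c stops freeing both strings on failure. Callers that used to hand over heap-allocated strings now have to free them themselves; those callers are not visible in this part of the diff, so this is worth checking for leaks. I would state it in the parameter docs, e.g. `@param name name of the IMC (copied, caller keeps ownership)` and `@param filename path to the dynamic IMC library (not retained)`.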
@@ -33,4 +33,28 @@
*/
imc_t* tnc_imc_create(char *name, char *filename);
+/**
+ * Create an Integrity Measurement Collector from a set of IMC functions.
+ *
+ * @param name name of the IMC
+ * @param initialize TNC_IMC_InitializePointer
+ * @param notify_connection_change TNC_IMC_NotifyConnectionChangePointer
+ * @param begin_handshake TNC_IMC_BeginHandshakePointer
+ * @param receive_message TNC_IMC_ReceiveMessagePointer
+ * @param receive_message_long TNC_IMC_ReceiveMessageLongPointer
+ * @param batch_ending TNC_IMC_BatchEndingPointer
+ * @param terminate TNC_IMC_TerminatePointer
+ * @param provide_bind_function TNC_IMC_ProvideBindFunctionPointer
+ * @return instance of the imc_t interface
+ */
+imc_t* tnc_imc_create_from_functions(char *name,
+ TNC_IMC_InitializePointer initialize,
+ TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMC_BeginHandshakePointer begin_handshake,
+ TNC_IMC_ReceiveMessagePointer receive_message,
+ TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMC_BatchEndingPointer batch_ending,
+ TNC_IMC_TerminatePointer terminate,
+ TNC_IMC_ProvideBindFunctionPointer provide_bind_function);
+
#endif /** TNC_IMC_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
index 90a607ccc..26a5ed2b4 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
@@ -17,7 +17,7 @@
#include <tnc/imc/imc_manager.h>
#include <tnc/tnccs/tnccs_manager.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* Called by the IMC to inform a TNCC about the set of message types the IMC
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
index 65ec81dae..078f7bc34 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
@@ -19,9 +19,11 @@
#include <tncifimc.h>
-#include <utils/linked_list.h>
-#include <debug.h>
#include <daemon.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
typedef struct private_tnc_imc_manager_t private_tnc_imc_manager_t;
@@ -41,36 +43,56 @@ struct private_tnc_imc_manager_t {
linked_list_t *imcs;
/**
+ * Lock to access IMC list
+ */
+ rwlock_t *lock;
+
+ /**
* Next IMC ID to be assigned
*/
TNC_IMCID next_imc_id;
+
+ /**
+ * Mutex to access next IMC ID
+ */
+ mutex_t *id_mutex;
};
METHOD(imc_manager_t, add, bool,
private_tnc_imc_manager_t *this, imc_t *imc)
{
TNC_Version version;
+ TNC_IMCID imc_id;
+
+ this->id_mutex->lock(this->id_mutex);
+ imc_id = this->next_imc_id++;
+ this->id_mutex->unlock(this->id_mutex);
- /* Initialize the module */
- imc->set_id(imc, this->next_imc_id);
- if (imc->initialize(imc->get_id(imc), TNC_IFIMC_VERSION_1,
- TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+ imc->set_id(imc, imc_id);
+ if (imc->initialize(imc_id, TNC_IFIMC_VERSION_1,
+ TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
{
DBG1(DBG_TNC, "IMC \"%s\" failed to initialize", imc->get_name(imc));
return FALSE;
}
+ this->lock->write_lock(this->lock);
this->imcs->insert_last(this->imcs, imc);
- this->next_imc_id++;
+ this->lock->unlock(this->lock);
- if (imc->provide_bind_function(imc->get_id(imc), TNC_TNCC_BindFunction)
- != TNC_RESULT_SUCCESS)
+ if (imc->provide_bind_function(imc->get_id(imc),
+ TNC_TNCC_BindFunction) != TNC_RESULT_SUCCESS)
{
+ if (imc->terminate)
+ {
+ imc->terminate(imc->get_id(imc));
+ }
DBG1(DBG_TNC, "IMC \"%s\" failed to obtain bind function",
- imc->get_name(imc));
+ imc->get_name(imc));
+ this->lock->write_lock(this->lock);
this->imcs->remove_last(this->imcs, (void**)&imc);
+ this->lock->unlock(this->lock);
return FALSE;
}
-
return TRUE;
}
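Review bot: In `add()`, the `provide_bind_function` failure path takes the entry out with `remove_last()` after the write lock has been released and re-acquired. If another thread runs `add()` in between, which the new locking suggests is possible, that thread's IMC is removed instead and the failed one stays in the list, where `load()` then destroys it and leaves a dangling entry. Removing by pointer under the same write lock avoids that: `this->imcs->remove(this->imcs, imc, NULL);`. `imc->terminate()` is also called while the entry is still in the list and reachable by readers, so I would remove it from the list first and terminate afterwards.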
@@ -80,6 +102,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
enumerator_t *enumerator;
imc_t *imc, *removed_imc = NULL;
+ this->lock->write_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
@@ -91,6 +114,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return removed_imc;
}
@@ -103,18 +127,10 @@ METHOD(imc_manager_t, load, bool,
imc = tnc_imc_create(name, path);
if (!imc)
{
- free(name);
- free(path);
return FALSE;
}
if (!add(this, imc))
{
- if (imc->terminate &&
- imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS)
- {
- DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully",
- imc->get_name(imc));
- }
imc->destroy(imc);
return FALSE;
}
@@ -122,6 +138,37 @@ METHOD(imc_manager_t, load, bool,
return TRUE;
}
+METHOD(imc_manager_t, load_from_functions, bool,
+ private_tnc_imc_manager_t *this, char *name,
+ TNC_IMC_InitializePointer initialize,
+ TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMC_BeginHandshakePointer begin_handshake,
+ TNC_IMC_ReceiveMessagePointer receive_message,
+ TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMC_BatchEndingPointer batch_ending,
+ TNC_IMC_TerminatePointer terminate,
+ TNC_IMC_ProvideBindFunctionPointer provide_bind_function)
+{
+ imc_t *imc;
+
+ imc = tnc_imc_create_from_functions(name,
+ initialize, notify_connection_change,
+ begin_handshake, receive_message,
+ receive_message_long, batch_ending,
+ terminate, provide_bind_function);
+ if (!imc)
+ {
+ return FALSE;
+ }
+ if (!add(this, imc))
+ {
+ imc->destroy(imc);
+ return FALSE;
+ }
+ DBG1(DBG_TNC, "IMC %u \"%s\" loaded", imc->get_id(imc), name);
+ return TRUE;
+}
+
METHOD(imc_manager_t, is_registered, bool,
private_tnc_imc_manager_t *this, TNC_IMCID id)
{
@@ -129,6 +176,7 @@ METHOD(imc_manager_t, is_registered, bool,
imc_t *imc;
bool found = FALSE;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
@@ -139,6 +187,7 @@ METHOD(imc_manager_t, is_registered, bool,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return found;
}
@@ -150,13 +199,16 @@ METHOD(imc_manager_t, reserve_id, bool,
imc_t *imc;
bool found = FALSE;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
- if (imc->get_id(imc))
+ if (id == imc->get_id(imc))
{
found = TRUE;
+ this->id_mutex->lock(this->id_mutex);
*new_id = this->next_imc_id++;
+ this->id_mutex->unlock(this->id_mutex);
imc->add_id(imc, *new_id);
DBG2(DBG_TNC, "additional ID %u reserved for IMC with primary ID %u",
*new_id, id);
@@ -164,6 +216,7 @@ METHOD(imc_manager_t, reserve_id, bool,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return found;
}
@@ -182,6 +235,7 @@ METHOD(imc_manager_t, notify_connection_change, void,
enumerator_t *enumerator;
imc_t *imc;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
@@ -191,6 +245,7 @@ METHOD(imc_manager_t, notify_connection_change, void,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
METHOD(imc_manager_t, begin_handshake, void,
@@ -199,12 +254,14 @@ METHOD(imc_manager_t, begin_handshake, void,
enumerator_t *enumerator;
imc_t *imc;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
imc->begin_handshake(imc->get_id(imc), id);
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
METHOD(imc_manager_t, set_message_types, TNC_Result,
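Review bot: The read lock is held while the IMC's own `begin_handshake` entry point runs, and the same pattern is added in `notify_connection_change`, `receive_message` and `batch_ending`. IMC code is external to the daemon and may call back into the manager from there; `reserve_id` and `set_message_types` take the same lock for reading. Whether such a nested read acquisition can block behind a writer waiting in `add()` or `remove_()` depends on the rwlock implementation, which this diff does not show. A comment on the `lock` member would make the rule explicit, e.g. `/* held for reading while IMC callbacks run; callbacks must not add or remove IMCs */`. The opening lines of `begin_handshake` are outside this hunk.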
@@ -216,6 +273,7 @@ METHOD(imc_manager_t, set_message_types, TNC_Result,
imc_t *imc;
TNC_Result result = TNC_RESULT_FATAL;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
@@ -227,6 +285,7 @@ METHOD(imc_manager_t, set_message_types, TNC_Result,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return result;
}
@@ -240,6 +299,7 @@ METHOD(imc_manager_t, set_message_types_long, TNC_Result,
imc_t *imc;
TNC_Result result = TNC_RESULT_FATAL;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
@@ -252,6 +312,7 @@ METHOD(imc_manager_t, set_message_types_long, TNC_Result,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return result;
}
@@ -271,11 +332,12 @@ METHOD(imc_manager_t, receive_message, void,
enumerator_t *enumerator;
imc_t *imc;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
if (imc->type_supported(imc, msg_vid, msg_subtype) &&
- (!excl || (excl && imc->has_id(imc, dst_imc_id)) ))
+ (!excl || (excl && imc->has_id(imc, dst_imc_id))))
{
if (imc->receive_message_long && src_imv_id)
{
@@ -297,6 +359,8 @@ METHOD(imc_manager_t, receive_message, void,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
if (!type_supported)
{
DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMC",
@@ -310,6 +374,7 @@ METHOD(imc_manager_t, batch_ending, void,
enumerator_t *enumerator;
imc_t *imc;
+ this->lock->read_lock(this->lock);
enumerator = this->imcs->create_enumerator(this->imcs);
while (enumerator->enumerate(enumerator, &imc))
{
@@ -319,6 +384,7 @@ METHOD(imc_manager_t, batch_ending, void,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
METHOD(imc_manager_t, destroy, void,
@@ -337,6 +403,8 @@ METHOD(imc_manager_t, destroy, void,
imc->destroy(imc);
}
this->imcs->destroy(this->imcs);
+ this->lock->destroy(this->lock);
+ this->id_mutex->destroy(this->id_mutex);
free(this);
}
@@ -352,6 +420,7 @@ imc_manager_t* tnc_imc_manager_create(void)
.add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */
.load = _load,
+ .load_from_functions = _load_from_functions,
.is_registered = _is_registered,
.reserve_id = _reserve_id,
.get_preferred_language = _get_preferred_language,
@@ -364,6 +433,8 @@ imc_manager_t* tnc_imc_manager_create(void)
.destroy = _destroy,
},
.imcs = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.next_imc_id = 1,
);
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 13b011101..6e0133c2d 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tnc_imv_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -386,7 +395,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES)
+libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imv_la_DEPENDENCIES)
$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -527,10 +536,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
index f0b150743..ef0387d70 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -20,9 +20,10 @@
#include <tncif_pa_subtypes.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
typedef struct private_tnc_imv_t private_tnc_imv_t;
@@ -38,11 +39,6 @@ struct private_tnc_imv_t {
imv_t public;
/**
- * Path of loaded IMV
- */
- char *path;
-
- /**
* Name of loaded IMV
*/
char *name;
@@ -287,10 +283,10 @@ METHOD(imv_t, type_supported, bool,
for (i = 0; i < this->type_count; i++)
{
- vid = this->supported_vids[i];
- subtype = this->supported_subtypes[i];
+ vid = this->supported_vids[i];
+ subtype = this->supported_subtypes[i];
- if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+ if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
(vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
subtype == msg_subtype)))
{
@@ -303,20 +299,23 @@ METHOD(imv_t, type_supported, bool,
METHOD(imv_t, destroy, void,
private_tnc_imv_t *this)
{
- dlclose(this->handle);
+ if (this->handle && lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnc-imv.dlclose", TRUE, charon->name))
+ {
+ dlclose(this->handle);
+ }
this->mutex->destroy(this->mutex);
this->additional_ids->destroy_function(this->additional_ids, free);
free(this->supported_vids);
free(this->supported_subtypes);
free(this->name);
- free(this->path);
free(this);
}
/**
- * Described in header.
+ * Generic constructor.
*/
-imv_t* tnc_imv_create(char *name, char *path)
+static private_tnc_imv_t* tnc_imv_create_empty(char *name)
{
private_tnc_imv_t *this;
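Review bot: The guarded `dlclose()` in destroy() has no comment saying when `this->handle` is NULL or why unloading is optional. Within this commit the handle stays NULL after a failed `dlopen()` and for IMVs built by `tnc_imv_create_from_functions()`, so a line such as `/* no handle for function-based IMVs or after a failed dlopen() */` above the `if` would do. The `%s.plugins.tnc-imv.dlclose` key defaults to TRUE; its purpose is not visible in this hunk and presumably belongs in the strongswan.conf documentation. `tnc_imv_create_empty()` starts in this hunk and continues in the next one.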
@@ -332,17 +331,28 @@ imv_t* tnc_imv_create(char *name, char *path)
.type_supported = _type_supported,
.destroy = _destroy,
},
- .name = name,
- .path = path,
+ .name = strdup(name),
.additional_ids = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
+ return this;
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create(char *name, char *path)
+{
+ private_tnc_imv_t *this;
+
+ this = tnc_imv_create_empty(name);
+
this->handle = dlopen(path, RTLD_LAZY);
if (!this->handle)
{
DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
- free(this);
+ destroy(this);
return NULL;
}
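Review bot: `.name = strdup(name)` changes the ownership contract of tnc_imv_create() without documenting it. The name is now copied and `path` is no longer stored, so a caller that previously handed over heap strings (load() in the manager used to free them only on failure) now has to free them itself. The header comment should say so, e.g. `@param name name of the IMV (copied, caller keeps ownership)`, and likewise for `filename`. The strdup() result is also unchecked, so an allocation failure yields an object with a NULL name; whether get_name() users tolerate that is not visible here. tnc_imv_create() continues past the end of this hunk.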
@@ -351,8 +361,7 @@ imv_t* tnc_imv_create(char *name, char *path)
{
DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
path, dlerror());
- dlclose(this->handle);
- free(this);
+ destroy(this);
return NULL;
}
this->public.notify_connection_change =
@@ -363,8 +372,7 @@ imv_t* tnc_imv_create(char *name, char *path)
{
DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
path, dlerror());
- dlclose(this->handle);
- free(this);
+ destroy(this);
return NULL;
}
this->public.receive_message =
@@ -381,10 +389,38 @@ imv_t* tnc_imv_create(char *name, char *path)
{
DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
path, dlerror());
- dlclose(this->handle);
- free(this);
+ destroy(this);
return NULL;
}
return &this->public;
}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+ private_tnc_imv_t *this;
+
+ this = tnc_imv_create_empty(name);
+
+ this->public.initialize = initialize;
+ this->public.notify_connection_change = notify_connection_change;
+ this->public.receive_message = receive_message;
+ this->public.receive_message_long = receive_message_long;
+ this->public.solicit_recommendation = solicit_recommendation;
+ this->public.batch_ending = batch_ending;
+ this->public.terminate = terminate;
+ this->public.provide_bind_function = provide_bind_function;
+
+ return &this->public;
+}
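Review bot: tnc_imv_create_from_functions() stores all eight pointers unchecked, whereas tnc_imv_create() refuses a library that lacks TNC_IMV_Initialize, TNC_IMV_SolicitRecommendation or TNC_IMV_ProvideBindFunction. The manager code in this commit calls `imv->initialize`, `imv->provide_bind_function` and `imv->solicit_recommendation` without a NULL test, so a caller passing NULL for one of them gets a call through a NULL function pointer instead of a failed load. A guard before `tnc_imv_create_empty(name)` keeps the two constructors consistent: `if (!initialize || !solicit_recommendation || !provide_bind_function) return NULL;`. load_from_functions() already handles a NULL return. The header comment could also state which of the remaining pointers may be NULL.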
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h
index 75939e54c..e7c7b8b4f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.h
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h
@@ -25,7 +25,7 @@
#include <tnc/imv/imv.h>
/**
- * Create an Integrity Measurement Verifier.
+ * Create an Integrity Measurement Verifier loaded from a library.
*
* @param name name of the IMV
* @param filename path to the dynamic IMV library
@@ -33,4 +33,28 @@
*/
imv_t* tnc_imv_create(char *name, char *filename);
+/**
+ * Create an Integrity Measurement Verifier from a set of IMV functions.
+ *
+ * @param name name of the IMV
+ * @param initialize TNC_IMV_InitializePointer
+ * @param notify_connection_change TNC_IMV_NotifyConnectionChangePointer
+ * @param receive_message TNC_IMV_ReceiveMessagePointer
+ * @param receive_message_long TNC_IMV_ReceiveMessageLongPointer
+ * @param solicit_recommendation TNC_IMV_SolicitRecommendationPointer
+ * @param batch_ending TNC_IMV_BatchEndingPointer
+ * @param terminate TNC_IMV_TerminatePointer
+ * @param provide_bind_function TNC_IMV_ProvideBindFunctionPointer
+ * @return instance of the imv_t interface
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
+
#endif /** TNC_IMV_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
index dd11c5009..36cdb7fbb 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -18,7 +18,7 @@
#include <tnc/imv/imv_manager.h>
#include <tnc/tnccs/tnccs_manager.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* Called by the IMV to inform a TNCS about the set of message types the IMV
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 0985a47a8..b950e3119 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -29,13 +29,13 @@
#include <fcntl.h>
#include <daemon.h>
-#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
#include <threading/mutex.h>
+#include <collections/linked_list.h>
typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
-
/**
* Private data of an imv_manager_t object.
*/
@@ -52,11 +52,21 @@ struct private_tnc_imv_manager_t {
linked_list_t *imvs;
/**
+ * Lock for IMV list
+ */
+ rwlock_t *lock;
+
+ /**
* Next IMV ID to be assigned
*/
TNC_IMVID next_imv_id;
/**
+ * Mutex to access next IMV ID
+ */
+ mutex_t *id_mutex;
+
+ /**
* Policy defining how to derive final recommendation from individual ones
*/
recommendation_policy_t policy;
@@ -66,27 +76,37 @@ METHOD(imv_manager_t, add, bool,
private_tnc_imv_manager_t *this, imv_t *imv)
{
TNC_Version version;
+ TNC_IMVID imv_id;
- /* Initialize the IMV module */
- imv->set_id(imv, this->next_imv_id);
- if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1,
- TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+ this->id_mutex->lock(this->id_mutex);
+ imv_id = this->next_imv_id++;
+ this->id_mutex->unlock(this->id_mutex);
+
+ imv->set_id(imv, imv_id);
+ if (imv->initialize(imv_id, TNC_IFIMV_VERSION_1,
+ TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
{
DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
return FALSE;
}
+ this->lock->write_lock(this->lock);
this->imvs->insert_last(this->imvs, imv);
- this->next_imv_id++;
+ this->lock->unlock(this->lock);
- if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction)
- != TNC_RESULT_SUCCESS)
+ if (imv->provide_bind_function(imv->get_id(imv),
+ TNC_TNCS_BindFunction) != TNC_RESULT_SUCCESS)
{
- DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function",
- imv->get_name(imv));
+ if (imv->terminate)
+ {
+ imv->terminate(imv->get_id(imv));
+ }
+ DBG1(DBG_TNC, "IMV \"%s\" failed to obtain bind function",
+ imv->get_name(imv));
+ this->lock->write_lock(this->lock);
this->imvs->remove_last(this->imvs, (void**)&imv);
+ this->lock->unlock(this->lock);
return FALSE;
}
-
return TRUE;
}
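Review bot: On the bind-function failure path the write lock is released after `insert_last()` and re-acquired before `remove_last()`, so a concurrent add() can append another IMV in between and `remove_last()` then drops that one instead. The failed IMV would remain in the list while load() or load_from_functions() goes on to destroy it, leaving a dangling entry for the enumerating methods. Removing by pointer avoids this: `this->imvs->remove(this->imvs, imv, NULL);`. Separately, the result of `imv->terminate()` is no longer checked or logged here, which the block removed from load() used to do.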
@@ -96,6 +116,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
enumerator_t *enumerator;
imv_t *imv, *removed_imv = NULL;
+ this->lock->write_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
@@ -107,6 +128,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return removed_imv;
}
@@ -119,18 +141,10 @@ METHOD(imv_manager_t, load, bool,
imv = tnc_imv_create(name, path);
if (!imv)
{
- free(name);
- free(path);
return FALSE;
}
if (!add(this, imv))
{
- if (imv->terminate &&
- imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
- {
- DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
- imv->get_name(imv));
- }
imv->destroy(imv);
return FALSE;
}
@@ -138,6 +152,37 @@ METHOD(imv_manager_t, load, bool,
return TRUE;
}
+METHOD(imv_manager_t, load_from_functions, bool,
+ private_tnc_imv_manager_t *this, char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+ imv_t *imv;
+
+ imv = tnc_imv_create_from_functions(name,
+ initialize,notify_connection_change,
+ receive_message, receive_message_long,
+ solicit_recommendation, batch_ending,
+ terminate, provide_bind_function);
+ if (!imv)
+ {
+ return FALSE;
+ }
+ if (!add(this, imv))
+ {
+ imv->destroy(imv);
+ return FALSE;
+ }
+ DBG1(DBG_TNC, "IMV %u \"%s\" loaded", imv->get_id(imv), name);
+ return TRUE;
+}
+
METHOD(imv_manager_t, is_registered, bool,
private_tnc_imv_manager_t *this, TNC_IMVID id)
{
@@ -145,6 +190,7 @@ METHOD(imv_manager_t, is_registered, bool,
imv_t *imv;
bool found = FALSE;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
@@ -155,6 +201,7 @@ METHOD(imv_manager_t, is_registered, bool,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return found;
}
@@ -166,13 +213,16 @@ METHOD(imv_manager_t, reserve_id, bool,
imv_t *imv;
bool found = FALSE;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
- if (imv->get_id(imv))
+ if (id == imv->get_id(imv))
{
found = TRUE;
+ this->id_mutex->lock(this->id_mutex);
*new_id = this->next_imv_id++;
+ this->id_mutex->unlock(this->id_mutex);
imv->add_id(imv, *new_id);
DBG2(DBG_TNC, "additional ID %u reserved for IMV with primary ID %u",
*new_id, id);
@@ -180,6 +230,7 @@ METHOD(imv_manager_t, reserve_id, bool,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return found;
}
@@ -259,6 +310,7 @@ METHOD(imv_manager_t, notify_connection_change, void,
enumerator_t *enumerator;
imv_t *imv;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
@@ -268,6 +320,7 @@ METHOD(imv_manager_t, notify_connection_change, void,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
METHOD(imv_manager_t, set_message_types, TNC_Result,
@@ -279,6 +332,7 @@ METHOD(imv_manager_t, set_message_types, TNC_Result,
imv_t *imv;
TNC_Result result = TNC_RESULT_FATAL;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
@@ -290,6 +344,7 @@ METHOD(imv_manager_t, set_message_types, TNC_Result,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return result;
}
@@ -303,6 +358,7 @@ METHOD(imv_manager_t, set_message_types_long, TNC_Result,
imv_t *imv;
TNC_Result result = TNC_RESULT_FATAL;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
@@ -315,6 +371,7 @@ METHOD(imv_manager_t, set_message_types_long, TNC_Result,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
return result;
}
@@ -324,12 +381,14 @@ METHOD(imv_manager_t, solicit_recommendation, void,
enumerator_t *enumerator;
imv_t *imv;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
imv->solicit_recommendation(imv->get_id(imv), id);
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
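Review bot: `imv->solicit_recommendation()` now runs with the list's read lock held, and the notify_connection_change, receive_message and batch_ending hunks appear to do the same for their callbacks. If an IMV calls back into the manager from inside such a callback (reserve_id and set_message_types take the read lock again, add and remove_ take the write lock), the outcome depends on whether rwlock_t tolerates recursive read locking while a writer waits, which is not visible here. A comment at the `lock` member would record the rule, e.g. `/* held for reading while IMV callbacks run; callbacks must not call add() or remove() */`. The function starts above this hunk.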
METHOD(imv_manager_t, receive_message, void,
@@ -350,11 +409,12 @@ METHOD(imv_manager_t, receive_message, void,
msg_type = (msg_vid << 8) | msg_subtype;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
if (imv->type_supported(imv, msg_vid, msg_subtype) &&
- (!excl || (excl && imv->has_id(imv, dst_imv_id)) ))
+ (!excl || (excl && imv->has_id(imv, dst_imv_id))))
{
if (imv->receive_message_long && src_imc_id)
{
@@ -376,6 +436,8 @@ METHOD(imv_manager_t, receive_message, void,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
if (!type_supported)
{
DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMV",
@@ -389,6 +451,7 @@ METHOD(imv_manager_t, batch_ending, void,
enumerator_t *enumerator;
imv_t *imv;
+ this->lock->read_lock(this->lock);
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
{
@@ -398,9 +461,9 @@ METHOD(imv_manager_t, batch_ending, void,
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
-
METHOD(imv_manager_t, destroy, void,
private_tnc_imv_manager_t *this)
{
@@ -417,6 +480,8 @@ METHOD(imv_manager_t, destroy, void,
imv->destroy(imv);
}
this->imvs->destroy(this->imvs);
+ this->lock->destroy(this->lock);
+ this->id_mutex->destroy(this->id_mutex);
free(this);
}
@@ -433,6 +498,7 @@ imv_manager_t* tnc_imv_manager_create(void)
.add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */
.load = _load,
+ .load_from_functions = _load_from_functions,
.is_registered = _is_registered,
.reserve_id = _reserve_id,
.get_recommendation_policy = _get_recommendation_policy,
@@ -447,6 +513,8 @@ imv_manager_t* tnc_imv_manager_create(void)
.destroy = _destroy,
},
.imvs = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.next_imv_id = 1,
);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
index 396d5d854..b39d9cbc9 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
@@ -21,8 +21,8 @@
#include <tnc/imv/imv_manager.h>
#include <tnc/imv/imv_recommendations.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
typedef struct recommendation_entry_t recommendation_entry_t;
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
index 6d65a2521..66d03b2f8 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
@@ -23,7 +23,7 @@
#define TNC_IMV_RECOMMENDATIONS_H_
#include <tnc/imv/imv_recommendations.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* Create an IMV empty recommendations instance
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 2b3fbd42b..ac764a163 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -385,7 +394,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES)
+libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_pdp_la_DEPENDENCIES)
$(libstrongswan_tnc_pdp_la_LINK) $(am_libstrongswan_tnc_pdp_la_rpath) $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -524,10 +533,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 77eaa0e05..39939d34e 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -23,7 +23,7 @@
#include <radius_mppe.h>
#include <daemon.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <pen/pen.h>
#include <threading/thread.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index bca43985f..0a960635b 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -15,8 +15,8 @@
#include "tnc_pdp_connections.h"
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_tnc_pdp_connections_t private_tnc_pdp_connections_t;
typedef struct entry_t entry_t;
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in
index 3ef913e7b..f4bc7a6e5 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.in
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tnc_tnccs_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -383,7 +392,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES)
+libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_tnccs_la_DEPENDENCIES)
$(libstrongswan_tnc_tnccs_la_LINK) $(am_libstrongswan_tnc_tnccs_la_rpath) $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
index 515e85804..0b623d6ff 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -20,8 +20,8 @@
#include <tnc/imc/imc_manager.h>
#include <tnc/imv/imv_manager.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_tnc_tnccs_manager_t private_tnc_tnccs_manager_t;
@@ -454,7 +454,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
enumerator_t *enumerator;
tnccs_connection_entry_t *entry;
bool attribute_match = FALSE, entry_found = FALSE;
-
+
if (is_imc)
{
switch (attribute_id)
@@ -520,7 +520,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
return TNC_RESULT_INVALID_PARAMETER;
}
}
-
+
/* attributes specific to the TNCC or TNCS are unsupported */
if (id == TNC_CONNECTIONID_ANY)
{
@@ -577,10 +577,10 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
entry->max_msg_len);
case TNC_ATTRIBUTEID_HAS_LONG_TYPES:
case TNC_ATTRIBUTEID_HAS_EXCLUSIVE:
- return bool_attribute(buffer_len, buffer, value_len,
+ return bool_attribute(buffer_len, buffer, value_len,
entry->type == TNCCS_2_0);
case TNC_ATTRIBUTEID_HAS_SOH:
- return bool_attribute(buffer_len, buffer, value_len,
+ return bool_attribute(buffer_len, buffer, value_len,
entry->type == TNCCS_SOH);
case TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL:
{
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
index a44319ed1..1e4ddc195 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
@@ -18,7 +18,7 @@
#include <tnc/tnc.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnc_tnccs_plugin_t private_tnc_tnccs_plugin_t;
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index 3a506e672..be091b134 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -77,6 +77,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -132,6 +138,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -159,6 +166,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -186,6 +194,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -198,6 +207,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -251,7 +261,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -397,7 +406,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES)
+libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_11_la_DEPENDENCIES)
$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -599,10 +608,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
index c9397722b..b27458fde 100644
--- a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
+++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
@@ -18,8 +18,8 @@
#include <tnc/tnccs/tnccs.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
#include <libxml/parser.h>
diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
index fa570aae9..cf3e58451 100644
--- a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
@@ -18,7 +18,7 @@
#include <tnc/tnccs/tnccs.h>
#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_imc_imv_msg_t private_imc_imv_msg_t;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
index d0df4e7ca..ba92c26b1 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
@@ -15,7 +15,7 @@
#include "tnccs_error_msg.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM(tnccs_error_type_names, TNCCS_ERROR_BATCH_TOO_LONG, TNCCS_ERROR_OTHER,
"batch-too-long",
@@ -108,7 +108,7 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
{
private_tnccs_error_msg_t *this;
xmlChar *error_type_name, *error_msg;
-
+
INIT(this,
.public = {
.tnccs_msg_interface = {
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
index 5a050393a..79c663905 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
@@ -22,7 +22,7 @@
#include "tnccs_tncs_contact_info_msg.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
ENUM(tnccs_msg_type_names, IMC_IMV_MSG, TNCCS_MSG_ROOF,
"IMC-IMV",
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
index e0b54449a..88d6f07aa 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
@@ -25,7 +25,7 @@ typedef enum tnccs_msg_type_t tnccs_msg_type_t;
typedef struct tnccs_msg_t tnccs_msg_t;
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <libxml/parser.h>
/**
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
index fd85350b5..e1c193e18 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
@@ -15,7 +15,7 @@
#include "tnccs_preferred_language_msg.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnccs_preferred_language_msg_t private_tnccs_preferred_language_msg_t;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
index af60a4b3a..cf3c367d8 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
@@ -16,7 +16,7 @@
#include "tnccs_reason_strings_msg.h"
#include "tnccs_error_msg.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnccs_reason_strings_msg_t private_tnccs_reason_strings_msg_t;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
index 610224242..32e123b2e 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
@@ -16,7 +16,7 @@
#include "tnccs_recommendation_msg.h"
#include "tnccs_error_msg.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnccs_recommendation_msg_t private_tnccs_recommendation_msg_t;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
index b8aac30fa..fe288f01d 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
@@ -14,7 +14,7 @@
#include "tnccs_tncs_contact_info_msg.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnccs_tncs_contact_info_msg_t private_tnccs_tncs_contact_info_msg_t;
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
index 56858a8b4..cfc29d6ab 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -31,7 +31,7 @@
#include <tnc/tnccs/tnccs.h>
#include <tnc/tnccs/tnccs_manager.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
#include <threading/mutex.h>
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index 26d26dbd9..60c8e562e 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES = \
@@ -130,6 +136,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -157,6 +164,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -184,6 +192,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +205,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -249,7 +259,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -400,7 +409,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES)
+libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_20_la_DEPENDENCIES)
$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -626,10 +635,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
index 2f932637a..3a2c70f5a 100644
--- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -20,11 +20,11 @@
#include <tnc/tnccs/tnccs.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE,
"CDATA",
@@ -172,12 +172,12 @@ METHOD(pb_tnc_batch_t, build, void,
bio_writer_t *writer;
/* build PB-TNC batch header */
- writer = bio_writer_create(this->batch_len);
+ writer = bio_writer_create(this->batch_len);
writer->write_uint8 (writer, PB_TNC_VERSION);
writer->write_uint8 (writer, this->is_server ?
PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
writer->write_uint16(writer, this->type);
- writer->write_uint32(writer, this->batch_len);
+ writer->write_uint32(writer, this->batch_len);
/* build PB-TNC messages */
enumerator = this->messages->create_enumerator(this->messages);
@@ -297,7 +297,7 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
fatal:
this->errors->insert_last(this->errors, msg);
- return FAILED;
+ return FAILED;
}
static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
@@ -329,7 +329,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
reader->destroy(reader);
noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE;
-
+
if (msg_len > data.len)
{
DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len);
@@ -455,7 +455,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
fatal:
this->errors->insert_last(this->errors, msg);
- return FAILED;
+ return FAILED;
}
METHOD(pb_tnc_batch_t, process, status_t,
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
index 974db4d70..cdd0d0d0d 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
@@ -17,7 +17,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
ENUM(pb_access_recommendation_code_names, PB_REC_ACCESS_ALLOWED, PB_REC_QUARANTINED,
"Access Allowed",
@@ -113,7 +113,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
*offset = 2;
return FAILED;
}
-
+
return SUCCESS;
}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
index ee06575b4..4e50446be 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
@@ -19,7 +19,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pb_assessment_result_msg_t private_pb_assessment_result_msg_t;
@@ -106,7 +106,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
*offset = 0;
return FAILED;
}
-
+
return SUCCESS;
}
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
index 457d3da21..d048f437c 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
@@ -20,7 +20,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
ENUM(pb_tnc_error_code_names, PB_ERROR_UNEXPECTED_BATCH_TYPE,
PB_ERROR_VERSION_NOT_SUPPORTED,
@@ -88,7 +88,7 @@ struct private_pb_error_msg_t {
u_int32_t error_offset;
/**
- * Bad PB-TNC version received
+ * Bad PB-TNC version received
*/
u_int8_t bad_version;
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
index 46df54486..70a03cdc5 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
@@ -17,7 +17,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pb_language_preference_msg_t private_pb_language_preference_msg_t;
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
index bbad9bf55..2d2c1316b 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
@@ -22,7 +22,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pb_pa_msg_t private_pb_pa_msg_t;
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
index 511b45402..935c52d7b 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
@@ -17,7 +17,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pb_reason_string_msg_t private_pb_reason_string_msg_t;
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
index c853f03a3..63d94b94d 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
@@ -17,7 +17,7 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
ENUM(pb_tnc_remed_param_type_names, PB_REMEDIATION_URI, PB_REMEDIATION_STRING,
"Remediation-URI",
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
index e20c8d8ff..97ebed27f 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -56,7 +56,7 @@ struct pb_tnc_msg_info_t {
u_int32_t min_size;
bool exact_size;
bool in_result_batch;
- bool has_noskip_flag;
+ signed char has_noskip_flag;
};
#define TRUE_OR_FALSE 2
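Review bot: `has_noskip_flag` becomes a `signed char` so that it can hold `TRUE_OR_FALSE` (2) as well as TRUE and FALSE, but nothing at the field says it is tri-state, and the macro is defined only after the struct. A comment on the field such as `/* TRUE, FALSE or TRUE_OR_FALSE; must not be bool */` would stop a later cleanup from turning it back into `bool`, where 2 would presumably collapse to 1 and entries marked TRUE_OR_FALSE would start enforcing the NOSKIP flag. The comparison against the received flag lives in pb_tnc_batch.c, outside this hunk, so it is worth confirming that it tests for `TRUE_OR_FALSE` explicitly. The struct itself begins above the hunk.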
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
index 5e95131a8..43f185440 100644
--- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
@@ -15,7 +15,7 @@
#include "pb_tnc_state_machine.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM(pb_tnc_state_names, PB_STATE_INIT, PB_STATE_END,
"Init",
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index 44e1d278f..6239b152d 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -34,10 +34,10 @@
#include <tnc/imc/imc_manager.h>
#include <tnc/imv/imv_manager.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <daemon.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <pen/pen.h>
typedef struct private_tnccs_20_t private_tnccs_20_t;
@@ -369,10 +369,9 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
reason_msg = (pb_reason_string_msg_t*)msg;
reason_string = reason_msg->get_reason_string(reason_msg);
language_code = reason_msg->get_language_code(reason_msg);
- DBG2(DBG_TNC, "reason string is '%.*s'", (int)reason_string.len,
- reason_string.ptr);
- DBG2(DBG_TNC, "language code is '%.*s'", (int)language_code.len,
- language_code.ptr);
+ DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
+ (int)reason_string.len, reason_string.ptr,
+ (int)language_code.len, language_code.ptr);
break;
}
default:
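Review bot: The reason string and language code are taken from a received PB-TNC message and are now written at DBG1 instead of DBG2, so they reach the log at the lowest verbosity. `%.*s` bounds the length but does not filter the bytes. If the peer can place newlines or control characters in either field, anyone reading or parsing the log sees broken or misleading lines. Consider replacing non-printable bytes before the call (libstrongswan's `chunk_printable()` does this, if it is available in this tree), or keep the raw value at DBG2 and log only a sanitized copy at DBG1. handle_message starts and ends outside the hunk.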
@@ -647,28 +646,40 @@ METHOD(tls_t, build, status_t,
if (this->batch_type == PB_BATCH_NONE)
{
- if (this->is_server && state == PB_STATE_SERVER_WORKING)
+ if (this->is_server)
{
- if (this->state_machine->get_empty_cdata(this->state_machine))
- {
- check_and_build_recommendation(this);
- }
- else
+ if (state == PB_STATE_SERVER_WORKING)
{
- DBG2(DBG_TNC, "no recommendation available yet, "
- "sending empty PB-TNC SDATA batch");
- this->batch_type = PB_BATCH_SDATA;
+ if (this->state_machine->get_empty_cdata(this->state_machine))
+ {
+ check_and_build_recommendation(this);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "no recommendation available yet, "
+ "sending empty PB-TNC SDATA batch");
+ this->batch_type = PB_BATCH_SDATA;
+ }
}
}
else
- {
- /**
- * In the DECIDED state and if no CRETRY is under way,
- * a PB-TNC client replies with an empty CLOSE batch.
- */
- if (state == PB_STATE_DECIDED)
+ {
+ switch (state)
{
- this->batch_type = PB_BATCH_CLOSE;
+ case PB_STATE_CLIENT_WORKING:
+ DBG2(DBG_TNC, "no client data to send, "
+ "sending empty PB-TNC CDATA batch");
+ this->batch_type = PB_BATCH_CDATA;
+ break;
+ case PB_STATE_DECIDED:
+ /**
+ * In the DECIDED state and if no CRETRY is under way,
+ * a PB-TNC client replies with an empty CLOSE batch.
+ */
+ this->batch_type = PB_BATCH_CLOSE;
+ break;
+ default:
+ break;
}
}
}
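Review bot: The new `PB_STATE_CLIENT_WORKING` case sends an empty CDATA batch whenever the client has nothing queued, and the server branch in this same hunk treats an empty CDATA (`get_empty_cdata`) as the trigger for `check_and_build_recommendation()`. So the empty batch is not a neutral keep-alive, and the case should say so, e.g. `/* an empty CDATA batch asks the server for its recommendation */`. Please also confirm that a client whose IMCs are still gathering data cannot reach this point, since the assessment would then presumably be decided on incomplete input. Splitting the server condition also means a server in `PB_STATE_DECIDED` no longer reaches the `PB_BATCH_CLOSE` assignment; that looks intended, but a one-line comment would make it explicit. The build method continues on both sides of the hunk.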
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index f08d00dab..b17afda82 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_DEPENDENCIES = \
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -383,7 +392,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES)
+libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_dynamic_la_DEPENDENCIES)
$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
index b68d2dd6b..03795a947 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -17,7 +17,7 @@
#include <tnc/tnc.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
@@ -120,7 +120,7 @@ METHOD(tls_t, destroy, void,
private_tnccs_dynamic_t *this)
{
DESTROY_IF(this->tls);
- free(this);
+ free(this);
}
/**
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index da9310aa0..aff566c08 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_uci_la_DEPENDENCIES =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES)
+libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) $(EXTRA_libstrongswan_uci_la_DEPENDENCIES)
$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -515,10 +524,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index 1201f568e..de0bf91af 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -87,28 +87,12 @@ static traffic_selector_t *create_ts(char *string)
{
if (string)
{
- int netbits = 32;
- host_t *net;
- char *pos;
+ traffic_selector_t *ts;
- string = strdupa(string);
- pos = strchr(string, '/');
- if (pos)
+ ts = traffic_selector_create_from_cidr(string, 0, 0);
+ if (ts)
{
- *pos++ = '\0';
- netbits = atoi(pos);
- }
- else
- {
- if (strchr(string, ':'))
- {
- netbits = 128;
- }
- }
- net = host_create_from_string(string, 0);
- if (net)
- {
- return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+ return ts;
}
}
return traffic_selector_create_dynamic(0, 0, 65535);
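Review bot: When `traffic_selector_create_from_cidr()` returns NULL for a non-empty `string`, create_ts falls through to `traffic_selector_create_dynamic(0, 0, 65535)` without any message, so a typo in the configured subnet silently changes the traffic selector instead of being reported. Log the failure before falling back, e.g. `DBG1(DBG_CFG, "invalid subnet '%s', using dynamic traffic selector", string);`, or reject the entry if the callers can handle a NULL result. The removed code behaved the same way when `host_create_from_string()` failed, so this is not a regression, but the rewrite is the natural place to address it. The function's closing brace is outside the hunk.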
@@ -168,12 +152,14 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
&ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
{
DESTROY_IF(this->peer_cfg);
- ike_cfg = ike_cfg_create(FALSE, FALSE,
- local_addr, FALSE, charon->socket->get_port(charon->socket, FALSE),
- remote_addr, FALSE, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+ local_addr, FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ remote_addr, FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO);
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
this->peer_cfg = peer_cfg_create(
- name, IKEV2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
+ name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
1800, 900, /* jitter, overtime */
TRUE, FALSE, /* mobike, aggressive */
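Review bot: The updated `ike_cfg_create()` call passes four bare `FALSE` arguments whose meaning cannot be read at the call site, while the `peer_cfg_create()` call just below annotates its positional arguments (`/* keytries, rekey, reauth */`). Add the same kind of trailing comments here, taking the names from the prototype in ike_cfg.h (not visible in this diff), and do the same for the identical call in the `ike_enumerator_enumerate` hunk that follows. Because both calls now share one ten-argument list, a small static helper taking `local_addr` and `remote_addr` would keep them from drifting apart at the next signature change. Both enumerate methods extend beyond their hunks.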
@@ -265,9 +251,11 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool,
&local_addr, &remote_addr, &ike_proposal))
{
DESTROY_IF(this->ike_cfg);
- this->ike_cfg = ike_cfg_create(FALSE, FALSE,
- local_addr, FALSE, charon->socket->get_port(charon->socket, FALSE),
- remote_addr, FALSE, IKEV2_UDP_PORT);
+ this->ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+ local_addr, FALSE,
+ charon->socket->get_port(charon->socket, FALSE),
+ remote_addr, FALSE, IKEV2_UDP_PORT,
+ FRAGMENTATION_NO);
this->ike_cfg->add_proposal(this->ike_cfg,
create_proposal(ike_proposal, PROTO_IKE));
diff --git a/src/libcharon/plugins/uci/uci_parser.h b/src/libcharon/plugins/uci/uci_parser.h
index 7217e507a..230c35e86 100644
--- a/src/libcharon/plugins/uci/uci_parser.h
+++ b/src/libcharon/plugins/uci/uci_parser.h
@@ -22,7 +22,7 @@
#ifndef UCI_PARSER_H_
#define UCI_PARSER_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct uci_parser_t uci_parser_t;
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 9d936a273..8e60d97b2 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_unit_tester_la_LIBADD =
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -391,7 +400,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES)
+libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES)
$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -640,10 +649,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
index edbf0f5bb..83b78c092 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
@@ -13,7 +13,7 @@
* for more details.
*/
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/*******************************************************************************
diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
index bd79e12f7..5513f6707 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
@@ -14,7 +14,7 @@
*/
#include <library.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
static u_int hash(char *key)
{
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
index ae1d08e15..75244ab8f 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
@@ -15,7 +15,7 @@
#include <library.h>
#include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <unistd.h>
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
index 252441ef8..eda238623 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_mysql.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
@@ -15,7 +15,7 @@
#include <library.h>
#include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
/*******************************************************************************
* mysql simple test
diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
index dd8d1955e..99490b566 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
@@ -15,7 +15,7 @@
#include <library.h>
#include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <unistd.h>
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 3b74530b3..5cb81fd51 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_unity_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-unity.la: $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_DEPENDENCIES)
+libstrongswan-unity.la: $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_DEPENDENCIES) $(EXTRA_libstrongswan_unity_la_DEPENDENCIES)
$(libstrongswan_unity_la_LINK) $(am_libstrongswan_unity_la_rpath) $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -515,10 +524,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index b2aeba605..31d13add2 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -17,7 +17,7 @@
#include <daemon.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
typedef struct private_unity_handler_t private_unity_handler_t;
@@ -115,7 +115,7 @@ static bool add_include(private_unity_handler_t *this, chunk_t subnet)
}
/**
- * Rempve a subnet from the inclusion list for this IKE_SA
+ * Remove a subnet from the inclusion list for this IKE_SA
*/
static bool remove_include(private_unity_handler_t *this, chunk_t subnet)
{
@@ -170,7 +170,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
{
enumerator_t *enumerator;
child_cfg_t *child_cfg;
- lifetime_cfg_t lft = {};
+ lifetime_cfg_t lft = { .time = { .life = 0 } };
ike_sa_t *ike_sa;
char name[128];
host_t *host;
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index c7feb090c..655b8724a 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -58,10 +58,8 @@ METHOD(enumerator_t, attribute_enumerate, bool,
{
return FALSE;
}
- if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE &&
- ts->to_subnet(ts, &net, &mask))
+ if (ts->to_subnet(ts, &net, &mask))
{
- ts->destroy(ts);
break;
}
ts->destroy(ts);
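Review bot: On the success path of `ts->to_subnet(ts, &net, &mask)` the selector is no longer released before `break`, because this hunk drops the `ts->destroy(ts);` that used to sit there. No other hunk in this file touches the code after the loop, which lies outside the hunk, so unless that code already destroys `ts` the object is leaked each time an attribute is enumerated. If the code after the loop does not need `ts`, keep `ts->destroy(ts);` in front of `break;`. If it does destroy it, the old code released it twice, and that is worth stating in the commit message.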
@@ -94,6 +92,30 @@ METHOD(enumerator_t, attribute_destroy, void,
free(this);
}
+/**
+ * Check if we should send a configured TS as Split-Include attribute
+ */
+static bool use_ts(traffic_selector_t *ts)
+{
+ u_int8_t mask;
+ host_t *net;
+
+ if (ts->get_type(ts) != TS_IPV4_ADDR_RANGE)
+ {
+ return FALSE;
+ }
+ if (ts->is_dynamic(ts))
+ {
+ return FALSE;
+ }
+ if (!ts->to_subnet(ts, &net, &mask))
+ {
+ return FALSE;
+ }
+ net->destroy(net);
+ return mask > 0;
+}
+
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
private_unity_provider_t *this, linked_list_t *pools, identification_t *id,
linked_list_t *vips)
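Review bot: The doc comment on `use_ts()` does not say which selectors are rejected, so a reader has to work the three conditions out from the body. Something like `/** Check if we should send a configured TS as Split-Include attribute: only non-dynamic IPv4 selectors that convert to a subnet with a non-zero mask are used */` would make the filter explicit. A short why-comment on `return mask > 0;` would also help, since the reason for excluding a zero-length prefix is not visible here.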
@@ -122,7 +144,14 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
current = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
while (current->remove_first(current, (void**)&ts) == SUCCESS)
{
- list->insert_last(list, ts);
+ if (use_ts(ts))
+ {
+ list->insert_last(list, ts);
+ }
+ else
+ {
+ ts->destroy(ts);
+ }
}
current->destroy(current);
}
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 0f3463704..f8df24116 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_updown_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES)
+libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) $(EXTRA_libstrongswan_updown_la_DEPENDENCIES)
$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index b2ac02e85..3a644380a 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -16,7 +16,7 @@
#include "updown_handler.h"
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_updown_handler_t private_updown_handler_t;
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 8b2af05b6..617618057 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -200,7 +200,7 @@ METHOD(listener_t, child_updown, bool,
char command[1024];
host_t *my_client, *other_client;
u_int8_t my_client_mask, other_client_mask;
- char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns;
+ char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
mark_t mark;
bool is_host, is_ipv6;
FILE *shell;
@@ -265,6 +265,23 @@ METHOD(listener_t, child_updown, bool,
}
+ if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
+ ike_sa->has_condition(ike_sa, COND_XAUTH_AUTHENTICATED))
+ {
+ if (asprintf(&xauth, "PLUTO_XAUTH_ID='%Y' ",
+ ike_sa->get_other_eap_id(ike_sa)) < 0)
+ {
+ xauth = NULL;
+ }
+ }
+ else
+ {
+ if (asprintf(&xauth, "") < 0)
+ {
+ xauth = NULL;
+ }
+ }
+
if (up)
{
if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
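Review bot: The value from `ike_sa->get_other_eap_id(ike_sa)` is supplied by the remote peer, and the added `asprintf(&xauth, "PLUTO_XAUTH_ID='%Y' ", ...)` places it between single quotes in text that a later hunk of this function passes to `popen(command, "r")`. Nothing in this hunk rejects or escapes a quote character, so unless the `%Y` hook does that (not visible here) the identity can end the quoting and be interpreted by the shell. The identity should be validated before formatting, or handed to the script through the process environment rather than the command text. At minimum add a comment such as `/* peer-controlled identity, must not reach the shell unescaped */`. Separately, when `asprintf` fails `xauth` is set to NULL and is then consumed by a `%s` conversion in the later hunk, so returning early on failure would be safer than formatting a NULL string.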
@@ -311,6 +328,7 @@ METHOD(listener_t, child_updown, bool,
"%s"
"%s"
"%s"
+ "%s"
"%s",
up ? "up" : "down",
is_host ? "-host" : "-client",
@@ -326,6 +344,7 @@ METHOD(listener_t, child_updown, bool,
other_client, other_client_mask,
other_ts->get_from_port(other_ts),
other_ts->get_protocol(other_ts),
+ xauth,
virtual_ip,
mark_in,
mark_out,
@@ -341,6 +360,7 @@ METHOD(listener_t, child_updown, bool,
free(udp_enc);
free(dns);
free(iface);
+ free(xauth);
DBG3(DBG_CHD, "running updown script: %s", command);
shell = popen(command, "r");
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 80f12df47..5ca4fd36d 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_whitelist_la_LIBADD =
@@ -131,6 +137,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -158,6 +165,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -185,6 +193,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -197,6 +206,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -250,7 +260,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -385,7 +394,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES)
+libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES) $(EXTRA_libstrongswan_whitelist_la_DEPENDENCIES)
$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
@@ -430,7 +439,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES)
+whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES) $(EXTRA_whitelist_DEPENDENCIES)
@rm -f whitelist$(EXEEXT)
$(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
@@ -571,10 +580,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c
index 64ef04800..382ee3b8b 100644
--- a/src/libcharon/plugins/whitelist/whitelist_listener.c
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.c
@@ -16,7 +16,7 @@
#include "whitelist_listener.h"
#include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
#include <threading/rwlock.h>
typedef struct private_whitelist_listener_t private_whitelist_listener_t;
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 709e2be03..f5edbaeeb 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_xauth_eap_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-xauth-eap.la: $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_DEPENDENCIES)
+libstrongswan-xauth-eap.la: $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_eap_la_DEPENDENCIES)
$(libstrongswan_xauth_eap_la_LINK) $(am_libstrongswan_xauth_eap_la_rpath) $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 9f9743ef1..ecd480fb5 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_xauth_generic_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-xauth-generic.la: $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_DEPENDENCIES)
+libstrongswan-xauth-generic.la: $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_generic_la_DEPENDENCIES)
$(libstrongswan_xauth_generic_la_LINK) $(am_libstrongswan_xauth_generic_la_rpath) $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index c3514473c..b249b418f 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_xauth_pam_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-xauth-pam.la: $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_DEPENDENCIES)
+libstrongswan-xauth-pam.la: $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_pam_la_DEPENDENCIES)
$(libstrongswan_xauth_pam_la_LINK) $(am_libstrongswan_xauth_pam_la_rpath) $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index 08b41af8c..3a8c2e1cd 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -84,6 +84,7 @@ METHOD(job_t, execute, job_requeue_t,
else
{
DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+ charon->bus->alert(charon->bus, ALERT_HALF_OPEN_TIMEOUT);
charon->ike_sa_manager->checkin_and_destroy(
charon->ike_sa_manager, ike_sa);
}
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 91a76bbaf..64a9785a6 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -77,6 +77,7 @@ METHOD(job_t, execute, job_requeue_t,
if (use_time < this->check)
{
DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
+ charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
ike_sa->reestablish(ike_sa);
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
ike_sa);
diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h
index 41485cbc6..6a1475102 100644
--- a/src/libcharon/processing/jobs/mediation_job.h
+++ b/src/libcharon/processing/jobs/mediation_job.h
@@ -26,7 +26,7 @@ typedef struct mediation_job_t mediation_job_t;
#include <library.h>
#include <processing/jobs/job.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* Class representing a MEDIATION Job.
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index 09679c734..30c0ad0ac 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -24,7 +24,7 @@
typedef struct migrate_job_t migrate_job_t;
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <selectors/traffic_selector.h>
#include <kernel/kernel_ipsec.h>
#include <processing/jobs/job.h>
diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
index 71a2cb45d..606135b0b 100644
--- a/src/libcharon/processing/jobs/process_message_job.c
+++ b/src/libcharon/processing/jobs/process_message_job.c
@@ -67,9 +67,10 @@ METHOD(job_t, execute, job_requeue_t,
this->message);
if (ike_sa)
{
- DBG1(DBG_NET, "received packet: from %#H to %#H",
+ DBG1(DBG_NET, "received packet: from %#H to %#H (%zu bytes)",
this->message->get_source(this->message),
- this->message->get_destination(this->message));
+ this->message->get_destination(this->message),
+ this->message->get_packet_data(this->message).len);
if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
{
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index e2344fcc4..55a3df83e 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -24,7 +24,7 @@
typedef struct update_sa_job_t update_sa_job_t;
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <processing/jobs/job.h>
/**
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 1245734c9..f02d836cf 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -824,8 +824,15 @@ METHOD(child_sa_t, add_policies, status_t,
*/
static void reinstall_vip(host_t *vip, host_t *me)
{
- hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
- hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me);
+ char *iface;
+
+ if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+ me, &iface))
+ {
+ hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
+ hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
+ free(iface);
+ }
}
METHOD(child_sa_t, update, status_t,
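Review bot: When get_interface() fails, the new reinstall_vip returns without touching the address and without logging anything, so a virtual IP that was never moved to the new interface goes unnoticed. The results of del_ip() and add_ip() are also ignored, so a failed re-add after a successful delete leaves the address missing with no trace. An `else` branch with `DBG1(DBG_CHD, "looking up interface for virtual IP %H failed", vip);` would match what add_virtual_ip in ike_sa.c logs for the same condition.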
diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c
index 520c0ce56..1886307e9 100644
--- a/src/libcharon/sa/eap/eap_manager.c
+++ b/src/libcharon/sa/eap/eap_manager.c
@@ -16,7 +16,7 @@
#include "eap_manager.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_eap_manager_t private_eap_manager_t;
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 1d49acb52..4029db11d 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -26,7 +26,7 @@
#include <library.h>
#include <hydra.h>
#include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/lexparser.h>
#include <processing/jobs/retransmit_job.h>
#include <processing/jobs/delete_ike_sa_job.h>
@@ -741,15 +741,26 @@ METHOD(ike_sa_t, add_virtual_ip, void,
{
if (local)
{
- DBG1(DBG_IKE, "installing new virtual IP %H", ip);
- if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
- this->my_host) == SUCCESS)
+ char *iface;
+
+ if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+ this->my_host, &iface))
{
- this->my_vips->insert_last(this->my_vips, ip->clone(ip));
+ DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+ if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
+ ip, -1, iface) == SUCCESS)
+ {
+ this->my_vips->insert_last(this->my_vips, ip->clone(ip));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+ }
+ free(iface);
}
else
{
- DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+ DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
}
}
else
@@ -769,7 +780,8 @@ METHOD(ike_sa_t, clear_virtual_ips, void,
{
if (local)
{
- hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
+ hydra->kernel_interface->del_ip(hydra->kernel_interface,
+ vip, -1, TRUE);
}
vip->destroy(vip);
}
@@ -1220,7 +1232,8 @@ METHOD(ike_sa_t, process_message, status_t,
case IKE_SA_INIT:
case IKE_AUTH:
if (this->state != IKE_CREATED &&
- this->state != IKE_CONNECTING)
+ this->state != IKE_CONNECTING &&
+ message->get_first_payload_type(message) != FRAGMENT_V1)
{
DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
exchange_type_names, message->get_exchange_type(message));
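Review bot: The added `!= FRAGMENT_V1` test carries no comment, and its reason is not obvious at this spot. The first payload type is read from a header that has not been authenticated, and the condition now lets such a message past the state check that used to drop it. A comment above the condition would help, for example `/* IKEv1 fragments always use the initial exchange type, also for later exchanges; the reassembled message is queued and passes this check again */`. That wording is inferred from the frag.exchange comment and handle_fragment in task_manager_v1.c and should be confirmed. process_message starts and ends outside this hunk.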
@@ -1690,6 +1703,8 @@ METHOD(ike_sa_t, retransmit, status_t,
{
/* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
+ charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
+ this->keyingtry);
this->keyingtry++;
if (tries == 0 || tries > this->keyingtry)
{
@@ -1965,14 +1980,14 @@ METHOD(ike_sa_t, inherit, void,
this->other_id = other->other_id->clone(other->other_id);
/* apply assigned virtual IPs... */
- while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
+ while (other->my_vips->remove_last(other->my_vips, (void**)&vip) == SUCCESS)
{
- other->my_vips->insert_first(other->my_vips, vip);
+ this->my_vips->insert_first(this->my_vips, vip);
}
- while (this->other_vips->remove_last(this->other_vips,
- (void**)&vip) == SUCCESS)
+ while (other->other_vips->remove_last(other->other_vips,
+ (void**)&vip) == SUCCESS)
{
- other->other_vips->insert_first(other->other_vips, vip);
+ this->other_vips->insert_first(this->other_vips, vip);
}
/* authentication information */
@@ -2074,7 +2089,7 @@ METHOD(ike_sa_t, destroy, void,
while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
{
- hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
+ hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
vip->destroy(vip);
}
this->my_vips->destroy(this->my_vips);
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index af741c799..625859a3f 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -43,7 +43,7 @@ typedef struct ike_sa_t ike_sa_t;
#include <config/peer_cfg.h>
#include <config/ike_cfg.h>
#include <credentials/auth_cfg.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
/**
* Timeout in seconds after that a half open IKE_SA gets deleted.
@@ -72,6 +72,7 @@ enum ike_extension_t {
/**
* peer supports NAT traversal as specified in RFC4306 or RFC3947
+ * including some RFC3947 drafts
*/
EXT_NATT = (1<<0),
@@ -119,6 +120,17 @@ enum ike_extension_t {
* peer supports Cisco Unity configuration attributes
*/
EXT_CISCO_UNITY = (1<<9),
+
+ /**
+ * peer supports NAT traversal as specified in
+ * draft-ietf-ipsec-nat-t-ike-02 .. -03
+ */
+ EXT_NATT_DRAFT_02_03 = (1<<10),
+
+ /**
+ * peer support proprietary IKE fragmentation
+ */
+ EXT_IKE_FRAGMENTATION = (1<<11),
};
/**
@@ -1014,9 +1026,8 @@ struct ike_sa_t {
*
* When rekeying is completed, all CHILD_SAs, the virtual IP and all
* outstanding tasks are moved from other to this.
- * As this call may initiate inherited tasks, a status is returned.
*
- * @param other other task to inherit from
+ * @param other other IKE SA to inherit from
*/
void (*inherit) (ike_sa_t *this, ike_sa_t *other);
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index a396235c2..2ac8c3123 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -26,7 +26,7 @@
#include <threading/condvar.h>
#include <threading/mutex.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/hashers/hasher.h>
/* the default size of the hash table (MUST be a power of 2) */
@@ -397,6 +397,11 @@ struct private_ike_sa_manager_t {
* reuse existing IKE_SAs in checkout_by_config
*/
bool reuse_ikesa;
+
+ /**
+ * Configured IKE_SA limit, if any
+ */
+ u_int ikesa_limit;
};
/**
@@ -963,14 +968,37 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this)
static bool get_init_hash(private_ike_sa_manager_t *this, message_t *message,
chunk_t *hash)
{
+ host_t *src;
+
if (!this->hasher)
{ /* this might be the case when flush() has been called */
return FALSE;
}
+ if (message->get_first_payload_type(message) == FRAGMENT_V1)
+ { /* only hash the source IP, port and SPI for fragmented init messages */
+ u_int16_t port;
+ u_int64_t spi;
+
+ src = message->get_source(message);
+ if (!this->hasher->allocate_hash(this->hasher,
+ src->get_address(src), NULL))
+ {
+ return FALSE;
+ }
+ port = src->get_port(src);
+ if (!this->hasher->allocate_hash(this->hasher,
+ chunk_from_thing(port), NULL))
+ {
+ return FALSE;
+ }
+ spi = message->get_initiator_spi(message);
+ return this->hasher->allocate_hash(this->hasher,
+ chunk_from_thing(spi), hash);
+ }
if (message->get_exchange_type(message) == ID_PROT)
{ /* include the source for Main Mode as the hash will be the same if
* SPIs are reused by two initiators that use the same proposal */
- host_t *src = message->get_source(message);
+ src = message->get_source(message);
if (!this->hasher->allocate_hash(this->hasher,
src->get_address(src), NULL))
@@ -1203,34 +1231,46 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
{
case NOT_FOUND:
{ /* we've not seen this packet yet, create a new IKE_SA */
- id->set_responder_spi(id, our_spi);
- ike_sa = ike_sa_create(id, FALSE, ike_version);
- if (ike_sa)
+ if (!this->ikesa_limit ||
+ this->public.get_count(&this->public) < this->ikesa_limit)
{
- entry = entry_create();
- entry->ike_sa = ike_sa;
- entry->ike_sa_id = id->clone(id);
+ id->set_responder_spi(id, our_spi);
+ ike_sa = ike_sa_create(id, FALSE, ike_version);
+ if (ike_sa)
+ {
+ entry = entry_create();
+ entry->ike_sa = ike_sa;
+ entry->ike_sa_id = id;
- segment = put_entry(this, entry);
- entry->checked_out = TRUE;
- unlock_single_segment(this, segment);
+ segment = put_entry(this, entry);
+ entry->checked_out = TRUE;
+ unlock_single_segment(this, segment);
- entry->message_id = message->get_message_id(message);
- entry->init_hash = hash;
+ entry->message_id = message->get_message_id(message);
+ entry->init_hash = hash;
- DBG2(DBG_MGR, "created IKE_SA %s[%u]",
- ike_sa->get_name(ike_sa),
- ike_sa->get_unique_id(ike_sa));
+ DBG2(DBG_MGR, "created IKE_SA %s[%u]",
+ ike_sa->get_name(ike_sa),
+ ike_sa->get_unique_id(ike_sa));
+
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+ }
+ else
+ {
+ DBG1(DBG_MGR, "creating IKE_SA failed, ignoring message");
+ }
}
else
{
- remove_init_hash(this, hash);
- chunk_free(&hash);
- DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
+ DBG1(DBG_MGR, "ignoring %N, hitting IKE_SA limit (%u)",
+ exchange_type_names, message->get_exchange_type(message),
+ this->ikesa_limit);
}
+ remove_init_hash(this, hash);
+ chunk_free(&hash);
id->destroy(id);
- charon->bus->set_sa(charon->bus, ike_sa);
- return ike_sa;
+ return NULL;
}
case FAILED:
{ /* we failed to allocate an SPI */
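Review bot: The limit test in the NOT_FOUND branch is a check-then-act sequence: get_count() is evaluated before put_entry() inserts the new entry, and nothing visible in this hunk holds a lock across both. Several threads handling initial messages at the same time can therefore each pass the test, and the table can end up above ikesa_limit. If that is acceptable, say so where the field is declared, e.g. `* Configured IKE_SA limit, if any (soft limit, may be exceeded by concurrent checkouts)`; otherwise the slot has to be reserved under a lock shared with put_entry(). The DBG1 line in the limit branch is emitted once per dropped message at level 1, so sustained traffic above the limit produces one log line per packet. checkout_by_message starts and ends outside this hunk.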
@@ -1263,7 +1303,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
ike_id = entry->ike_sa->get_id(entry->ike_sa);
entry->checked_out = TRUE;
- entry->message_id = message->get_message_id(message);
+ if (message->get_first_payload_type(message) != FRAGMENT_V1)
+ {
+ entry->message_id = message->get_message_id(message);
+ }
if (ike_id->get_responder_spi(ike_id) == 0)
{
ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
@@ -1274,6 +1317,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
}
unlock_single_segment(this, segment);
}
+ else
+ {
+ charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message);
+ }
id->destroy(id);
charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
@@ -1748,6 +1795,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
switch (policy)
{
case UNIQUE_REPLACE:
+ charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
"'%Y' due to uniqueness policy", other);
status = duplicate->delete(duplicate);
@@ -2045,6 +2093,9 @@ ike_sa_manager_t *ike_sa_manager_create()
return NULL;
}
+ this->ikesa_limit = lib->settings->get_int(lib->settings,
+ "%s.ikesa_limit", 0, charon->name);
+
this->table_size = get_nearest_powerof2(lib->settings->get_int(
lib->settings, "%s.ikesa_table_size",
DEFAULT_HASHTABLE_SIZE, charon->name));
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index cff344a34..eb642109b 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -18,7 +18,7 @@
#include <daemon.h>
#include <encoding/generator.h>
#include <encoding/payloads/nonce_payload.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_keymat_v1_t private_keymat_v1_t;
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index 4096141ec..1189d3c69 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -22,7 +22,7 @@
#include <sa/ikev1/keymat_v1.h>
#include <encoding/payloads/ke_payload.h>
#include <encoding/payloads/nonce_payload.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_phase1_t private_phase1_t;
@@ -186,7 +186,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
}
}
enumerator->destroy(enumerator);
- if (!peer_cfg)
+ if (!shared_key)
{
DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
}
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index fd0ad235a..8a4761d5c 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2013 Tobias Brunner
* Copyright (C) 2007-2011 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -36,6 +36,10 @@
#include <processing/jobs/retransmit_job.h>
#include <processing/jobs/delete_ike_sa_job.h>
#include <processing/jobs/dpd_timeout_job.h>
+#include <processing/jobs/process_message_job.h>
+
+#include <encoding/payloads/fragment_payload.h>
+#include <bio/bio_writer.h>
/**
* Number of old messages hashes we keep for retransmission.
@@ -47,6 +51,20 @@
#define MAX_OLD_HASHES 2
/**
+ * Maximum packet size for fragmented packets (same as in sockets)
+ */
+#define MAX_PACKET 10000
+
+/**
+ * Maximum size of fragment data when sending packets (currently the same is
+ * used for IPv4 and IPv6, even though the latter has a higher minimum datagram
+ * size). 576 (= min. IPv4) - 20 (= IP header) - 8 (= UDP header) -
+ * - 28 (= IKE header) - 8 (= fragment header) = 512
+ * This is reduced by 4 in case of NAT-T (due to the non-ESP marker).
+ */
+#define MAX_FRAGMENT_SIZE 512
+
+/**
* First sequence number of responding packets.
*
* To distinguish retransmission jobs for initiating and responding packets,
@@ -160,19 +178,65 @@ struct private_task_manager_t {
packet_t *packet;
/**
- * type of the initated exchange
+ * type of the initiated exchange
*/
exchange_type_t type;
} initiating;
/**
+ * Data used to reassemble a fragmented message
+ */
+ struct {
+
+ /**
+ * Fragment ID (currently only one is supported at a time)
+ */
+ u_int16_t id;
+
+ /**
+ * The number of the last fragment (in case we receive the fragments out
+ * of order), since the first starts with 1 this defines the number of
+ * fragments we expect
+ */
+ u_int8_t last;
+
+ /**
+ * List of fragments (fragment_t*)
+ */
+ linked_list_t *list;
+
+ /**
+ * Length of all currently received fragments
+ */
+ size_t len;
+
+ /**
+ * Maximum length of a fragmented packet
+ */
+ size_t max_packet;
+
+ /**
+ * Maximum length of a single fragment (when sending)
+ */
+ size_t size;
+
+ /**
+ * The exchange type we use for fragments. Always the initial type even
+ * for fragmented quick mode or transaction messages (i.e. either
+ * ID_PROT or AGGRESSIVE)
+ */
+ exchange_type_t exchange;
+
+ } frag;
+
+ /**
* List of queued tasks not yet in action
*/
linked_list_t *queued_tasks;
/**
- * List of active tasks, initiated by ourselve
+ * List of active tasks, initiated by ourselves
*/
linked_list_t *active_tasks;
@@ -212,6 +276,34 @@ struct private_task_manager_t {
u_int32_t dpd_recv;
};
+/**
+ * A single fragment within a fragmented message
+ */
+typedef struct {
+
+ /** fragment number */
+ u_int8_t num;
+
+ /** fragment data */
+ chunk_t data;
+
+} fragment_t;
+
+static void fragment_destroy(fragment_t *this)
+{
+ chunk_free(&this->data);
+ free(this);
+}
+
+static void clear_fragments(private_task_manager_t *this, u_int16_t id)
+{
+ DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
+ this->frag.list = NULL;
+ this->frag.last = 0;
+ this->frag.len = 0;
+ this->frag.id = id;
+}
+
METHOD(task_manager_t, flush_queue, void,
private_task_manager_t *this, task_queue_t queue)
{
@@ -283,16 +375,103 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
}
/**
+ * Send a single fragment with the given data
+ */
+static bool send_fragment(private_task_manager_t *this, bool request,
+ host_t *src, host_t *dst, fragment_payload_t *fragment)
+{
+ message_t *message;
+ packet_t *packet;
+ status_t status;
+
+ message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
+ /* other implementations seem to just use 0 as message ID, so here we go */
+ message->set_message_id(message, 0);
+ message->set_request(message, request);
+ message->set_source(message, src->clone(src));
+ message->set_destination(message, dst->clone(dst));
+ message->set_exchange_type(message, this->frag.exchange);
+ message->add_payload(message, (payload_t*)fragment);
+
+ status = this->ike_sa->generate_message(this->ike_sa, message, &packet);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "failed to generate IKE fragment");
+ message->destroy(message);
+ return FALSE;
+ }
+ charon->sender->send(charon->sender, packet);
+ message->destroy(message);
+ return TRUE;
+}
+
+/**
+ * Send a packet, if supported and required do so in fragments
+ */
+static bool send_packet(private_task_manager_t *this, bool request,
+ packet_t *packet)
+{
+ fragmentation_t fragmentation = FRAGMENTATION_NO;
+ ike_cfg_t *ike_cfg;
+ host_t *src, *dst;
+ chunk_t data;
+
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+ if (ike_cfg)
+ {
+ fragmentation = ike_cfg->fragmentation(ike_cfg);
+ }
+ data = packet->get_data(packet);
+ if (data.len > this->frag.size && (fragmentation == FRAGMENTATION_FORCE ||
+ (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_FRAGMENTATION) &&
+ fragmentation == FRAGMENTATION_YES)))
+ {
+ fragment_payload_t *fragment;
+ u_int8_t num, count;
+ size_t len, frag_size;
+ bool nat;
+
+ /* reduce size due to non-ESP marker */
+ nat = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
+ frag_size = this->frag.size - (nat ? 4 : 0);
+
+ src = packet->get_source(packet);
+ dst = packet->get_destination(packet);
+ count = (data.len / (frag_size + 1)) + 1;
+
+ DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in "
+ "%hhu fragments", data.len, count);
+ for (num = 1; num <= count; num++)
+ {
+ len = min(data.len, frag_size);
+ fragment = fragment_payload_create_from_data(num, num == count,
+ chunk_create(data.ptr, len));
+ if (!send_fragment(this, request, src, dst, fragment))
+ {
+ packet->destroy(packet);
+ return FALSE;
+ }
+ data = chunk_skip(data, len);
+ }
+ packet->destroy(packet);
+ return TRUE;
+ }
+ charon->sender->send(charon->sender, packet);
+ return TRUE;
+}
+
+/**
* Retransmit a packet, either as initiator or as responder
*/
-static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
- u_int mid, u_int retransmitted, packet_t *packet)
+static status_t retransmit_packet(private_task_manager_t *this, bool request,
+ u_int32_t seqnr, u_int mid, u_int retransmitted, packet_t *packet)
{
u_int32_t t;
if (retransmitted > this->retransmit_tries)
{
DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
return DESTROY_ME;
}
t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
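Review bot: The fragment count in send_packet is computed as `(data.len / (frag_size + 1)) + 1`, which is not a ceiling division and is stored in a u_int8_t. As a constructed example, 1025 bytes with frag_size 512 gives a count of 2, so the second fragment is flagged as last while one byte is never sent. A result above 255 is truncated silently, and a count of exactly 255 keeps `num <= count` true forever because num wraps. The count should be computed in size_t with a real ceiling and the message rejected when it cannot be numbered, as sketched below. In the task_manager_v1_create hunk, frag.size and frag.max_packet are taken from settings without a range check; a fragment_size of 0, or below 4 with NAT-T, breaks the arithmetic here and should be clamped at load time. Most callers changed in this commit also ignore send_packet's return value.

```c
		size_t len, frag_size, total;
		/* … unchanged: nat lookup, frag_size, src and dst … */
		total = (data.len + frag_size - 1) / frag_size;
		if (total > 255)
		{	/* num and count are u_int8_t, more fragments cannot be numbered */
			DBG1(DBG_IKE, "IKE message with length of %zu bytes requires "
				 "too many fragments", data.len);
			packet->destroy(packet);
			return FALSE;
		}
		count = total;
```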
@@ -302,8 +481,12 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
+ }
+ if (!send_packet(this, request, packet->clone(packet)))
+ {
+ return DESTROY_ME;
}
- charon->sender->send(charon->sender, packet->clone(packet));
lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
return NEED_MORE;
@@ -316,7 +499,7 @@ METHOD(task_manager_t, retransmit, status_t,
if (seqnr == this->initiating.seqnr && this->initiating.packet)
{
- status = retransmit_packet(this, seqnr, this->initiating.mid,
+ status = retransmit_packet(this, TRUE, seqnr, this->initiating.mid,
this->initiating.retransmitted, this->initiating.packet);
if (status == NEED_MORE)
{
@@ -326,7 +509,7 @@ METHOD(task_manager_t, retransmit, status_t,
}
if (seqnr == this->responding.seqnr && this->responding.packet)
{
- status = retransmit_packet(this, seqnr, this->responding.mid,
+ status = retransmit_packet(this, FALSE, seqnr, this->responding.mid,
this->responding.retransmitted, this->responding.packet);
if (status == NEED_MORE)
{
@@ -602,12 +785,12 @@ METHOD(task_manager_t, initiate, status_t,
}
if (keep)
{ /* keep the packet for retransmission, the responder might request it */
- charon->sender->send(charon->sender,
+ send_packet(this, TRUE,
this->initiating.packet->clone(this->initiating.packet));
}
else
{
- charon->sender->send(charon->sender, this->initiating.packet);
+ send_packet(this, TRUE, this->initiating.packet);
this->initiating.packet = NULL;
}
message->destroy(message);
@@ -711,8 +894,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
{
return retransmit(this, this->responding.seqnr);
}
- charon->sender->send(charon->sender,
- this->responding.packet->clone(this->responding.packet));
+ send_packet(this, FALSE,
+ this->responding.packet->clone(this->responding.packet));
if (delete)
{
return DESTROY_ME;
@@ -767,7 +950,7 @@ static void send_notify(private_task_manager_t *this, message_t *request,
if (this->ike_sa->generate_message(this->ike_sa, response,
&packet) == SUCCESS)
{
- charon->sender->send(charon->sender, packet);
+ send_packet(this, TRUE, packet);
}
response->destroy(response);
}
@@ -866,6 +1049,7 @@ static status_t process_request(private_task_manager_t *this,
this->passive_tasks->insert_last(this->passive_tasks, task);
task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
+ this->frag.exchange = AGGRESSIVE;
break;
case QUICK_MODE:
if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
@@ -1036,6 +1220,114 @@ static status_t process_response(private_task_manager_t *this,
return initiate(this);
}
+static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
+{
+ fragment_payload_t *payload;
+ enumerator_t *enumerator;
+ fragment_t *fragment;
+ status_t status = SUCCESS;
+ chunk_t data;
+ u_int8_t num;
+
+ payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1);
+ if (!payload)
+ {
+ return FAILED;
+ }
+
+ if (this->frag.id != payload->get_id(payload))
+ {
+ clear_fragments(this, payload->get_id(payload));
+ this->frag.list = linked_list_create();
+ }
+
+ num = payload->get_number(payload);
+ if (!this->frag.last && payload->is_last(payload))
+ {
+ this->frag.last = num;
+ }
+
+ enumerator = this->frag.list->create_enumerator(this->frag.list);
+ while (enumerator->enumerate(enumerator, &fragment))
+ {
+ if (fragment->num == num)
+ { /* ignore a duplicate fragment */
+ DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
+ enumerator->destroy(enumerator);
+ return NEED_MORE;
+ }
+ if (fragment->num > num)
+ {
+ break;
+ }
+ }
+
+ data = payload->get_data(payload);
+ this->frag.len += data.len;
+ if (this->frag.len > this->frag.max_packet)
+ {
+ DBG1(DBG_IKE, "fragmented IKE message is too large");
+ enumerator->destroy(enumerator);
+ clear_fragments(this, 0);
+ return FAILED;
+ }
+
+ INIT(fragment,
+ .num = num,
+ .data = chunk_clone(data),
+ );
+
+ this->frag.list->insert_before(this->frag.list, enumerator, fragment);
+ enumerator->destroy(enumerator);
+
+ if (this->frag.list->get_count(this->frag.list) == this->frag.last)
+ {
+ message_t *message;
+ packet_t *pkt;
+ host_t *src, *dst;
+ bio_writer_t *writer;
+
+ writer = bio_writer_create(this->frag.len);
+ DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
+ "message", num);
+ enumerator = this->frag.list->create_enumerator(this->frag.list);
+ while (enumerator->enumerate(enumerator, &fragment))
+ {
+ writer->write_data(writer, fragment->data);
+ }
+ enumerator->destroy(enumerator);
+
+ src = msg->get_source(msg);
+ dst = msg->get_destination(msg);
+ pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
+ writer->extract_buf(writer));
+ writer->destroy(writer);
+
+ message = message_create_from_packet(pkt);
+ if (message->parse_header(message) != SUCCESS)
+ {
+ DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
+ message->destroy(message);
+ status = FAILED;
+ }
+ else
+ {
+ lib->processor->queue_job(lib->processor,
+ (job_t*)process_message_job_create(message));
+ status = NEED_MORE;
+
+ }
+ clear_fragments(this, 0);
+ }
+ else
+ { /* there are some fragments missing */
+ DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
+ "message", num);
+ status = NEED_MORE;
+ }
+ return status;
+}
+
/**
* Parse the given message and verify that it is valid.
*/
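Review bot: handle_fragment dereferences this->frag.list without checking it. The list is only created when the payload's fragment ID differs from this->frag.id, while clear_fragments(this, 0) leaves the manager with id 0 and list NULL, and task_manager_v1_create does not set frag.list either. A fragment payload carrying ID 0 therefore reaches `this->frag.list->create_enumerator(this->frag.list)` with a NULL list, on a path that apparently runs before the peer is authenticated. The guard should also cover the missing list: `if (!this->frag.list || this->frag.id != payload->get_id(payload))`. The function has no header comment, unlike its neighbours; one line stating that it returns NEED_MORE while fragments are outstanding would document the contract process_message relies on.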
@@ -1076,11 +1368,18 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
msg->get_request(msg) ? "request" : "response",
msg->get_message_id(msg));
+ charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
+
if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
{ /* invalid initiation attempt, close SA */
return DESTROY_ME;
}
}
+
+ if (msg->get_first_payload_type(msg) == FRAGMENT_V1)
+ {
+ return handle_fragment(this, msg);
+ }
return status;
}
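Review bot: The fragment check added at the end of parse_message also runs when parsing the body failed: for any state other than IKE_CREATED the error branch falls through, and the function then returns handle_fragment's result instead of the parse status. Unless that is intended, gate it on success with `if (status == SUCCESS && msg->get_first_payload_type(msg) == FRAGMENT_V1)`, so a message whose body did not parse is never passed to reassembly. parse_message begins outside this hunk, so the enclosing structure is inferred from the visible braces.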
@@ -1107,8 +1406,8 @@ METHOD(task_manager_t, process_message, status_t,
{
DBG1(DBG_IKE, "received retransmit of response with ID %u, "
"resending last request", mid);
- charon->sender->send(charon->sender,
- this->initiating.packet->clone(this->initiating.packet));
+ send_packet(this, TRUE,
+ this->initiating.packet->clone(this->initiating.packet));
return SUCCESS;
}
DBG1(DBG_IKE, "received retransmit of response with ID %u, "
@@ -1125,6 +1424,10 @@ METHOD(task_manager_t, process_message, status_t,
msg->set_request(msg, FALSE);
charon->bus->message(charon->bus, msg, TRUE, FALSE);
status = parse_message(this, msg);
+ if (status == NEED_MORE)
+ {
+ return SUCCESS;
+ }
if (status != SUCCESS)
{
return status;
@@ -1149,7 +1452,7 @@ METHOD(task_manager_t, process_message, status_t,
{
DBG1(DBG_IKE, "received retransmit of request with ID %u, "
"retransmitting response", mid);
- charon->sender->send(charon->sender,
+ send_packet(this, FALSE,
this->responding.packet->clone(this->responding.packet));
}
else if (this->initiating.packet &&
@@ -1157,7 +1460,7 @@ METHOD(task_manager_t, process_message, status_t,
{
DBG1(DBG_IKE, "received retransmit of DPD request, "
"retransmitting response");
- charon->sender->send(charon->sender,
+ send_packet(this, TRUE,
this->initiating.packet->clone(this->initiating.packet));
}
else
@@ -1165,6 +1468,7 @@ METHOD(task_manager_t, process_message, status_t,
DBG1(DBG_IKE, "received retransmit of request with ID %u, "
"but no response to retransmit", mid);
}
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
return SUCCESS;
}
if (msg->get_exchange_type(msg) == TRANSACTION &&
@@ -1191,6 +1495,10 @@ METHOD(task_manager_t, process_message, status_t,
msg->set_request(msg, TRUE);
charon->bus->message(charon->bus, msg, TRUE, FALSE);
status = parse_message(this, msg);
+ if (status == NEED_MORE)
+ {
+ return SUCCESS;
+ }
if (status != SUCCESS)
{
return status;
@@ -1202,7 +1510,8 @@ METHOD(task_manager_t, process_message, status_t,
ike_cfg_t *ike_cfg;
job_t *job;
- ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other);
+ ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+ me, other, IKEV1);
if (ike_cfg == NULL)
{
/* no config found for these hosts, destroy */
@@ -1282,6 +1591,7 @@ METHOD(task_manager_t, queue_ike, void,
{
queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
}
+ this->frag.exchange = AGGRESSIVE;
}
else
{
@@ -1585,6 +1895,7 @@ METHOD(task_manager_t, reset, void,
this->initiating.seqnr = 0;
this->initiating.retransmitted = 0;
this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+ clear_fragments(this, 0);
if (initiate != UINT_MAX)
{
this->dpd_send = initiate;
@@ -1635,6 +1946,7 @@ METHOD(task_manager_t, destroy, void,
this->active_tasks->destroy(this->active_tasks);
this->queued_tasks->destroy(this->queued_tasks);
this->passive_tasks->destroy(this->passive_tasks);
+ clear_fragments(this, 0);
DESTROY_IF(this->queued);
DESTROY_IF(this->responding.packet);
@@ -1681,6 +1993,13 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
.responding = {
.seqnr = RESPONDING_SEQ,
},
+ .frag = {
+ .exchange = ID_PROT,
+ .max_packet = lib->settings->get_int(lib->settings,
+ "%s.max_packet", MAX_PACKET, charon->name),
+ .size = lib->settings->get_int(lib->settings,
+ "%s.fragment_size", MAX_FRAGMENT_SIZE, charon->name),
+ },
.ike_sa = ike_sa,
.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
.queued_tasks = linked_list_create(),
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 954dea880..7336d5d64 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -235,7 +235,8 @@ METHOD(task_t, build_i, status_t,
this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
proposals = this->ike_cfg->get_proposals(this->ike_cfg);
sa_payload = sa_payload_create_from_proposals_v1(proposals,
- this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+ this->lifetime, 0, this->method, MODE_NONE,
+ ENCAP_NONE, 0);
proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
message->add_payload(message, &sa_payload->payload_interface);
@@ -520,7 +521,8 @@ METHOD(task_t, build_r, status_t,
identification_t *id;
sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
- this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+ this->lifetime, 0, this->method, MODE_NONE,
+ ENCAP_NONE, 0);
message->add_payload(message, &sa_payload->payload_interface);
if (!this->ph1->add_nonce_ke(this->ph1, message))
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
index d48484f09..43a0aaa36 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -13,6 +13,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2013 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "isakmp_cert_pre.h"
#include <daemon.h>
@@ -21,6 +43,7 @@
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/certreq_payload.h>
#include <credentials/certificates/x509.h>
+#include <credentials/containers/pkcs7.h>
typedef struct private_isakmp_cert_pre_t private_isakmp_cert_pre_t;
@@ -132,7 +155,106 @@ static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message
}
/**
- * Import receuved certificates
+ * Process an X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, bool *first)
+{
+ certificate_t *cert;
+
+ cert = payload->get_cert(payload);
+ if (cert)
+ {
+ if (*first)
+ { /* the first is an end entity certificate */
+ DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+ *first = FALSE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+ }
+ }
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+ certificate_t *cert;
+
+ cert = payload->get_cert(payload);
+ if (cert)
+ {
+ DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+ }
+}
+
+/**
+ * Process a PKCS7 certificate payload
+ */
+static void process_pkcs7(cert_payload_t *payload, auth_cfg_t *auth)
+{
+ enumerator_t *enumerator;
+ container_t *container;
+ certificate_t *cert;
+ pkcs7_t *pkcs7;
+
+ container = payload->get_container(payload);
+ if (!container)
+ {
+ return;
+ }
+ switch (container->get_type(container))
+ {
+ case CONTAINER_PKCS7_DATA:
+ case CONTAINER_PKCS7_SIGNED_DATA:
+ case CONTAINER_PKCS7_ENVELOPED_DATA:
+ break;
+ default:
+ container->destroy(container);
+ return;
+ }
+
+ pkcs7 = (pkcs7_t *)container;
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (cert->get_type(cert) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (x509->get_flags(x509) & X509_CA)
+ {
+ DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_IM_CERT, cert->get_ref(cert));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert->get_ref(cert));
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received unsupported cert type %N",
+ certificate_type_names, cert->get_type(cert));
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ container->destroy(container);
+}
+
+/**
+ * Import received certificates
*/
static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
{
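Review bot: `process_pkcs7()` classifies certificates differently from `process_x509()`, and the two paths do not share state. Every non-CA X.509 certificate in the peer-supplied container is added as `AUTH_HELPER_SUBJECT_CERT`, and the `first` flag kept by `process_certs()` is never cleared. A container carrying several non-CA certificates therefore yields several subject-cert candidates, and an `ENC_X509_SIGNATURE` payload that follows is still treated as the end entity certificate (see the call site in the next hunk). These certificates arrive before the peer is authenticated, so presumably they are only hints for later chain validation, which is not visible here. I would either pass `&first` into `process_pkcs7()` and clear it once an end entity certificate has been added, or document the intent, e.g. `/* PKCS#7 bundles are unordered: classify by the CA flag, may add several subject cert candidates */`. The body of `process_certs()` continues outside this hunk.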
@@ -150,7 +272,6 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
{
cert_payload_t *cert_payload;
cert_encoding_t encoding;
- certificate_t *cert;
cert_payload = (cert_payload_t*)payload;
encoding = cert_payload->get_cert_encoding(cert_payload);
@@ -158,36 +279,14 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
switch (encoding)
{
case ENC_X509_SIGNATURE:
- {
- cert = cert_payload->get_cert(cert_payload);
- if (cert)
- {
- if (first)
- { /* the first is an end entity certificate */
- DBG1(DBG_IKE, "received end entity cert \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
- first = FALSE;
- }
- else
- {
- DBG1(DBG_IKE, "received issuer cert \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_HELPER_IM_CERT, cert);
- }
- }
+ process_x509(cert_payload, auth, &first);
break;
- }
case ENC_CRL:
- cert = cert_payload->get_cert(cert_payload);
- if (cert)
- {
- DBG1(DBG_IKE, "received CRL \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
- }
+ process_crl(cert_payload, auth);
break;
case ENC_PKCS7_WRAPPED_X509:
+ process_pkcs7(cert_payload, auth);
+ break;
case ENC_PGP:
case ENC_DNS_SIGNED_KEY:
case ENC_KERBEROS_TOKEN:
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index 50bf1612d..5a779ff62 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -15,6 +15,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "isakmp_natd.h"
#include <string.h>
@@ -75,6 +97,18 @@ struct private_isakmp_natd_t {
};
/**
+ * Get NAT-D payload type (RFC 3947 or RFC 3947 drafts).
+ */
+static payload_type_t get_nat_d_payload_type(ike_sa_t *ike_sa)
+{
+ if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+ {
+ return NAT_D_DRAFT_00_03_V1;
+ }
+ return NAT_D_V1;
+}
+
+/**
* Build NAT detection hash for a host.
*/
static chunk_t generate_natd_hash(private_isakmp_natd_t *this,
@@ -162,7 +196,7 @@ static hash_payload_t *build_natd_payload(private_isakmp_natd_t *this, bool src,
{
return NULL;
}
- payload = hash_payload_create(NAT_D_V1);
+ payload = hash_payload_create(get_nat_d_payload_type(this->ike_sa));
payload->set_hash(payload, hash);
chunk_free(&hash);
return payload;
@@ -221,7 +255,8 @@ static void process_payloads(private_isakmp_natd_t *this, message_t *message)
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
- if (payload->get_type(payload) != NAT_D_V1)
+ if (payload->get_type(payload) != NAT_D_V1 &&
+ payload->get_type(payload) != NAT_D_DRAFT_00_03_V1)
{
continue;
}
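Review bot: The receive path in `process_payloads()` accepts both `NAT_D_V1` and `NAT_D_DRAFT_00_03_V1` regardless of which NAT-T variant was negotiated, while the send path picks exactly one via `get_nat_d_payload_type()`. If the extension is already known when this runs (not visible from the hunk), comparing against the negotiated type would keep the two directions consistent and drop payloads of the other variant: `if (payload->get_type(payload) != get_nat_d_payload_type(this->ike_sa))`. If accepting both is deliberate for interoperability, a short comment saying so would help the next reader. The loop body continues outside the hunk.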
@@ -350,7 +385,7 @@ METHOD(task_t, process_r, status_t,
switch (message->get_exchange_type(message))
{
case AGGRESSIVE:
- { /* proccess NAT-D payloads in the second request, already added ours
+ { /* process NAT-D payloads in the second request, already added ours
* in the first response */
result = SUCCESS;
/* fall */
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 4fd0ef39b..2ff2b55e9 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2012-2013 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -13,6 +14,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "isakmp_vendor.h"
#include <daemon.h>
@@ -39,6 +62,11 @@ struct private_isakmp_vendor_t {
* Are we the inititator of this task
*/
bool initiator;
+
+ /**
+ * Index of best nat traversal VID found
+ */
+ int best_natt_ext;
};
/**
@@ -65,76 +93,132 @@ static struct {
{ "XAuth", EXT_XAUTH, TRUE, 8,
"\x09\x00\x26\x89\xdf\xd6\xb7\x12"},
- /* NAT-Traversal, MD5("RFC 3947") */
- { "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
- "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
-
/* Dead peer detection, RFC 3706 */
{ "DPD", EXT_DPD, TRUE, 16,
"\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
- { "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
- "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"},
+ { "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
+ "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
- { "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16,
- "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"},
+ /* Proprietary IKE fragmentation extension. Capabilities are handled
+ * specially on receipt of this VID. */
+ { "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20,
+ "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"},
- { "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16,
- "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"},
+}, vendor_natt_ids[] = {
- { "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16,
- "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"},
+ /* NAT-Traversal VIDs ordered by preference */
+
+ /* NAT-Traversal, MD5("RFC 3947") */
+ { "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
+ "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
- { "draft-ietf-ipsec-nat-t-ike-02", 0, FALSE, 16,
+ { "draft-ietf-ipsec-nat-t-ike-03", EXT_NATT | EXT_NATT_DRAFT_02_03,
+ FALSE, 16,
+ "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"},
+
+ { "draft-ietf-ipsec-nat-t-ike-02", EXT_NATT | EXT_NATT_DRAFT_02_03,
+ FALSE, 16,
"\xcd\x60\x46\x43\x35\xdf\x21\xf8\x7c\xfd\xb2\xfc\x68\xb6\xa4\x48"},
- { "draft-ietf-ipsec-nat-t-ike-02\\n", 0, FALSE, 16,
+ { "draft-ietf-ipsec-nat-t-ike-02\\n", EXT_NATT | EXT_NATT_DRAFT_02_03,
+ TRUE, 16,
"\x90\xcb\x80\x91\x3e\xbb\x69\x6e\x08\x63\x81\xb5\xec\x42\x7b\x1f"},
- { "draft-ietf-ipsec-nat-t-ike-03", 0, FALSE, 16,
- "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"},
+ { "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16,
+ "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"},
- { "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16,
- "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"},
+ { "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16,
+ "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"},
+
+ { "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16,
+ "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"},
{ "draft-ietf-ipsec-nat-t-ike-05", 0, FALSE, 16,
"\x80\xd0\xbb\x3d\xef\x54\x56\x5e\xe8\x46\x45\xd4\xc8\x5c\xe3\xee"},
- { "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16,
- "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"},
+ { "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16,
+ "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"},
- { "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16,
- "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"},
+ { "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16,
+ "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"},
- { "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16,
- "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"},
+ { "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16,
+ "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"},
+
+ { "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16,
+ "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"},
+
+ { "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
+ "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"},
- { "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
- "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
};
+/**
+ * According to racoon 0x80000000 seems to indicate support for fragmentation
+ * of Aggressive and Main mode messages. 0x40000000 seems to indicate support
+ * for fragmentation of base ISAKMP messages (Cisco adds that and thus sends
+ * 0xc0000000)
+ */
+static const u_int32_t fragmentation_ike = 0x80000000;
+
+/**
+ * Check if the given vendor ID indicate support for fragmentation
+ */
+static bool fragmentation_supported(chunk_t data, int i)
+{
+ if (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION &&
+ data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16))
+ {
+ return untoh32(&data.ptr[16]) & fragmentation_ike;
+ }
+ return FALSE;
+}
+
METHOD(task_t, build, status_t,
private_isakmp_vendor_t *this, message_t *message)
{
vendor_id_payload_t *vid_payload;
- bool strongswan, cisco_unity;
+ bool strongswan, cisco_unity, fragmentation;
+ ike_cfg_t *ike_cfg;
int i;
strongswan = lib->settings->get_bool(lib->settings,
- "%s.send_vendor_id", FALSE, charon->name);
+ "%s.send_vendor_id", FALSE, charon->name);
cisco_unity = lib->settings->get_bool(lib->settings,
- "%s.cisco_unity", FALSE, charon->name);
+ "%s.cisco_unity", FALSE, charon->name);
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+ fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO;
+ if (!this->initiator && fragmentation)
+ {
+ fragmentation = this->ike_sa->supports_extension(this->ike_sa,
+ EXT_IKE_FRAGMENTATION);
+ }
for (i = 0; i < countof(vendor_ids); i++)
{
if (vendor_ids[i].send ||
(vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) ||
- (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity))
+ (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) ||
+ (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation))
{
+ DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc);
vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
chunk_clone(chunk_create(vendor_ids[i].id, vendor_ids[i].len)));
message->add_payload(message, &vid_payload->payload_interface);
}
}
+ for (i = 0; i < countof(vendor_natt_ids); i++)
+ {
+ if ((this->initiator && vendor_natt_ids[i].send) ||
+ this->best_natt_ext == i)
+ {
+ DBG2(DBG_IKE, "sending %s vendor ID", vendor_natt_ids[i].desc);
+ vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
+ chunk_clone(chunk_create(vendor_natt_ids[i].id,
+ vendor_natt_ids[i].len)));
+ message->add_payload(message, &vid_payload->payload_interface);
+ }
+ }
return this->initiator ? NEED_MORE : SUCCESS;
}
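Review bot: `fragmentation_supported()` returns `untoh32(&data.ptr[16]) & fragmentation_ike` directly as a `bool`, and the masked value is `0x80000000`. With a C99 `_Bool` this converts to true, but if `bool` is a typedef for a narrower or signed integer type on some build (the definition is not visible here), the result can be truncated or negative. Making the comparison explicit removes the dependency: `return (untoh32(&data.ptr[16]) & fragmentation_ike) != 0;`. The `data.len == 20` check correctly precedes the read at offset 16. The literals 16 and 20 would read better if derived from `vendor_ids[i].len`.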
@@ -160,7 +244,8 @@ METHOD(task_t, process, status_t,
for (i = 0; i < countof(vendor_ids); i++)
{
if (chunk_equals(data, chunk_create(vendor_ids[i].id,
- vendor_ids[i].len)))
+ vendor_ids[i].len)) ||
+ fragmentation_supported(data, i))
{
DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc);
if (vendor_ids[i].extension)
@@ -169,6 +254,26 @@ METHOD(task_t, process, status_t,
vendor_ids[i].extension);
}
found = TRUE;
+ break;
+ }
+ }
+ if (!found)
+ {
+ for (i = 0; i < countof(vendor_natt_ids); i++)
+ {
+ if (chunk_equals(data, chunk_create(vendor_natt_ids[i].id,
+ vendor_natt_ids[i].len)))
+ {
+ DBG1(DBG_IKE, "received %s vendor ID",
+ vendor_natt_ids[i].desc);
+ if (vendor_natt_ids[i].extension &&
+ (i < this->best_natt_ext || this->best_natt_ext < 0))
+ {
+ this->best_natt_ext = i;
+ }
+ found = TRUE;
+ break;
+ }
}
}
if (!found)
@@ -179,6 +284,12 @@ METHOD(task_t, process, status_t,
}
enumerator->destroy(enumerator);
+ if (this->best_natt_ext >= 0)
+ {
+ this->ike_sa->enable_extension(this->ike_sa,
+ vendor_natt_ids[this->best_natt_ext].extension);
+ }
+
return this->initiator ? SUCCESS : NEED_MORE;
}
@@ -219,6 +330,7 @@ isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator)
},
.initiator = initiator,
.ike_sa = ike_sa,
+ .best_natt_ext = -1,
);
return &this->public;
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 9ccf9abf5..bc9d4bbc3 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -241,7 +241,8 @@ METHOD(task_t, build_i, status_t,
this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
proposals = this->ike_cfg->get_proposals(this->ike_cfg);
sa_payload = sa_payload_create_from_proposals_v1(proposals,
- this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+ this->lifetime, 0, this->method, MODE_NONE,
+ ENCAP_NONE, 0);
proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
message->add_payload(message, &sa_payload->payload_interface);
@@ -455,7 +456,8 @@ METHOD(task_t, build_r, status_t,
sa_payload_t *sa_payload;
sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
- this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
+ this->lifetime, 0, this->method, MODE_NONE,
+ ENCAP_NONE, 0);
message->add_payload(message, &sa_payload->payload_interface);
return NEED_MORE;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 82a7238c3..1eae6aa93 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -16,6 +16,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "quick_mode.h"
#include <string.h>
@@ -561,7 +583,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
}
- if (!this->initiator && this->mode == MODE_TRANSPORT && this->udp &&
+ if (this->mode == MODE_TRANSPORT && this->udp &&
(!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
{ /* change TS in case of a NAT in transport mode */
DBG2(DBG_IKE, "changing received traffic selectors %R=== %R due to NAT",
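Review bot: With `!this->initiator` removed, the initiator also has its received traffic selectors rewritten in NAT transport mode. The `is_contained_in()` check in the following hunk then validates the substituted selectors rather than the ones the peer actually sent. The replacement code is outside this hunk, so whether the substitutes always come from local state cannot be confirmed from here. The existing comment should state the new scope, for example `/* change TS in case of a NAT in transport mode (both roles); the initiator validates the substituted selectors below */`.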
@@ -572,11 +594,11 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
if (this->initiator)
{
- /* check if peer selection valid */
+ /* check if peer selection is valid */
if (!tsr->is_contained_in(tsr, this->tsr) ||
!tsi->is_contained_in(tsi, this->tsi))
{
- DBG1(DBG_IKE, "peer selected invalid traffic selectors: ",
+ DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
"%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
tsi->destroy(tsi);
tsr->destroy(tsr);
@@ -596,6 +618,34 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
}
/**
+ * Get encap
+ */
+static encap_t get_encap(ike_sa_t* ike_sa, bool udp)
+{
+ if (!udp)
+ {
+ return ENCAP_NONE;
+ }
+ if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+ {
+ return ENCAP_UDP_DRAFT_00_03;
+ }
+ return ENCAP_UDP;
+}
+
+/**
+ * Get NAT-OA payload type (RFC 3947 or RFC 3947 drafts).
+ */
+static payload_type_t get_nat_oa_payload_type(ike_sa_t *ike_sa)
+{
+ if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+ {
+ return NAT_OA_DRAFT_00_03_V1;
+ }
+ return NAT_OA_V1;
+}
+
+/**
* Add NAT-OA payloads
*/
static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
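Review bot: The doc comment `Get encap` on `get_encap()` does not say what is selected or on what basis, unlike the comment on `get_nat_oa_payload_type()` just below it. Something like `Select the UDP encapsulation value for the SA payload: ENCAP_NONE without NAT, ENCAP_UDP_DRAFT_00_03 if EXT_NATT_DRAFT_02_03 was negotiated, ENCAP_UDP otherwise` would cover it. As a style point, the parameter is written `ike_sa_t* ike_sa` here and `ike_sa_t *ike_sa` in the sibling helper, and the latter matches the rest of the file. The body of `add_nat_oa_payloads()` at the end of the hunk continues outside it.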
@@ -603,6 +653,7 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
identification_t *id;
id_payload_t *nat_oa;
host_t *src, *dst;
+ payload_type_t nat_oa_payload_type;
src = message->get_source(message);
dst = message->get_destination(message);
@@ -610,15 +661,17 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
src = this->initiator ? src : dst;
dst = this->initiator ? dst : src;
+ nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa);
+
/* first NAT-OA is the initiator's address */
id = identification_create_from_sockaddr(src->get_sockaddr(src));
- nat_oa = id_payload_create_from_identification(NAT_OA_V1, id);
+ nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
message->add_payload(message, (payload_t*)nat_oa);
id->destroy(id);
/* second NAT-OA is that of the responder */
id = identification_create_from_sockaddr(dst->get_sockaddr(dst));
- nat_oa = id_payload_create_from_identification(NAT_OA_V1, id);
+ nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
message->add_payload(message, (payload_t*)nat_oa);
id->destroy(id);
}
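Review bot: The unchanged context lines `src = this->initiator ? src : dst;` and `dst = this->initiator ? dst : src;` overwrite `src` before the second line reads it. On the responder both variables end up as the message destination, so both NAT-OA payloads built with the new `nat_oa_payload_type` carry the same address. This predates the commit, but the changed lines depend on it. Separate variables avoid the aliasing: `init = this->initiator ? src : dst;` and `resp = this->initiator ? dst : src;`, then build the first payload from `init` and the second from `resp`. The function starts outside this hunk.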
@@ -697,6 +750,7 @@ METHOD(task_t, build_i, status_t,
linked_list_t *list, *tsi, *tsr;
proposal_t *proposal;
diffie_hellman_group_t group;
+ encap_t encap;
this->udp = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
this->mode = this->config->get_mode(this->config);
@@ -735,19 +789,42 @@ METHOD(task_t, build_i, status_t,
DBG1(DBG_IKE, "allocating SPI from kernel failed");
return FAILED;
}
+ group = this->config->get_dh_group(this->config);
+ if (group != MODP_NONE)
+ {
+ this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+ group);
+ if (!this->dh)
+ {
+ DBG1(DBG_IKE, "configured DH group %N not supported",
+ diffie_hellman_group_names, group);
+ return FAILED;
+ }
+ }
list = this->config->get_proposals(this->config, FALSE);
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &proposal))
{
+ if (group != MODP_NONE)
+ {
+ if (!proposal->has_dh_group(proposal, group))
+ {
+ list->remove_at(list, enumerator);
+ proposal->destroy(proposal);
+ continue;
+ }
+ proposal->strip_dh(proposal, group);
+ }
proposal->set_spi(proposal, this->spi_i);
}
enumerator->destroy(enumerator);
get_lifetimes(this);
+ encap = get_encap(this->ike_sa, this->udp);
sa_payload = sa_payload_create_from_proposals_v1(list,
this->lifetime, this->lifebytes, AUTH_NONE,
- this->mode, this->udp, this->cpi_i);
+ this->mode, encap, this->cpi_i);
list->destroy_offset(list, offsetof(proposal_t, destroy));
message->add_payload(message, &sa_payload->payload_interface);
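Review bot: The new filter in `build_i` silently removes every configured proposal that lacks the chosen DH group, and nothing checks that any proposal is left before `sa_payload_create_from_proposals_v1()` is called. If `get_dh_group()` derives the group from these same proposals the list cannot become empty, but that is not visible here. A guard such as `if (list->get_count(list) == 0)` that destroys the list and returns `FAILED` would make the assumption explicit. A `DBG2(DBG_IKE, "skipping proposal without DH group %N", diffie_hellman_group_names, group);` before `list->remove_at(list, enumerator);` would also make dropped proposals visible when diagnosing a failed negotiation. `build_i` starts and ends outside the hunk.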
@@ -755,18 +832,8 @@ METHOD(task_t, build_i, status_t,
{
return FAILED;
}
-
- group = this->config->get_dh_group(this->config);
if (group != MODP_NONE)
{
- this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
- group);
- if (!this->dh)
- {
- DBG1(DBG_IKE, "configured DH group %N not supported",
- diffie_hellman_group_names, group);
- return FAILED;
- }
add_ke(this, message);
}
if (!this->tsi)
@@ -1048,6 +1115,7 @@ METHOD(task_t, build_r, status_t,
case QM_INIT:
{
sa_payload_t *sa_payload;
+ encap_t encap;
this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
if (!this->spi_r)
@@ -1074,9 +1142,10 @@ METHOD(task_t, build_r, status_t,
add_nat_oa_payloads(this, message);
}
+ encap = get_encap(this->ike_sa, this->udp);
sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
this->lifetime, this->lifebytes, AUTH_NONE,
- this->mode, this->udp, this->cpi_r);
+ this->mode, encap, this->cpi_r);
message->add_payload(message, &sa_payload->payload_interface);
if (!add_nonce(this, &this->nonce_r, message))
diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c
index 5fdcea1ab..c4e5ea7a0 100644
--- a/src/libcharon/sa/ikev2/connect_manager.c
+++ b/src/libcharon/sa/ikev2/connect_manager.c
@@ -19,7 +19,7 @@
#include <daemon.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/hashers/hasher.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libcharon/sa/ikev2/mediation_manager.c b/src/libcharon/sa/ikev2/mediation_manager.c
index 60eeb5d4b..bf5b2f4b3 100644
--- a/src/libcharon/sa/ikev2/mediation_manager.c
+++ b/src/libcharon/sa/ikev2/mediation_manager.c
@@ -17,7 +17,7 @@
#include <daemon.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <processing/jobs/mediation_job.h>
typedef struct peer_t peer_t;
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 53051fab4..ea0117c54 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -257,6 +257,8 @@ METHOD(task_manager_t, retransmit, status_t,
{
DBG1(DBG_IKE, "giving up after %d retransmits",
this->initiating.retransmitted - 1);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
+ this->initiating.packet);
return DESTROY_ME;
}
@@ -264,6 +266,8 @@ METHOD(task_manager_t, retransmit, status_t,
{
DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
this->initiating.retransmitted, message_id);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND,
+ this->initiating.packet);
}
packet = this->initiating.packet->clone(this->initiating.packet);
charon->sender->send(charon->sender, packet);
@@ -626,6 +630,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
message_t *message;
host_t *me, *other;
bool delete = FALSE, hook = FALSE;
+ ike_sa_id_t *id = NULL;
+ u_int64_t responder_spi;
status_t status;
me = request->get_destination(request);
@@ -676,10 +682,15 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
}
enumerator->destroy(enumerator);
- /* remove resonder SPI if IKE_SA_INIT failed */
+ /* RFC 5996, section 2.6 mentions that in the event of a failure during
+ * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
+ * actually explicitly allows it to be non-zero. Since we use the responder
+ * SPI to create hashes in the IKE_SA manager we can only set the SPI to
+ * zero temporarily, otherwise checking the SA in would fail. */
if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
{
- ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
+ id = this->ike_sa->get_id(this->ike_sa);
+ responder_spi = id->get_responder_spi(id);
id->set_responder_spi(id, 0);
}
@@ -689,6 +700,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
status = this->ike_sa->generate_message(this->ike_sa, message,
&this->responding.packet);
message->destroy(message);
+ if (id)
+ {
+ id->set_responder_spi(id, responder_spi);
+ }
if (status != SUCCESS)
{
charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
@@ -1045,6 +1060,8 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
is_request ? "request" : "response",
msg->get_message_id(msg));
+ charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
+
if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
{ /* invalid initiation attempt, close SA */
return DESTROY_ME;
@@ -1077,7 +1094,8 @@ METHOD(task_manager_t, process_message, status_t,
ike_sa_id_t *ike_sa_id;
ike_cfg_t *ike_cfg;
job_t *job;
- ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other);
+ ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+ me, other, IKEV2);
if (ike_cfg == NULL)
{
/* no config found for these hosts, destroy */
@@ -1133,6 +1151,7 @@ METHOD(task_manager_t, process_message, status_t,
DBG1(DBG_IKE, "received retransmit of request with ID %d, "
"retransmitting response", mid);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
clone = this->responding.packet->clone(this->responding.packet);
host = msg->get_destination(msg);
clone->set_source(clone, host->clone(host));
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 46a165546..eb3972c29 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -377,6 +377,8 @@ static status_t select_and_install(private_child_create_t *this,
if (this->proposal == NULL)
{
DBG1(DBG_IKE, "no acceptable proposal found");
+ charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD,
+ this->proposals);
return FAILED;
}
this->other_spi = this->proposal->get_spi(this->proposal);
@@ -452,6 +454,7 @@ static status_t select_and_install(private_child_create_t *this,
if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
{
+ charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
DBG1(DBG_IKE, "no acceptable traffic selectors found");
@@ -549,6 +552,8 @@ static status_t select_and_install(private_child_create_t *this,
(status_i != SUCCESS) ? "inbound " : "",
(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
(status_o != SUCCESS) ? "outbound " : "");
+ charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED,
+ this->child_sa);
return FAILED;
}
@@ -581,6 +586,8 @@ static status_t select_and_install(private_child_create_t *this,
if (status != SUCCESS)
{
DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+ charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
+ this->child_sa);
return NOT_FOUND;
}
@@ -982,6 +989,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
else
{
DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
+ charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE);
}
}
@@ -1040,6 +1048,7 @@ METHOD(task_t, build_r, status_t,
{
DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
this->tsr, this->tsi);
+ charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
handle_child_sa_failure(this, message);
return SUCCESS;
@@ -1154,7 +1163,7 @@ METHOD(task_t, process_i, status_t,
break;
}
- /* check for erronous notifies */
+ /* check for erroneous notifies */
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index cd94ccd9e..70efcd7af 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -12,7 +12,7 @@
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details
+ * for more details.
*/
#include "ike_auth.h"
@@ -457,6 +457,7 @@ METHOD(task_t, build_i, status_t,
this->reserved);
if (!this->my_auth)
{
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return FAILED;
}
}
@@ -473,6 +474,7 @@ METHOD(task_t, build_i, status_t,
case NEED_MORE:
break;
default:
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return FAILED;
}
@@ -748,7 +750,7 @@ METHOD(task_t, build_r, status_t,
this->reserved);
if (!this->my_auth)
{
- goto peer_auth_failed;
+ goto local_auth_failed;
}
}
}
@@ -786,9 +788,7 @@ METHOD(task_t, build_r, status_t,
case NEED_MORE:
break;
default:
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
- chunk_empty);
- return FAILED;
+ goto local_auth_failed;
}
}
@@ -807,6 +807,7 @@ METHOD(task_t, build_r, status_t,
this->ike_sa, FALSE))
{
DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+ charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
chunk_empty);
return FAILED;
@@ -830,11 +831,14 @@ METHOD(task_t, build_r, status_t,
return NEED_MORE;
peer_auth_failed:
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
- chunk_empty);
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
peer_auth_failed_no_notify:
charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return FAILED;
+local_auth_failed:
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+ return FAILED;
}
METHOD(task_t, process_i, status_t,
@@ -987,6 +991,7 @@ METHOD(task_t, process_i, status_t,
case NEED_MORE:
break;
default:
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return FAILED;
}
}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 60e878777..2cbe8f8c5 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -57,6 +57,72 @@ struct private_ike_cert_pre_t {
};
/**
+ * Process a single certificate request payload
+ */
+static void process_certreq(private_ike_cert_pre_t *this,
+ certreq_payload_t *certreq, auth_cfg_t *auth)
+{
+ enumerator_t *enumerator;
+ u_int unknown = 0;
+ chunk_t keyid;
+
+ this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
+
+ if (certreq->get_cert_type(certreq) != CERT_X509)
+ {
+ DBG1(DBG_IKE, "cert payload %N not supported - ignored",
+ certificate_type_names, certreq->get_cert_type(certreq));
+ return;
+ }
+
+ enumerator = certreq->create_keyid_enumerator(certreq);
+ while (enumerator->enumerate(enumerator, &keyid))
+ {
+ identification_t *id;
+ certificate_t *cert;
+
+ id = identification_create_from_encoding(ID_KEY_ID, keyid);
+ cert = lib->credmgr->get_cert(lib->credmgr,
+ CERT_X509, KEY_ANY, id, TRUE);
+ if (cert)
+ {
+ DBG1(DBG_IKE, "received cert request for \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_RULE_CA_CERT, cert);
+ }
+ else
+ {
+ DBG2(DBG_IKE, "received cert request for unknown ca with keyid %Y",
+ id);
+ unknown++;
+ }
+ id->destroy(id);
+ }
+ enumerator->destroy(enumerator);
+ if (unknown)
+ {
+ DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
+ unknown);
+ }
+}
+
+/**
+ * Process a single notify payload
+ */
+static void process_notify(private_ike_cert_pre_t *this,
+ notify_payload_t *notify)
+{
+ switch (notify->get_notify_type(notify))
+ {
+ case HTTP_CERT_LOOKUP_SUPPORTED:
+ this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
* read certificate requests
*/
static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
@@ -73,62 +139,11 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
switch (payload->get_type(payload))
{
case CERTIFICATE_REQUEST:
- {
- certreq_payload_t *certreq = (certreq_payload_t*)payload;
- enumerator_t *enumerator;
- u_int unknown = 0;
- chunk_t keyid;
-
- this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
-
- if (certreq->get_cert_type(certreq) != CERT_X509)
- {
- DBG1(DBG_IKE, "cert payload %N not supported - ignored",
- certificate_type_names, certreq->get_cert_type(certreq));
- break;
- }
- enumerator = certreq->create_keyid_enumerator(certreq);
- while (enumerator->enumerate(enumerator, &keyid))
- {
- identification_t *id;
- certificate_t *cert;
-
- id = identification_create_from_encoding(ID_KEY_ID, keyid);
- cert = lib->credmgr->get_cert(lib->credmgr,
- CERT_X509, KEY_ANY, id, TRUE);
- if (cert)
- {
- DBG1(DBG_IKE, "received cert request for \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_RULE_CA_CERT, cert);
- }
- else
- {
- DBG2(DBG_IKE, "received cert request for unknown ca "
- "with keyid %Y", id);
- unknown++;
- }
- id->destroy(id);
- }
- enumerator->destroy(enumerator);
- if (unknown)
- {
- DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
- unknown);
- }
+ process_certreq(this, (certreq_payload_t*)payload, auth);
break;
- }
case NOTIFY:
- {
- notify_payload_t *notify = (notify_payload_t*)payload;
-
- /* we only handle one type of notify here */
- if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
- {
- this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
- }
+ process_notify(this, (notify_payload_t*)payload);
break;
- }
default:
/* ignore other payloads here, these are handled elsewhere */
break;
@@ -177,7 +192,75 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
}
/**
- * import certificates
+ * Process a X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth,
+ cert_encoding_t encoding, bool *first)
+{
+ certificate_t *cert;
+ char *url;
+
+ cert = try_get_cert(payload);
+ if (cert)
+ {
+ if (*first)
+ { /* the first is an end entity certificate */
+ DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+ *first = FALSE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+ }
+ }
+ else if (encoding == ENC_X509_HASH_AND_URL)
+ {
+ /* we fetch the certificate not yet, but only if
+ * it is really needed during authentication */
+ url = payload->get_url(payload);
+ if (!url)
+ {
+ DBG1(DBG_IKE, "received invalid hash-and-url "
+ "encoded cert, ignore");
+ return;
+ }
+ url = strdup(url);
+ if (first)
+ { /* first URL is for an end entity certificate */
+ DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"",
+ url);
+ auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
+ first = FALSE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received hash-and-url for issuer cert \"%s\"", url);
+ auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
+ }
+ }
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+ certificate_t *cert;
+
+ cert = payload->get_cert(payload);
+ if (cert)
+ {
+ DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+ }
+}
+
+/**
+ * Process certificate payloads
*/
static void process_certs(private_ike_cert_pre_t *this, message_t *message)
{
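Review bot: In the hash-and-url branch of `process_x509()`, `first` is now a `bool *`, but the branch still tests `if (first)` and assigns `first = FALSE;`, whereas the certificate branch above it correctly uses `*first`. The pointer passed from `process_certs()` (`&first`) is never NULL, so every hash-and-url payload is stored as `AUTH_HELPER_SUBJECT_HASH_URL` and the caller's flag is never cleared. A later payload in the same message can therefore still be classified as the end entity certificate. The two lines should read `if (*first)` and `*first = FALSE;`. Separately, the result of `strdup(url)` is used without a NULL check.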
@@ -195,8 +278,6 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
{
cert_payload_t *cert_payload;
cert_encoding_t encoding;
- certificate_t *cert;
- char *url;
cert_payload = (cert_payload_t*)payload;
encoding = cert_payload->get_cert_encoding(cert_payload);
@@ -204,70 +285,18 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
switch (encoding)
{
case ENC_X509_HASH_AND_URL:
- {
if (!this->do_http_lookup)
{
- DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
- " we don't accept them, ignore");
+ DBG1(DBG_IKE, "received hash-and-url encoded cert, but "
+ "we don't accept them, ignore");
break;
}
/* FALL */
- }
case ENC_X509_SIGNATURE:
- {
- cert = try_get_cert(cert_payload);
- if (cert)
- {
- if (first)
- { /* the first is an end entity certificate */
- DBG1(DBG_IKE, "received end entity cert \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
- first = FALSE;
- }
- else
- {
- DBG1(DBG_IKE, "received issuer cert \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_HELPER_IM_CERT, cert);
- }
- }
- else if (encoding == ENC_X509_HASH_AND_URL)
- {
- /* we fetch the certificate not yet, but only if
- * it is really needed during authentication */
- url = cert_payload->get_url(cert_payload);
- if (!url)
- {
- DBG1(DBG_IKE, "received invalid hash-and-url "
- "encoded cert, ignore");
- break;
- }
- url = strdup(url);
- if (first)
- { /* first URL is for an end entity certificate */
- DBG1(DBG_IKE, "received hash-and-url for end"
- " entity cert \"%s\"", url);
- auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
- first = FALSE;
- }
- else
- {
- DBG1(DBG_IKE, "received hash-and-url for issuer"
- " cert \"%s\"", url);
- auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
- }
- }
+ process_x509(cert_payload, auth, encoding, &first);
break;
- }
case ENC_CRL:
- cert = cert_payload->get_cert(cert_payload);
- if (cert)
- {
- DBG1(DBG_IKE, "received CRL \"%Y\"",
- cert->get_subject(cert));
- auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
- }
+ process_crl(cert_payload, auth);
break;
case ENC_PKCS7_WRAPPED_X509:
case ENC_PGP:
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index c44f0452c..d637c26fe 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -380,6 +380,7 @@ METHOD(task_t, build_r, status_t,
{
DBG1(DBG_IKE, "no virtual IP found, sending %N",
notify_type_names, INTERNAL_ADDRESS_FAILURE);
+ charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
chunk_empty);
vips->destroy_offset(vips, offsetof(host_t, destroy));
@@ -390,6 +391,7 @@ METHOD(task_t, build_r, status_t,
{
DBG1(DBG_IKE, "expected a virtual IP request, sending %N",
notify_type_names, FAILED_CP_REQUIRED);
+ charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
message->add_notify(message, FALSE, FAILED_CP_REQUIRED, chunk_empty);
vips->destroy_offset(vips, offsetof(host_t, destroy));
pools->destroy(pools);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index f2a06735e..7542937b3 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -187,6 +187,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
EXT_STRONGSWAN);
this->proposal = this->config->select_proposal(this->config,
proposal_list, private);
+ if (!this->proposal)
+ {
+ charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE,
+ proposal_list);
+ }
proposal_list->destroy_offset(proposal_list,
offsetof(proposal_t, destroy));
break;
@@ -421,7 +426,7 @@ METHOD(task_t, process_i, status_t,
enumerator_t *enumerator;
payload_t *payload;
- /* check for erronous notifies */
+ /* check for erroneous notifies */
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
index 3b447af51..b145a9a8b 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
@@ -26,7 +26,7 @@ typedef struct ike_mobike_t ike_mobike_t;
#include <library.h>
#include <sa/ike_sa.h>
#include <sa/task.h>
-#include <utils/packet.h>
+#include <networking/packet.h>
/**
* Task of type ike_mobike, detects and handles MOBIKE extension.
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 5af43fb91..94be7d433 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -18,7 +18,7 @@
#include <hydra.h>
#include <daemon.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_shunt_manager_t private_shunt_manager_t;
diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
index 12ff08558..28a795dc9 100644
--- a/src/libcharon/sa/shunt_manager.h
+++ b/src/libcharon/sa/shunt_manager.h
@@ -22,7 +22,7 @@
#define SHUNT_MANAGER_H_
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <config/child_cfg.h>
typedef struct shunt_manager_t shunt_manager_t;
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index fdcfa0a20..6c0ae19c7 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2012 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -19,7 +19,7 @@
#include <hydra.h>
#include <daemon.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_trap_manager_t private_trap_manager_t;
@@ -94,36 +94,14 @@ static void destroy_entry(entry_t *entry)
METHOD(trap_manager_t, install, u_int32_t,
private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child)
{
- entry_t *entry;
+ entry_t *entry, *found = NULL;
ike_cfg_t *ike_cfg;
child_sa_t *child_sa;
host_t *me, *other;
linked_list_t *my_ts, *other_ts, *list;
enumerator_t *enumerator;
- bool found = FALSE;
status_t status;
- u_int32_t reqid;
-
- /* check if not already done */
- this->lock->read_lock(this->lock);
- enumerator = this->traps->create_enumerator(this->traps);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (streq(entry->child_sa->get_name(entry->child_sa),
- child->get_name(child)))
- {
- found = TRUE;
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
- if (found)
- {
- DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
- child->get_name(child));
- return 0;
- }
+ u_int32_t reqid = 0;
/* try to resolve addresses */
ike_cfg = peer->get_ike_cfg(peer);
@@ -150,8 +128,28 @@ METHOD(trap_manager_t, install, u_int32_t,
me->set_port(me, ike_cfg->get_my_port(ike_cfg));
}
+ this->lock->write_lock(this->lock);
+ enumerator = this->traps->create_enumerator(this->traps);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (streq(entry->child_sa->get_name(entry->child_sa),
+ child->get_name(child)))
+ {
+ this->traps->remove_at(this->traps, enumerator);
+ found = entry;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (found)
+ { /* config might have changed so update everything */
+ DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'",
+ child->get_name(child));
+ reqid = found->child_sa->get_reqid(found->child_sa);
+ }
+
/* create and route CHILD_SA */
- child_sa = child_sa_create(me, other, child, 0, FALSE);
+ child_sa = child_sa_create(me, other, child, reqid, FALSE);
list = linked_list_create_with_items(me, NULL);
my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
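Review bot: The write lock taken before the lookup is now held across `child_sa_create()` and everything up to the `unlock` in the next hunk, so any other user of `this->lock` waits while the trap is being set up. The code between the two hunks is not shown, so how long the lock is held cannot be judged from here. A comment at the `write_lock` call would make the intent explicit, for example `/* hold the write lock from lookup to insert so two installs of the same child config cannot race */`. If the policy installation in between can block on the kernel, it is worth confirming that nothing on that path takes the same lock.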
@@ -171,21 +169,29 @@ METHOD(trap_manager_t, install, u_int32_t,
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
if (status != SUCCESS)
{
- child_sa->destroy(child_sa);
DBG1(DBG_CFG, "installing trap failed");
- return 0;
+ reqid = 0;
+ /* hold off destroying the CHILD_SA until we released the lock */
+ }
+ else
+ {
+ INIT(entry,
+ .child_sa = child_sa,
+ .peer_cfg = peer->get_ref(peer),
+ );
+ this->traps->insert_last(this->traps, entry);
+ reqid = child_sa->get_reqid(child_sa);
}
-
- reqid = child_sa->get_reqid(child_sa);
- INIT(entry,
- .child_sa = child_sa,
- .peer_cfg = peer->get_ref(peer),
- );
-
- this->lock->write_lock(this->lock);
- this->traps->insert_last(this->traps, entry);
this->lock->unlock(this->lock);
+ if (status != SUCCESS)
+ {
+ child_sa->destroy(child_sa);
+ }
+ if (found)
+ {
+ destroy_entry(found);
+ }
return reqid;
}
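Review bot: When an already routed entry is found and the new installation fails, the old trap is lost as well, because `found` was removed from `this->traps` in the previous hunk and `destroy_entry(found)` runs regardless of `status`. The function then returns 0 and the config is left without any trap, where the old code kept the existing one. Consider putting the old entry back in the `status != SUCCESS` branch before the unlock, e.g. `this->traps->insert_last(this->traps, found); found = NULL;`, or document that a failed re-install unroutes the connection. Whether the old CHILD_SA's policies survive the failed attempt depends on code outside this hunk, and `install()` itself starts before it.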
diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h
index 928b2a49f..e3d355662 100644
--- a/src/libcharon/sa/trap_manager.h
+++ b/src/libcharon/sa/trap_manager.h
@@ -22,7 +22,7 @@
#define TRAP_MANAGER_H_
#include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <config/peer_cfg.h>
typedef struct trap_manager_t trap_manager_t;
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
index 432c9c0ab..f0602a673 100644
--- a/src/libcharon/sa/xauth/xauth_manager.c
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -15,7 +15,7 @@
#include "xauth_manager.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_xauth_manager_t private_xauth_manager_t;
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 78341c7e7..906ea2119 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
"$(DESTDIR)$(fast_includedir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES)
+libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES) $(EXTRA_libfast_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libfast_la_OBJECTS) $(libfast_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -428,9 +437,7 @@ uninstall-nobase_fast_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nobase_fast_include_HEADERS)'; test -n "$(fast_includedir)" || list=; \
$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(fast_includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(fast_includedir)" && rm -f $$files
+ dir='$(DESTDIR)$(fast_includedir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -531,10 +538,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libfast/dispatcher.c b/src/libfast/dispatcher.c
index 63c872e35..e5a02c63b 100644
--- a/src/libfast/dispatcher.c
+++ b/src/libfast/dispatcher.c
@@ -22,12 +22,12 @@
#include <signal.h>
#include <unistd.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <threading/condvar.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
/** Intervall to check for expired sessions, in seconds */
#define CLEANUP_INTERVAL 30
diff --git a/src/libfast/request.c b/src/libfast/request.c
index 6ca474037..5d03227af 100644
--- a/src/libfast/request.c
+++ b/src/libfast/request.c
@@ -18,7 +18,7 @@
#include "request.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <stdlib.h>
#include <pthread.h>
#include <string.h>
diff --git a/src/libfast/session.c b/src/libfast/session.c
index cf14dbeb6..87a157b61 100644
--- a/src/libfast/session.c
+++ b/src/libfast/session.c
@@ -21,7 +21,7 @@
#include <fcgiapp.h>
#include <stdio.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#define COOKIE_LEN 16
diff --git a/src/libfast/smtp.c b/src/libfast/smtp.c
index 1375c2944..a6ca67ddc 100644
--- a/src/libfast/smtp.c
+++ b/src/libfast/smtp.c
@@ -18,7 +18,7 @@
#include <unistd.h>
#include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_smtp_t private_smtp_t;
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index a10981a94..f433b24dc 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -87,6 +87,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
@@ -172,6 +178,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -199,6 +206,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -226,6 +234,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -238,6 +247,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -291,7 +301,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -436,7 +445,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES)
+libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -733,10 +742,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libhydra/attributes/attribute_handler.h
index 6014ef0fa..bc488f6cb 100644
--- a/src/libhydra/attributes/attribute_handler.h
+++ b/src/libhydra/attributes/attribute_handler.h
@@ -21,9 +21,9 @@
#ifndef ATTRIBUTE_HANDLER_H_
#define ATTRIBUTE_HANDLER_H_
-#include <chunk.h>
+#include <utils/chunk.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include "attributes.h"
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c
index 000d2e082..5fda8b426 100644
--- a/src/libhydra/attributes/attribute_manager.c
+++ b/src/libhydra/attributes/attribute_manager.c
@@ -15,8 +15,8 @@
#include "attribute_manager.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_attribute_manager_t private_attribute_manager_t;
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h
index e5e556fc4..adfd4a516 100644
--- a/src/libhydra/attributes/attribute_provider.h
+++ b/src/libhydra/attributes/attribute_provider.h
@@ -21,9 +21,9 @@
#ifndef ATTRIBUTE_PROVIDER_H_
#define ATTRIBUTE_PROVIDER_H_
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct attribute_provider_t attribute_provider_t;
diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h
index 8ff774b64..c3c37cfc4 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libhydra/attributes/attributes.h
@@ -24,7 +24,7 @@
typedef enum configuration_attribute_type_t configuration_attribute_type_t;
-#include <enum.h>
+#include <utils/enum.h>
/**
* Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 1e150c794..af53e10de 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -16,9 +16,9 @@
#include "mem_pool.h"
-#include <debug.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
#define POOL_LIMIT (sizeof(uintptr_t)*8)
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h
index fa4e6485c..692885ecd 100644
--- a/src/libhydra/attributes/mem_pool.h
+++ b/src/libhydra/attributes/mem_pool.h
@@ -24,7 +24,7 @@
typedef struct mem_pool_t mem_pool_t;
typedef enum mem_pool_op_t mem_pool_op_t;
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
/**
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index 7d6256598..b199b2ffb 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -15,7 +15,7 @@
#include "hydra.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_hydra_t private_hydra_t;
@@ -28,12 +28,22 @@ struct private_hydra_t {
* Public members of hydra_t.
*/
hydra_t public;
+
+ /**
+ * Integrity check failed?
+ */
+ bool integrity_failed;
+
+ /**
+ * Number of times we have been initialized
+ */
+ refcount_t ref;
};
/**
* Single instance of hydra_t.
*/
-hydra_t *hydra;
+hydra_t *hydra = NULL;
/**
* Described in header.
@@ -41,6 +51,12 @@ hydra_t *hydra;
void libhydra_deinit()
{
private_hydra_t *this = (private_hydra_t*)hydra;
+
+ if (!this || !ref_put(&this->ref))
+ { /* have more users */
+ return;
+ }
+
this->public.attributes->destroy(this->public.attributes);
this->public.kernel_interface->destroy(this->public.kernel_interface);
free((void*)this->public.daemon);
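Review bot: Because `libhydra_init()` now branches on `if (hydra)`, the tail of `libhydra_deinit()` has to reset the global with `hydra = NULL;` after freeing the instance. That tail lies outside this hunk, so please confirm it does. Without the reset, an init that follows the last deinit would take a reference on freed memory instead of creating a new instance. A one-line comment next to the reset, such as `/* allow a later libhydra_init() to start from scratch */`, would record the dependency.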
@@ -55,11 +71,19 @@ bool libhydra_init(const char *daemon)
{
private_hydra_t *this;
+ if (hydra)
+ { /* already initialized, increase refcount */
+ this = (private_hydra_t*)hydra;
+ ref_get(&this->ref);
+ return !this->integrity_failed;
+ }
+
INIT(this,
.public = {
.attributes = attribute_manager_create(),
.daemon = strdup(daemon ?: "libhydra"),
},
+ .ref = 1,
);
hydra = &this->public;
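Review bot: The early return for an existing instance ignores the `daemon` argument, so a second caller passing a different name silently gets the instance named by the first caller. The comment added in hydra.h does not mention this; a sentence such as `The daemon name of the first call is used; later calls only take a reference.` would cover it. The `if (hydra)` test and the following `INIT`/`hydra = &this->public;` assignment are also not synchronised, so two threads making the first call concurrently could each create an instance. If single-threaded initialisation is the assumption, that should be documented as well. The body of `libhydra_init()` continues outside the hunk.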
@@ -69,8 +93,8 @@ bool libhydra_init(const char *daemon)
!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
{
DBG1(DBG_LIB, "integrity check of libhydra failed");
- return FALSE;
+ this->integrity_failed = TRUE;
}
- return TRUE;
+ return !this->integrity_failed;
}
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index d7a7d8de4..2a8709d72 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -72,6 +72,9 @@ extern hydra_t *hydra;
*
* The daemon's name is used to load daemon-specific settings.
*
+ * libhydra_init() may be called multiple times in a single process, but each
+ * caller should call libhydra_deinit() for each call to libhydra_init().
+ *
* @param daemon name of the daemon that initializes the library
* @return FALSE if integrity check failed
*/
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 5320ee2e9..8948e0561 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -40,9 +40,9 @@
#include "kernel_interface.h"
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_kernel_interface_t private_kernel_interface_t;
@@ -312,23 +312,24 @@ METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
}
METHOD(kernel_interface_t, add_ip, status_t,
- private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip)
+ private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
+ char *iface)
{
if (!this->net)
{
return NOT_SUPPORTED;
}
- return this->net->add_ip(this->net, virtual_ip, iface_ip);
+ return this->net->add_ip(this->net, virtual_ip, prefix, iface);
}
METHOD(kernel_interface_t, del_ip, status_t,
- private_kernel_interface_t *this, host_t *virtual_ip)
+ private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait)
{
if (!this->net)
{
return NOT_SUPPORTED;
}
- return this->net->del_ip(this->net, virtual_ip);
+ return this->net->del_ip(this->net, virtual_ip, prefix, wait);
}
METHOD(kernel_interface_t, add_route, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 88d4a5bce..8d8ef2e83 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -48,7 +48,7 @@
typedef struct kernel_interface_t kernel_interface_t;
-#include <utils/host.h>
+#include <networking/host.h>
#include <crypto/prf_plus.h>
#include <kernel/kernel_listener.h>
@@ -333,14 +333,14 @@ struct kernel_interface_t {
* Virtual IPs are attached to an interface. If an IP is added multiple
* times, the IP is refcounted and not removed until del_ip() was called
* as many times as add_ip().
- * The virtual IP is attached to the interface where the iface_ip is found.
*
* @param virtual_ip virtual ip address to assign
- * @param iface_ip IP of an interface to attach virtual IP
+ * @param prefix prefix length to install IP with, -1 for auto
+ * @param iface interface to install virtual IP on
* @return SUCCESS if operation completed
*/
- status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
- host_t *iface_ip);
+ status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix,
+ char *iface);
/**
* Remove a virtual IP from an interface.
@@ -348,9 +348,12 @@ struct kernel_interface_t {
* The kernel interface uses refcounting, see add_ip().
*
* @param virtual_ip virtual ip address to assign
+ * @param prefix prefix length of the IP to uninstall, -1 for auto
+ * @param wait TRUE to wait untily IP is gone
* @return SUCCESS if operation completed
*/
- status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
+ status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
+ int prefix, bool wait);
/**
* Add a route.
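Review bot: The new `@param wait` line contains a typo, "untily", which will end up in the generated API documentation; it should read `* @param wait TRUE to wait until IP is gone`, as the same parameter is worded in kernel_net.h. The unchanged `@param virtual_ip` line above it still says "to assign" although this is the removal call, and could be corrected in the same pass to `virtual ip address to remove`.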
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ee0ade2aa..1da0805cb 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -26,7 +26,7 @@
typedef struct kernel_ipsec_t kernel_ipsec_t;
-#include <utils/host.h>
+#include <networking/host.h>
#include <ipsec/ipsec_types.h>
#include <selectors/traffic_selector.h>
#include <plugins/plugin.h>
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 5db297b6f..27ea947eb 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -25,7 +25,7 @@ typedef struct kernel_listener_t kernel_listener_t;
#include <kernel/kernel_ipsec.h>
#include <selectors/traffic_selector.h>
-#include <utils/host.h>
+#include <networking/host.h>
/**
* Interface for components interested in kernel events.
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 10350d644..6a3b2cee7 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -25,8 +25,8 @@
typedef struct kernel_net_t kernel_net_t;
typedef enum kernel_address_type_t kernel_address_type_t;
-#include <utils/enumerator.h>
-#include <utils/host.h>
+#include <collections/enumerator.h>
+#include <networking/host.h>
#include <plugins/plugin.h>
/**
@@ -112,14 +112,14 @@ struct kernel_net_t {
* Virtual IPs are attached to an interface. If an IP is added multiple
* times, the IP is refcounted and not removed until del_ip() was called
* as many times as add_ip().
- * The virtual IP is attached to the interface where the iface_ip is found.
*
* @param virtual_ip virtual ip address to assign
- * @param iface_ip IP of an interface to attach virtual IP
+ * @param prefix prefix length to install with IP address, -1 for auto
+ * @param iface interface to install virtual IP on
* @return SUCCESS if operation completed
*/
- status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
- host_t *iface_ip);
+ status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+ char *iface);
/**
* Remove a virtual IP from an interface.
@@ -127,9 +127,12 @@ struct kernel_net_t {
* The kernel interface uses refcounting, see add_ip().
*
* @param virtual_ip virtual ip address to assign
+ * @param prefix prefix length of the IP to uninstall, -1 for auto
+ * @param wait TRUE to wait until IP is gone
* @return SUCCESS if operation completed
*/
- status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
+ status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+ bool wait);
/**
* Add a route.
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 831adf9d6..9dc84880a 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_attr_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES)
+libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_la_DEPENDENCIES)
$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index c1c3cd895..1f333d03f 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -19,8 +19,8 @@
#include <time.h>
#include <hydra.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
#define SERVER_MAX 2
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 71810ae5e..416712f3d 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_attr_sql_la_LIBADD =
@@ -133,6 +139,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -160,6 +167,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -187,6 +195,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -199,6 +208,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -252,7 +262,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -391,7 +400,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES)
+libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_sql_la_DEPENDENCIES)
$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
@@ -436,7 +445,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES)
+pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) $(EXTRA_pool_DEPENDENCIES)
@rm -f pool$(EXEEXT)
$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
@@ -578,10 +587,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index c04ec9a01..69e6f7be6 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -14,7 +14,7 @@
*/
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "attr_sql_plugin.h"
#include "sql_attribute.h"
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index a2000cffe..f355e96e2 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -21,9 +21,9 @@
#include <string.h>
#include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
#include <attributes/attributes.h>
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
index d3fc06eeb..5dcfe85ed 100644
--- a/src/libhydra/plugins/attr_sql/pool_attributes.c
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -17,7 +17,7 @@
#include <string.h>
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include "pool_attributes.h"
#include "pool_usage.h"
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index a7d90e728..1a4ee7a51 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -15,7 +15,7 @@
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
#include "sql_attribute.h"
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 1dd633ee2..d62261d0b 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_kernel_klips_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES)
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_klips_la_DEPENDENCIES)
$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index d875dab04..431174e72 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -29,8 +29,8 @@
#include "kernel_klips_ipsec.h"
#include <hydra.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/thread.h>
#include <threading/mutex.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index d0adb3b1e..f0b3c9cfc 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_kernel_netlink_la_LIBADD =
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -381,7 +390,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES)
+libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES)
$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -521,10 +530,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 4f5b6600d..f9b2634a0 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -36,11 +36,11 @@
#include "kernel_netlink_shared.h"
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
/** Required for Linux 2.6.26 kernel and later */
@@ -1537,7 +1537,8 @@ failed:
* Allocates into one the replay state structure we get from the kernel.
*/
static void get_replay_state(private_kernel_netlink_ipsec_t *this,
- u_int32_t spi, u_int8_t protocol, host_t *dst,
+ u_int32_t spi, u_int8_t protocol,
+ host_t *dst, mark_t mark,
struct xfrm_replay_state_esn **replay_esn,
struct xfrm_replay_state **replay)
{
@@ -1566,6 +1567,24 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
aevent_id->sa_id.proto = protocol;
aevent_id->sa_id.family = dst->get_family(dst);
+ if (mark.value)
+ {
+ struct xfrm_mark *mrk;
+ struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
+
+ rthdr->rta_type = XFRMA_MARK;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return;
+ }
+
+ mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+ mrk->v = mark.value;
+ mrk->m = mark.mask;
+ }
+
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
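Review bot: The bounds check in the added `if (mark.value)` block runs after `rthdr->rta_type` and `rthdr->rta_len` have already been written, so it cannot protect those two stores if the attribute does not fit in `request`. Testing first, e.g. `if (hdr->nlmsg_len + RTA_ALIGN(RTA_LENGTH(sizeof(struct xfrm_mark))) > sizeof(request)) { return; }`, and only then filling in the header keeps the check meaningful; `request` is declared outside the hunk, so this is probably not reachable with the current buffer size. The early `return` is also silent, which leaves the caller without replay state and without a log line explaining why. The same block with the same ordering is added to update_sa in the next hunk (there with `return FAILED`). Both function bodies start and end outside their hunks.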
@@ -1834,6 +1853,24 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
sa_id->proto = protocol;
sa_id->family = dst->get_family(dst);
+ if (mark.value)
+ {
+ struct xfrm_mark *mrk;
+ struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
+
+ rthdr->rta_type = XFRMA_MARK;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+ hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+ mrk->v = mark.value;
+ mrk->m = mark.mask;
+ }
+
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
@@ -1868,7 +1905,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
goto failed;
}
- get_replay_state(this, spi, protocol, dst, &replay_esn, &replay);
+ get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay);
/* delete the old SA (without affecting the IPComp SA) */
if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 3f63a8496..e47887859 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -49,14 +49,14 @@
#include "kernel_netlink_shared.h"
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <threading/mutex.h>
#include <threading/rwlock.h>
#include <threading/rwlock_condvar.h>
#include <threading/spinlock.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
/** delay before firing roam events (ms) */
@@ -65,6 +65,9 @@
/** delay before reinstalling routes (ms) */
#define ROUTE_DELAY 100
+/** maximum recursion when searching for addresses in get_route() */
+#define MAX_ROUTE_RECURSION 2
+
typedef struct addr_entry_t addr_entry_t;
/**
@@ -543,12 +546,7 @@ static void queue_route_reinstall(private_kernel_netlink_net_t *this,
time_monotonic(&now);
if (timercmp(&now, &this->last_route_reinstall, >))
{
- now.tv_usec += ROUTE_DELAY * 1000;
- while (now.tv_usec > 1000000)
- {
- now.tv_sec++;
- now.tv_usec -= 1000000;
- }
+ timeval_add_ms(&now, ROUTE_DELAY);
this->last_route_reinstall = now;
job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
@@ -704,12 +702,7 @@ static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
this->roam_lock->unlock(this->roam_lock);
return;
}
- now.tv_usec += ROAM_DELAY * 1000;
- while (now.tv_usec > 1000000)
- {
- now.tv_sec++;
- now.tv_usec -= 1000000;
- }
+ timeval_add_ms(&now, ROAM_DELAY);
this->next_roam = now;
this->roam_lock->unlock(this->roam_lock);
@@ -1236,6 +1229,19 @@ METHOD(kernel_net_t, get_interface_name, bool,
this->lock->unlock(this->lock);
return TRUE;
}
+ /* in a second step, consider virtual IPs installed by us */
+ entry = this->vips->get_match(this->vips, &lookup,
+ (void*)addr_map_entry_match_up_and_usable);
+ if (entry)
+ {
+ if (name)
+ {
+ *name = strdup(entry->iface->ifname);
+ DBG2(DBG_KNL, "virtual %H is on interface %s", ip, *name);
+ }
+ this->lock->unlock(this->lock);
+ return TRUE;
+ }
/* maybe it is installed on an ignored interface */
entry = this->addrs->get_match(this->addrs, &lookup,
(void*)addr_map_entry_match_up);
@@ -1400,7 +1406,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
* Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
*/
static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
- bool nexthop, host_t *candidate)
+ bool nexthop, host_t *candidate, u_int recursion)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out, *current;
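Review bot: The comment above get_route() still describes only the `nexthop` switch and says nothing about the new `recursion` argument. Since that value bounds a self-recursive lookup, the contract is worth stating, for example `* "recursion" is the current nesting depth: external callers pass 0, and lookups nested deeper than MAX_ROUTE_RECURSION return NULL.` The function body continues outside this hunk; the depth check and the `recursion + 1` call are in the following hunks.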
@@ -1412,6 +1418,11 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
enumerator_t *enumerator;
host_t *addr = NULL;
+ if (recursion > MAX_ROUTE_RECURSION)
+ {
+ return NULL;
+ }
+
memset(&request, 0, sizeof(request));
hdr = (struct nlmsghdr*)request;
@@ -1567,8 +1578,12 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
host_t *gtw;
gtw = host_create_from_chunk(msg->rtm_family, route->gtw, 0);
- route->src_host = get_route(this, gtw, FALSE, candidate);
- gtw->destroy(gtw);
+ if (gtw && !gtw->ip_equals(gtw, dest))
+ {
+ route->src_host = get_route(this, gtw, FALSE, candidate,
+ recursion + 1);
+ }
+ DESTROY_IF(gtw);
if (route->src_host)
{ /* more of the same */
if (!candidate ||
@@ -1607,7 +1622,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
DBG2(DBG_KNL, "using %H as %s to reach %H", addr,
nexthop ? "nexthop" : "address", dest);
}
- else
+ else if (!recursion)
{
DBG2(DBG_KNL, "no %s found to reach %H",
nexthop ? "nexthop" : "address", dest);
@@ -1618,13 +1633,13 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
METHOD(kernel_net_t, get_source_addr, host_t*,
private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
{
- return get_route(this, dest, FALSE, src);
+ return get_route(this, dest, FALSE, src, 0);
}
METHOD(kernel_net_t, get_nexthop, host_t*,
private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
{
- return get_route(this, dest, TRUE, src);
+ return get_route(this, dest, TRUE, src, 0);
}
/**
@@ -1632,7 +1647,7 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
* By setting the appropriate nlmsg_type, the ip will be set or unset.
*/
static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
- int flags, int if_index, host_t *ip)
+ int flags, int if_index, host_t *ip, int prefix)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
@@ -1651,7 +1666,7 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
msg->ifa_family = ip->get_family(ip);
msg->ifa_flags = 0;
- msg->ifa_prefixlen = 8 * chunk.len;
+ msg->ifa_prefixlen = prefix < 0 ? chunk.len * 8 : prefix;
msg->ifa_scope = RT_SCOPE_UNIVERSE;
msg->ifa_index = if_index;
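Review bot: `prefix` is only tested for being negative before it is stored in `msg->ifa_prefixlen`, which is an 8-bit field, so a value larger than the address length is handed to the kernel unchanged and a value above 255 is silently truncated to an unrelated prefix length. A range check ahead of the assignment, such as `if (prefix > (int)(chunk.len * 8)) { return FAILED; }`, would reject both cases. Where `prefix` originates is not visible here; if it can come from configuration or from a peer-supplied attribute, the check matters more. manage_ipaddr()'s body starts and ends outside the hunk.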
@@ -1661,7 +1676,8 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
}
METHOD(kernel_net_t, add_ip, status_t,
- private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip)
+ private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
+ char *iface_name)
{
addr_map_entry_t *entry, lookup = {
.ip = virtual_ip,
@@ -1712,17 +1728,11 @@ METHOD(kernel_net_t, add_ip, status_t,
this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
(void**)&iface, this->install_virtual_ip_on) != SUCCESS)
{
- lookup.ip = iface_ip;
- entry = this->addrs->get_match(this->addrs, &lookup,
- (void*)addr_map_entry_match);
- if (!entry)
+ if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
+ (void**)&iface, iface_name) != SUCCESS)
{ /* if we don't find the requested interface we just use the first */
this->ifaces->get_first(this->ifaces, (void**)&iface);
}
- else
- {
- iface = entry->iface;
- }
}
if (iface)
{
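Review bot: When `iface_name` does not match any known interface, the new lookup falls through to `get_first()` and the virtual IP is installed on whichever interface happens to be first, with no log output. An address that ends up on a different link than the caller requested is hard to spot afterwards, so a message at that point would help, e.g. `DBG1(DBG_KNL, "requested interface not found, installing %H on first interface", virtual_ip);`. Whether a NULL `iface_name` is tolerated depends on `iface_entry_by_name`, which is outside the hunk; if callers may pass NULL, the `@param iface` documentation should say so. The parameter is named `iface` in kernel_net.h but `iface_name` here.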
@@ -1736,7 +1746,7 @@ METHOD(kernel_net_t, add_ip, status_t,
iface->addrs->insert_last(iface->addrs, addr);
addr_map_entry_add(this->vips, addr, iface);
if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
- iface->ifindex, virtual_ip) == SUCCESS)
+ iface->ifindex, virtual_ip, prefix) == SUCCESS)
{
while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
{ /* wait until address appears */
@@ -1761,7 +1771,8 @@ METHOD(kernel_net_t, add_ip, status_t,
}
METHOD(kernel_net_t, del_ip, status_t,
- private_kernel_netlink_net_t *this, host_t *virtual_ip)
+ private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
+ bool wait)
{
addr_map_entry_t *entry, lookup = {
.ip = virtual_ip,
@@ -1800,8 +1811,8 @@ METHOD(kernel_net_t, del_ip, status_t,
* until the entry is gone, also so we can wait below */
entry->addr->installed = FALSE;
status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex,
- virtual_ip);
- if (status == SUCCESS)
+ virtual_ip, prefix);
+ if (status == SUCCESS && wait)
{ /* wait until the address is really gone */
while (is_known_vip(this, virtual_ip))
{
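Review bot: With `wait` set to FALSE, del_ip() now returns as soon as the RTM_DELADDR request has succeeded, while the entry has only been marked `installed = FALSE`; the comment just above still says the flag is cleared "so we can wait below". Judging by the `is_known_vip()` loop, the address is presumably still tracked at that point, so a caller that re-adds the same IP right away may race with the pending removal. A short comment stating what non-waiting callers may rely on would help, e.g. `/* without wait the address may still be present when we return */`. The rest of del_ip(), including locking and refcount handling on this path, is outside the hunk.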
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index 285f6c8b2..561e8529d 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -21,7 +21,7 @@
#include "kernel_netlink_shared.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
typedef struct private_netlink_socket_t private_netlink_socket_t;
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index aac85a4e6..5f3a3c590 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_kernel_pfkey_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES)
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfkey_la_DEPENDENCIES)
$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index b099bc714..71bdbbe2b 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -58,10 +58,10 @@
#include "kernel_pfkey_ipsec.h"
#include <hydra.h>
-#include <debug.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
#include <threading/thread.h>
#include <threading/mutex.h>
#include <processing/jobs/callback_job.h>
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 6fa2fc9c1..56ba5aac7 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_kernel_pfroute_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -375,7 +384,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES)
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfroute_la_DEPENDENCIES)
$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 16a46bb56..7ac3e8a3c 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -24,13 +24,13 @@
#include "kernel_pfroute_net.h"
#include <hydra.h>
-#include <debug.h>
-#include <utils/host.h>
+#include <utils/debug.h>
+#include <networking/host.h>
#include <threading/thread.h>
#include <threading/mutex.h>
#include <threading/rwlock.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
@@ -285,12 +285,7 @@ static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
time_monotonic(&now);
if (timercmp(&now, &this->last_roam, >))
{
- now.tv_usec += ROAM_DELAY * 1000;
- while (now.tv_usec > 1000000)
- {
- now.tv_sec++;
- now.tv_usec -= 1000000;
- }
+ timeval_add_ms(&now, ROAM_DELAY);
this->last_roam = now;
job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
@@ -645,13 +640,15 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
}
METHOD(kernel_net_t, add_ip, status_t,
- private_kernel_pfroute_net_t *this, host_t *virtual_ip, host_t *iface_ip)
+ private_kernel_pfroute_net_t *this, host_t *virtual_ip, int prefix,
+ char *iface)
{
return FAILED;
}
METHOD(kernel_net_t, del_ip, status_t,
- private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+ private_kernel_pfroute_net_t *this, host_t *virtual_ip, int prefix,
+ bool wait)
{
return FAILED;
}
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index aed5ee19d..f26c04fbe 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_resolve_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES)
+libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) $(EXTRA_libstrongswan_resolve_la_DEPENDENCIES)
$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index 0a3094fd7..6b8d6be7f 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -21,7 +21,7 @@
#include <unistd.h>
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
/* path to resolvconf executable */
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index e0e8f1017..51a7be046 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -8,16 +8,32 @@ libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
libimcv_la_SOURCES = \
imcv.h imcv.c \
imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+ imc/imc_msg.h imc/imc_msg.c \
imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+ imv/imv_msg.h imv/imv_msg.c \
+ imv/imv_lang_string.h imv/imv_lang_string.c \
+ imv/imv_reason_string.h imv/imv_reason_string.c \
+ imv/imv_remediation_string.h imv/imv_remediation_string.c \
ietf/ietf_attr.h ietf/ietf_attr.c \
+ ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+ ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
+ ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
+ ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
+ ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
+ ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
+ ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \
ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \
- ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
- ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+ ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \
+ ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \
ita/ita_attr.h ita/ita_attr.c \
ita/ita_attr_command.h ita/ita_attr_command.c \
ita/ita_attr_dummy.h ita/ita_attr_dummy.c \
+ ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
+ ita/ita_attr_settings.h ita/ita_attr_settings.c \
+ ita/ita_attr_angel.h ita/ita_attr_angel.c \
+ os_info/os_info.h os_info/os_info.c \
pa_tnc/pa_tnc_attr.h \
pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
@@ -38,4 +54,12 @@ endif
if USE_IMV_SCANNER
SUBDIRS += plugins/imv_scanner
-endif
+endif
+
+if USE_IMC_OS
+ SUBDIRS += plugins/imc_os
+endif
+
+if USE_IMV_OS
+ SUBDIRS += plugins/imv_os
+endif
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index d1a1373af..4263d0a74 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -38,6 +38,8 @@ host_triplet = @host@
@USE_IMV_TEST_TRUE@am__append_2 = plugins/imv_test
@USE_IMC_SCANNER_TRUE@am__append_3 = plugins/imc_scanner
@USE_IMV_SCANNER_TRUE@am__append_4 = plugins/imv_scanner
+@USE_IMC_OS_TRUE@am__append_5 = plugins/imc_os
+@USE_IMV_OS_TRUE@am__append_6 = plugins/imv_os
subdir = src/libimcv
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -77,14 +79,28 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libimcv_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
-am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imv_agent.lo ietf_attr.lo \
- ietf_attr_pa_tnc_error.lo ietf_attr_port_filter.lo \
- ietf_attr_product_info.lo ietf_attr_attr_request.lo \
- ietf_attr_assess_result.lo ita_attr.lo ita_attr_command.lo \
- ita_attr_dummy.lo pa_tnc_msg.lo pa_tnc_attr_manager.lo
+am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imc_msg.lo imv_agent.lo \
+ imv_msg.lo imv_lang_string.lo imv_reason_string.lo \
+ imv_remediation_string.lo ietf_attr.lo \
+ ietf_attr_assess_result.lo ietf_attr_attr_request.lo \
+ ietf_attr_fwd_enabled.lo ietf_attr_default_pwd_enabled.lo \
+ ietf_attr_installed_packages.lo ietf_attr_numeric_version.lo \
+ ietf_attr_op_status.lo ietf_attr_pa_tnc_error.lo \
+ ietf_attr_port_filter.lo ietf_attr_product_info.lo \
+ ietf_attr_remediation_instr.lo ietf_attr_string_version.lo \
+ ita_attr.lo ita_attr_command.lo ita_attr_dummy.lo \
+ ita_attr_get_settings.lo ita_attr_settings.lo \
+ ita_attr_angel.lo os_info.lo pa_tnc_msg.lo \
+ pa_tnc_attr_manager.lo
libimcv_la_OBJECTS = $(am_libimcv_la_OBJECTS)
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -116,7 +132,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = . plugins/imc_test plugins/imv_test plugins/imc_scanner \
- plugins/imv_scanner
+ plugins/imv_scanner plugins/imc_os plugins/imv_os
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -162,6 +178,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -189,6 +206,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -216,6 +234,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -228,6 +247,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -281,7 +301,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -334,22 +353,38 @@ libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
libimcv_la_SOURCES = \
imcv.h imcv.c \
imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+ imc/imc_msg.h imc/imc_msg.c \
imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+ imv/imv_msg.h imv/imv_msg.c \
+ imv/imv_lang_string.h imv/imv_lang_string.c \
+ imv/imv_reason_string.h imv/imv_reason_string.c \
+ imv/imv_remediation_string.h imv/imv_remediation_string.c \
ietf/ietf_attr.h ietf/ietf_attr.c \
+ ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+ ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
+ ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
+ ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
+ ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
+ ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
+ ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \
ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \
- ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
- ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+ ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \
+ ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \
ita/ita_attr.h ita/ita_attr.c \
ita/ita_attr_command.h ita/ita_attr_command.c \
ita/ita_attr_dummy.h ita/ita_attr_dummy.c \
+ ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
+ ita/ita_attr_settings.h ita/ita_attr_settings.c \
+ ita/ita_attr_angel.h ita/ita_attr_angel.c \
+ os_info/os_info.h os_info/os_info.c \
pa_tnc/pa_tnc_attr.h \
pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
SUBDIRS = . $(am__append_1) $(am__append_2) $(am__append_3) \
- $(am__append_4)
+ $(am__append_4) $(am__append_5) $(am__append_6)
all: all-recursive
.SUFFIXES:
@@ -415,7 +450,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES)
+libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) $(EXTRA_libimcv_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -427,15 +462,31 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_assess_result.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_attr_request.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_default_pwd_enabled.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_fwd_enabled.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_installed_packages.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_numeric_version.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_op_status.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_pa_tnc_error.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_port_filter.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_product_info.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_remediation_instr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_string_version.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_msg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_lang_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_reason_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_remediation_string.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_angel.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_command.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_dummy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_get_settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/os_info.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_attr_manager.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_msg.Plo@am__quote@
@@ -467,6 +518,13 @@ imc_agent.lo: imc/imc_agent.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
+imc_msg.lo: imc/imc_msg.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_msg.lo -MD -MP -MF $(DEPDIR)/imc_msg.Tpo -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imc_msg.Tpo $(DEPDIR)/imc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='imc/imc_msg.c' object='imc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+
imv_agent.lo: imv/imv_agent.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_agent.lo -MD -MP -MF $(DEPDIR)/imv_agent.Tpo -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_agent.Tpo $(DEPDIR)/imv_agent.Plo
@@ -474,6 +532,34 @@ imv_agent.lo: imv/imv_agent.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+imv_msg.lo: imv/imv_msg.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_msg.lo -MD -MP -MF $(DEPDIR)/imv_msg.Tpo -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_msg.Tpo $(DEPDIR)/imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='imv/imv_msg.c' object='imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+
+imv_lang_string.lo: imv/imv_lang_string.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_lang_string.lo -MD -MP -MF $(DEPDIR)/imv_lang_string.Tpo -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_lang_string.Tpo $(DEPDIR)/imv_lang_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='imv/imv_lang_string.c' object='imv_lang_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+
+imv_reason_string.lo: imv/imv_reason_string.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_reason_string.lo -MD -MP -MF $(DEPDIR)/imv_reason_string.Tpo -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_reason_string.Tpo $(DEPDIR)/imv_reason_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='imv/imv_reason_string.c' object='imv_reason_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+
+imv_remediation_string.lo: imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_remediation_string.lo -MD -MP -MF $(DEPDIR)/imv_remediation_string.Tpo -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_remediation_string.Tpo $(DEPDIR)/imv_remediation_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='imv/imv_remediation_string.c' object='imv_remediation_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+
ietf_attr.lo: ietf/ietf_attr.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr.lo -MD -MP -MF $(DEPDIR)/ietf_attr.Tpo -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr.Tpo $(DEPDIR)/ietf_attr.Plo
@@ -481,6 +567,55 @@ ietf_attr.lo: ietf/ietf_attr.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
+ietf_attr_assess_result.lo: ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+
+ietf_attr_attr_request.lo: ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+
+ietf_attr_fwd_enabled.lo: ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_fwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_fwd_enabled.Tpo -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_fwd_enabled.Tpo $(DEPDIR)/ietf_attr_fwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_fwd_enabled.c' object='ietf_attr_fwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+
+ietf_attr_default_pwd_enabled.lo: ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_default_pwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo $(DEPDIR)/ietf_attr_default_pwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_default_pwd_enabled.c' object='ietf_attr_default_pwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+
+ietf_attr_installed_packages.lo: ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_installed_packages.lo -MD -MP -MF $(DEPDIR)/ietf_attr_installed_packages.Tpo -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_installed_packages.Tpo $(DEPDIR)/ietf_attr_installed_packages.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_installed_packages.c' object='ietf_attr_installed_packages.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+
+ietf_attr_numeric_version.lo: ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_numeric_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_numeric_version.Tpo -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_numeric_version.Tpo $(DEPDIR)/ietf_attr_numeric_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_numeric_version.c' object='ietf_attr_numeric_version.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+
+ietf_attr_op_status.lo: ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_op_status.lo -MD -MP -MF $(DEPDIR)/ietf_attr_op_status.Tpo -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_op_status.Tpo $(DEPDIR)/ietf_attr_op_status.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_op_status.c' object='ietf_attr_op_status.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+
ietf_attr_pa_tnc_error.lo: ietf/ietf_attr_pa_tnc_error.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_pa_tnc_error.lo -MD -MP -MF $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo $(DEPDIR)/ietf_attr_pa_tnc_error.Plo
@@ -502,19 +637,19 @@ ietf_attr_product_info.lo: ietf/ietf_attr_product_info.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
-ietf_attr_attr_request.lo: ietf/ietf_attr_attr_request.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
+ietf_attr_remediation_instr.lo: ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_remediation_instr.lo -MD -MP -MF $(DEPDIR)/ietf_attr_remediation_instr.Tpo -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_remediation_instr.Tpo $(DEPDIR)/ietf_attr_remediation_instr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_remediation_instr.c' object='ietf_attr_remediation_instr.lo' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
-ietf_attr_assess_result.lo: ietf/ietf_attr_assess_result.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
+ietf_attr_string_version.lo: ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_string_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_string_version.Tpo -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attr_string_version.Tpo $(DEPDIR)/ietf_attr_string_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ietf/ietf_attr_string_version.c' object='ietf_attr_string_version.lo' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
ita_attr.lo: ita/ita_attr.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr.lo -MD -MP -MF $(DEPDIR)/ita_attr.Tpo -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
@@ -537,6 +672,34 @@ ita_attr_dummy.lo: ita/ita_attr_dummy.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
+ita_attr_get_settings.lo: ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_get_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_get_settings.Tpo -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ita_attr_get_settings.Tpo $(DEPDIR)/ita_attr_get_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ita/ita_attr_get_settings.c' object='ita_attr_get_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+
+ita_attr_settings.lo: ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_settings.Tpo -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ita_attr_settings.Tpo $(DEPDIR)/ita_attr_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ita/ita_attr_settings.c' object='ita_attr_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+
+ita_attr_angel.lo: ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_angel.lo -MD -MP -MF $(DEPDIR)/ita_attr_angel.Tpo -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ita_attr_angel.Tpo $(DEPDIR)/ita_attr_angel.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ita/ita_attr_angel.c' object='ita_attr_angel.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+
+os_info.lo: os_info/os_info.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT os_info.lo -MD -MP -MF $(DEPDIR)/os_info.Tpo -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/os_info.Tpo $(DEPDIR)/os_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='os_info/os_info.c' object='os_info.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+
pa_tnc_msg.lo: pa_tnc/pa_tnc_msg.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pa_tnc_msg.Tpo -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pa_tnc_msg.Tpo $(DEPDIR)/pa_tnc_msg.Plo
@@ -768,10 +931,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c
index fc89c5716..2f3819898 100644
--- a/src/libimcv/ietf/ietf_attr.c
+++ b/src/libimcv/ietf/ietf_attr.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -13,11 +14,19 @@
*/
#include "ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_attr_request.h"
+#include "ietf/ietf_attr_fwd_enabled.h"
+#include "ietf/ietf_attr_default_pwd_enabled.h"
+#include "ietf/ietf_attr_installed_packages.h"
+#include "ietf/ietf_attr_numeric_version.h"
+#include "ietf/ietf_attr_op_status.h"
#include "ietf/ietf_attr_pa_tnc_error.h"
#include "ietf/ietf_attr_port_filter.h"
#include "ietf/ietf_attr_product_info.h"
-#include "ietf/ietf_attr_attr_request.h"
-#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+#include "ietf/ietf_attr_string_version.h"
+
ENUM(ietf_attr_names, IETF_ATTR_TESTING, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED,
"Testing",
@@ -46,20 +55,27 @@ pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, chunk_t value)
return ietf_attr_attr_request_create_from_data(value);
case IETF_ATTR_PRODUCT_INFORMATION:
return ietf_attr_product_info_create_from_data(value);
+ case IETF_ATTR_NUMERIC_VERSION:
+ return ietf_attr_numeric_version_create_from_data(value);
+ case IETF_ATTR_STRING_VERSION:
+ return ietf_attr_string_version_create_from_data(value);
+ case IETF_ATTR_OPERATIONAL_STATUS:
+ return ietf_attr_op_status_create_from_data(value);
case IETF_ATTR_PORT_FILTER:
return ietf_attr_port_filter_create_from_data(value);
+ case IETF_ATTR_INSTALLED_PACKAGES:
+ return ietf_attr_installed_packages_create_from_data(value);
case IETF_ATTR_PA_TNC_ERROR:
return ietf_attr_pa_tnc_error_create_from_data(value);
case IETF_ATTR_ASSESSMENT_RESULT:
return ietf_attr_assess_result_create_from_data(value);
- case IETF_ATTR_TESTING:
- case IETF_ATTR_NUMERIC_VERSION:
- case IETF_ATTR_STRING_VERSION:
- case IETF_ATTR_OPERATIONAL_STATUS:
- case IETF_ATTR_INSTALLED_PACKAGES:
case IETF_ATTR_REMEDIATION_INSTRUCTIONS:
+ return ietf_attr_remediation_instr_create_from_data(value);
case IETF_ATTR_FORWARDING_ENABLED:
+ return ietf_attr_fwd_enabled_create_from_data(value);
case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+ return ietf_attr_default_pwd_enabled_create_from_data(value);
+ case IETF_ATTR_TESTING:
case IETF_ATTR_RESERVED:
default:
return NULL;
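Review bot: After this change `IETF_ATTR_TESTING` is the only named attribute type besides `IETF_ATTR_RESERVED` that still falls through to `return NULL`, and nothing in the switch says whether that is deliberate. A one-line comment on that arm would make the intent clear, for example `/* no parser for the Testing attribute, treated like an unknown type */`. It would also help to state in the function's doc comment that NULL means "unsupported type" and must be handled by the caller, since the callers are not visible here. The body of `ietf_attr_create_from_data()` starts above this hunk, so the earlier arms were not reviewed.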
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.c b/src/libimcv/ietf/ietf_attr_assess_result.c
index 6893730bf..1c0d6b0eb 100644
--- a/src/libimcv/ietf/ietf_attr_assess_result.c
+++ b/src/libimcv/ietf/ietf_attr_assess_result.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ietf_attr_assess_result_t private_ietf_attr_assess_result_t;
@@ -192,6 +192,8 @@ pa_tnc_attr_t *ietf_attr_assess_result_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
index c0dcd0983..c93c9276e 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.c
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -19,9 +19,9 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ietf_attr_attr_request_t private_ietf_attr_attr_request_t;
@@ -114,12 +114,12 @@ METHOD(pa_tnc_attr_t, build, void,
{
return;
}
- writer = bio_writer_create(ATTR_REQUEST_ENTRY_SIZE *
+ writer = bio_writer_create(ATTR_REQUEST_ENTRY_SIZE *
this->list->get_count(this->list));
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, &entry))
- {
+ {
writer->write_uint32(writer, entry->vendor_id);
writer->write_uint32(writer, entry->type);
}
@@ -161,7 +161,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader = bio_reader_create(this->value);
while (count--)
{
- reader->read_uint8 (reader, &reserved);
+ reader->read_uint8 (reader, &reserved);
reader->read_uint24(reader, &vendor_id);
reader->read_uint32(reader, &type);
@@ -251,6 +251,8 @@ pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
@@ -259,7 +261,7 @@ pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
.add = _add,
.create_enumerator = _create_enumerator,
},
- .type = { PEN_IETF,IETF_ATTR_ATTRIBUTE_REQUEST },
+ .type = { PEN_IETF, IETF_ATTR_ATTRIBUTE_REQUEST },
.value = chunk_clone(data),
.list = linked_list_create(),
.ref = 1,
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.h b/src/libimcv/ietf/ietf_attr_attr_request.h
index 22c5be0a0..387ba345d 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.h
+++ b/src/libimcv/ietf/ietf_attr_attr_request.h
@@ -50,7 +50,7 @@ struct ietf_attr_attr_request_t {
* Creates an enumerator over all attribute types contained
* in the attribute request
*
- * @return Attribute Type enumerator returns (vendor ID, type)
+ * @return Attribute Type enumerator returns { vendor ID, type }
*/
enumerator_t* (*create_enumerator)(ietf_attr_attr_request_t *this);
};
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
new file mode 100644
index 000000000..2022f45cf
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_default_pwd_enabled.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_default_pwd_enabled_t private_ietf_attr_default_pwd_enabled_t;
+
+/**
+ * PA-TNC Factory Default Password Enabled type (see section 4.2.12 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Factory Default Password Enabled |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define DEFAULT_PWD_ENABLED_SIZE 4
+
+/**
+ * Private data of an ietf_attr_default_pwd_enabled_t object.
+ */
+struct private_ietf_attr_default_pwd_enabled_t {
+
+ /**
+ * Public members of ietf_attr_default_pwd_enabled_t
+ */
+ ietf_attr_default_pwd_enabled_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Factory Default Password Enabled status
+ */
+ bool status;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_default_pwd_enabled_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ bio_writer_t *writer;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+ writer = bio_writer_create(DEFAULT_PWD_ENABLED_SIZE);
+ writer->write_uint32(writer, this->status);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_default_pwd_enabled_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ u_int32_t status;
+
+ *offset = 0;
+
+ if (this->value.len != DEFAULT_PWD_ENABLED_SIZE)
+ {
+ DBG1(DBG_TNC, "incorrect size for IETF factory default password "
+ "enabled attribute");
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint32(reader, &status);
+ reader->destroy(reader);
+
+ if (status > TRUE)
+ {
+ DBG1(DBG_TNC, "IETF factory default password enabled field "
+ "has unknown value %u", status);
+ return FAILED;
+ }
+ this->status = status;
+
+ return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_default_pwd_enabled_t, get_status, bool,
+ private_ietf_attr_default_pwd_enabled_t *this)
+{
+ return this->status;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create(bool status)
+{
+ private_ietf_attr_default_pwd_enabled_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_status = _get_status,
+ },
+ .type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+ .status = status,
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(chunk_t data)
+{
+ private_ietf_attr_default_pwd_enabled_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_status = _get_status,
+ },
+ .type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+ .value = chunk_clone(data),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
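Review bot: An object returned by `ietf_attr_default_pwd_enabled_create_from_data()` reports `status` as false until `process()` has succeeded, and keeps reporting false when `process()` returns FAILED, because `this->status` is assigned only on the success path (this assumes `INIT` zero-fills the members it is not given). False is the benign reading, "no factory default password", so a caller that reads `get_status()` without checking the result of `process()` would treat a malformed or oversized attribute from the peer as a clean one. I would document that on the accessor, e.g. `/* only meaningful after process() returned SUCCESS */`, and repeat it in the header's `@return` line. Smaller points in the same file: the result of `reader->read_uint32()` is ignored (harmless only because the length was checked just above), and `set_noskip_flag,void` is missing the space used by the other `METHOD` lines.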
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
new file mode 100644
index 000000000..f6026b0e8
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_default_pwd_enabled ietf_attr_default_pwd_enabled
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_PWD_ENABLED_H_
+#define IETF_ATTR_PWD_ENABLED_H_
+
+typedef struct ietf_attr_default_pwd_enabled_t ietf_attr_default_pwd_enabled_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the IETF PA-TNC Factory Default Password Enabled attribute.
+ *
+ */
+struct ietf_attr_default_pwd_enabled_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Gets the Factory Default Password Enabled status
+ *
+ * @return Factory Default Password Enabled status
+ */
+ bool (*get_status)(ietf_attr_default_pwd_enabled_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_default_pwd_enabled_t object
+ *
+ * @param status Factory Default Password Enabled status
+ */
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create(bool status);
+
+/**
+ * Creates an ietf_attr_default_pwd_enabled_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_PWD_ENABLED_H_ @}*/
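Review bot: The include guard `IETF_ATTR_PWD_ENABLED_H_` does not match the file name ietf_attr_default_pwd_enabled.h, unlike the other headers added in this commit (for example `IETF_ATTR_FWD_ENABLED_H_`). Renaming it to `IETF_ATTR_DEFAULT_PWD_ENABLED_H_` in the `#ifndef`, the `#define` and the closing comment avoids a clash if a differently named password attribute header is added later.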
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
new file mode 100644
index 000000000..911ee5b89
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_fwd_enabled.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_fwd_enabled_t private_ietf_attr_fwd_enabled_t;
+
+/**
+ * PA-TNC Forwarding Enabled type (see section 4.2.11 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Forwarding Enabled |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define FORWARDING_ENABLED_SIZE 4
+
+/**
+ * Private data of an ietf_attr_fwd_enabled_t object.
+ */
+struct private_ietf_attr_fwd_enabled_t {
+
+ /**
+ * Public members of ietf_attr_fwd_enabled_t
+ */
+ ietf_attr_fwd_enabled_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Forwarding Enabled status
+ */
+ os_fwd_status_t fwd_status;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_fwd_enabled_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ bio_writer_t *writer;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+ writer = bio_writer_create(FORWARDING_ENABLED_SIZE);
+ writer->write_uint32(writer, this->fwd_status);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_fwd_enabled_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ u_int32_t fwd_status;
+
+ *offset = 0;
+
+ if (this->value.len != FORWARDING_ENABLED_SIZE)
+ {
+ DBG1(DBG_TNC, "incorrect size for IETF forwarding enabled attribute");
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint32(reader, &fwd_status);
+ reader->destroy(reader);
+
+ if (fwd_status > OS_FWD_UNKNOWN)
+ {
+ DBG1(DBG_TNC, "IETF forwarding enabled field has unknown value %u",
+ fwd_status);
+ return FAILED;
+ }
+ this->fwd_status = fwd_status;
+
+ return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_fwd_enabled_t, get_status, os_fwd_status_t,
+ private_ietf_attr_fwd_enabled_t *this)
+{
+ return this->fwd_status;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status)
+{
+ private_ietf_attr_fwd_enabled_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_status = _get_status,
+ },
+ .type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+ .fwd_status = fwd_status,
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(chunk_t data)
+{
+ private_ietf_attr_fwd_enabled_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_status = _get_status,
+ },
+ .type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+ .value = chunk_clone(data),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
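Review bot: `ietf_attr_fwd_enabled_create_from_data()` leaves `fwd_status` unset, so until `process()` succeeds (and after it returns FAILED) `get_status()` reports whatever `INIT` leaves there, presumably 0, which may be a definite forwarding state rather than "unknown". For a posture attribute received from a peer it is safer to start from the unknown value: add `.fwd_status = OS_FWD_UNKNOWN,` to the initializer in `create_from_data()`. `ietf_attr_default_pwd_enabled_create_from_data()` earlier in this commit has the same shape with `status`. A bool has no unknown value, so there the header should at least say that `get_status()` is only valid after `process()` returned SUCCESS.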
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
new file mode 100644
index 000000000..bfde1a7b1
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_fwd_enabled ietf_attr_fwd_enabled
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_FWD_ENABLED_H_
+#define IETF_ATTR_FWD_ENABLED_H_
+
+typedef struct ietf_attr_fwd_enabled_t ietf_attr_fwd_enabled_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+#include "os_info/os_info.h"
+
+/**
+ * Class implementing the IETF PA-TNC Forwarding Enabled attribute.
+ *
+ */
+struct ietf_attr_fwd_enabled_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Gets the Forwarding Enabled status
+ *
+ * @return Forwarding Enabled status
+ */
+ os_fwd_status_t (*get_status)(ietf_attr_fwd_enabled_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_fwd_enabled_t object
+ *
+ * @param fwd_status Forwarding Enabled status
+ */
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status);
+
+/**
+ * Creates an ietf_attr_fwd_enabled_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_FWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c
new file mode 100644
index 000000000..72a3c1344
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.c
@@ -0,0 +1,335 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_installed_packages.h"
+
+#include <string.h>
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+
+typedef struct private_ietf_attr_installed_packages_t private_ietf_attr_installed_packages_t;
+typedef struct package_entry_t package_entry_t;
+
+/**
+ * PA-TNC Installed Packages Type (see section 4.2.7 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Reserved | Package Count |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Pkg Name Len | Package Name (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Version Len | Package Version Number (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define INSTALLED_PACKAGES_MIN_SIZE 4
+
+/**
+ * Private data of an ietf_attr_installed_packages_t object.
+ */
+struct private_ietf_attr_installed_packages_t {
+
+ /**
+ * Public members of ietf_attr_installed_packages_t
+ */
+ ietf_attr_installed_packages_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * List of Installed Package entries
+ */
+ linked_list_t *packages;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+/**
+ * Package entry
+ */
+struct package_entry_t {
+ chunk_t name;
+ chunk_t version;
+};
+
+/**
+ * Free a package entry
+ */
+static void free_package_entry(package_entry_t *entry)
+{
+ free(entry->name.ptr);
+ free(entry->version.ptr);
+ free(entry);
+}
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_installed_packages_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_installed_packages_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_installed_packages_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_installed_packages_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_installed_packages_t *this)
+{
+ bio_writer_t *writer;
+ enumerator_t *enumerator;
+ package_entry_t *entry;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+ writer = bio_writer_create(INSTALLED_PACKAGES_MIN_SIZE);
+ writer->write_uint16(writer, 0x0000);
+ writer->write_uint16(writer, this->packages->get_count(this->packages));
+
+ enumerator = this->packages->create_enumerator(this->packages);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ writer->write_data8(writer, entry->name);
+ writer->write_data8(writer, entry->version);
+ }
+ enumerator->destroy(enumerator);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_installed_packages_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ package_entry_t *entry;
+ status_t status = FAILED;
+ chunk_t name, version;
+ u_int16_t reserved, count;
+ u_char *pos;
+
+ *offset = 0;
+
+ if (this->value.len < INSTALLED_PACKAGES_MIN_SIZE)
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF installed packages");
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint16(reader, &reserved);
+ reader->read_uint16(reader, &count);
+ *offset = INSTALLED_PACKAGES_MIN_SIZE;
+
+ while (reader->remaining(reader))
+ {
+ if (!reader->read_data8(reader, &name))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF installed package name");
+ goto end;
+ }
+ pos = memchr(name.ptr, '\0', name.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in IETF installed package name");
+ *offset += 1 + (pos - name.ptr);
+ goto end;
+ }
+ *offset += 1 + name.len;
+
+ if (!reader->read_data8(reader, &version))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF installed package version");
+ goto end;
+ }
+ pos = memchr(version.ptr, '\0', version.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in IETF installed package version");
+ *offset += 1 + (pos - version.ptr);
+ goto end;
+ }
+ *offset += 1 + version.len;
+
+ entry = malloc_thing(package_entry_t);
+ entry->name = chunk_clone(name);
+ entry->version = chunk_clone(version);
+ this->packages->insert_last(this->packages, entry);
+ }
+
+ if (count != this->packages->get_count(this->packages))
+ {
+ DBG1(DBG_TNC, "IETF installed package count unequal to "
+ "number of included packages");
+ goto end;
+ }
+ status = SUCCESS;
+
+end:
+ reader->destroy(reader);
+ return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_installed_packages_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_installed_packages_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ this->packages->destroy_function(this->packages, (void*)free_package_entry);
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_installed_packages_t, add, void,
+ private_ietf_attr_installed_packages_t *this, chunk_t name, chunk_t version)
+{
+ package_entry_t *entry;
+
+ /* restrict package name and package version number fields to 255 octets */
+ name.len = min(255, name.len);
+ version.len = min(255, version.len);
+
+ entry = malloc_thing(package_entry_t);
+ entry->name = chunk_clone(name);
+ entry->version = chunk_clone(version);
+ this->packages->insert_last(this->packages, entry);
+}
+
+/**
+ * Enumerate package filter entries
+ */
+static bool package_filter(void *null, package_entry_t **entry, chunk_t *name,
+ void *i2, chunk_t *version)
+{
+ *name = (*entry)->name;
+ *version = (*entry)->version;
+ return TRUE;
+}
+
+METHOD(ietf_attr_installed_packages_t, create_enumerator, enumerator_t*,
+ private_ietf_attr_installed_packages_t *this)
+{
+ return enumerator_create_filter(
+ this->packages->create_enumerator(this->packages),
+ (void*)package_filter, NULL, NULL);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_installed_packages_create(void)
+{
+ private_ietf_attr_installed_packages_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .add = _add,
+ .create_enumerator = _create_enumerator,
+ },
+ .type = { PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
+ .packages = linked_list_create(),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_installed_packages_create_from_data(chunk_t data)
+{
+ private_ietf_attr_installed_packages_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .add = _add,
+ .create_enumerator = _create_enumerator,
+ },
+ .type = {PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
+ .value = chunk_clone(data),
+ .packages = linked_list_create(),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+
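Review bot: In `process()`, entries parsed before an error stay in `this->packages`: every `goto end` taken after the first loop iteration, and the final Package Count mismatch, return FAILED with the list still populated, and `create_enumerator()` will hand those entries out. Nothing here stops a second `process()` call from appending the same entries again either. Consider emptying the list on the failure path, or at least documenting on `create_enumerator` that its result is only meaningful after `process()` returned SUCCESS. Separately, `build()` passes `get_count()` to `write_uint16()`, so a list longer than 65535 entries would presumably be sent with a truncated count that the peer's `process()` then rejects; `add()` could refuse entries past that limit.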
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h
new file mode 100644
index 000000000..a9f6768e0
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_installed_packagest ietf_attr_installed_packages
+ * @{ @ingroup ietf_attr_installed_packages
+ */
+
+#ifndef IETF_ATTR_INSTALLED_PACKAGES_H_
+#define IETF_ATTR_INSTALLED_PACKAGES_H_
+
+typedef struct ietf_attr_installed_packages_t ietf_attr_installed_packages_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC Installed Packages attribute.
+ *
+ */
+struct ietf_attr_installed_packages_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Add a package entry
+ *
+ * @param name package name
+ * @param version package version number
+ */
+ void (*add)(ietf_attr_installed_packages_t *this, chunk_t name,
+ chunk_t version);
+
+ /**
+ * Enumerates over all packages
+ * Format: chunk_t name, chunk_t version
+ *
+ * @return enumerator
+ */
+ enumerator_t* (*create_enumerator)(ietf_attr_installed_packages_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_installed_packages_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_installed_packages_create(void);
+
+/**
+ * Creates an ietf_attr_installed_packages_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_installed_packages_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_INSTALLED_PACKAGES_H_ @}*/
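Review bot: The `add` doc comment does not mention that the implementation in ietf_attr_installed_packages.c silently cuts `name` and `version` to 255 octets and stores copies of both chunks. Callers need to know both; I would add `name and version are cloned and truncated to 255 octets` to the description. The Doxygen header also looks wrong: `@defgroup ietf_attr_installed_packagest` has a stray `t`, and `@ingroup ietf_attr_installed_packages` puts the group into itself where the sibling headers use `@ingroup ietf`.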
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.c b/src/libimcv/ietf/ietf_attr_numeric_version.c
new file mode 100644
index 000000000..797205473
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_numeric_version.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_numeric_version_t private_ietf_attr_numeric_version_t;
+
+/**
+ * PA-TNC Numeric Version type (see section 4.2.3 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Major Version Number |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Minor Version Number |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Build Number |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Service Pack Major | Service Pack Minor |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define NUMERIC_VERSION_SIZE 16
+
+/**
+ * Private data of an ietf_attr_numeric_version_t object.
+ */
+struct private_ietf_attr_numeric_version_t {
+
+ /**
+ * Public members of ietf_attr_numeric_version_t
+ */
+ ietf_attr_numeric_version_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Major Version Number
+ */
+ u_int32_t major_version;
+
+ /**
+ * Minor Version Number
+ */
+ u_int32_t minor_version;
+
+ /**
+ * IBuild Number
+ */
+ u_int32_t build;
+
+ /**
+ * Service Pack Major Number
+ */
+ u_int16_t service_pack_major;
+
+ /**
+ * Service Pack Minor Number
+ */
+ u_int16_t service_pack_minor;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_numeric_version_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_numeric_version_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_numeric_version_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_numeric_version_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_numeric_version_t *this)
+{
+ bio_writer_t *writer;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+
+ writer = bio_writer_create(NUMERIC_VERSION_SIZE);
+ writer->write_uint32(writer, this->major_version);
+ writer->write_uint32(writer, this->minor_version);
+ writer->write_uint32(writer, this->build);
+ writer->write_uint16(writer, this->service_pack_major);
+ writer->write_uint16(writer, this->service_pack_minor);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_numeric_version_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+
+ if (this->value.len < NUMERIC_VERSION_SIZE)
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF numeric version");
+ *offset = 0;
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint32(reader, &this->major_version);
+ reader->read_uint32(reader, &this->minor_version);
+ reader->read_uint32(reader, &this->build);
+ reader->read_uint16(reader, &this->service_pack_major);
+ reader->read_uint16(reader, &this->service_pack_minor);
+ reader->destroy(reader);
+
+ return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_numeric_version_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_numeric_version_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_numeric_version_t, get_version, void,
+ private_ietf_attr_numeric_version_t *this, u_int32_t *major, u_int32_t *minor)
+{
+ if (major)
+ {
+ *major = this->major_version;
+ }
+ if (minor)
+ {
+ *minor = this->minor_version;
+ }
+}
+
+METHOD(ietf_attr_numeric_version_t, get_build, u_int32_t,
+ private_ietf_attr_numeric_version_t *this)
+{
+ return this->build;
+}
+
+METHOD(ietf_attr_numeric_version_t, get_service_pack, void,
+ private_ietf_attr_numeric_version_t *this, u_int16_t *major, u_int16_t *minor)
+{
+ if (major)
+ {
+ *major = this->service_pack_major;
+ }
+ if (minor)
+ {
+ *minor = this->service_pack_minor;
+ }
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor,
+ u_int32_t build,
+ u_int16_t service_pack_major,
+ u_int16_t service_pack_minor)
+{
+ private_ietf_attr_numeric_version_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_version = _get_version,
+ .get_build = _get_build,
+ .get_service_pack = _get_service_pack,
+ },
+ .type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+ .major_version = major,
+ .minor_version = minor,
+ .build = build,
+ .service_pack_major = service_pack_major,
+ .service_pack_minor = service_pack_minor,
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(chunk_t data)
+{
+ private_ietf_attr_numeric_version_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_version = _get_version,
+ .get_build = _get_build,
+ .get_service_pack = _get_service_pack,
+ },
+ .type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+ .value = chunk_clone(data),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
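Review bot: `process()` rejects only values shorter than `NUMERIC_VERSION_SIZE`, so an attribute with trailing bytes after the 16-octet body is accepted, while `process()` in ietf_attr_fwd_enabled.c from the same commit requires an exact length. The layout in the comment above is fixed-size, so I would use `if (this->value.len != NUMERIC_VERSION_SIZE)` and change the message to say "incorrect size". `*offset` is also written only on the failure path here, whereas the sibling implementations set `*offset = 0;` before any check; moving it to the top keeps the out-parameter defined on every return. The `IBuild Number` comment on the `build` member should read `Build Number`.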
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h
new file mode 100644
index 000000000..f7d6c909d
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_numeric_versiont ietf_attr_numeric_version
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_NUMERIC_VERSION_H_
+#define IETF_ATTR_NUMERIC_VERSION_H_
+
+typedef struct ietf_attr_numeric_version_t ietf_attr_numeric_version_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC String Version attribute.
+ *
+ */
+struct ietf_attr_numeric_version_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Gets the Major and Minor Version Numbers
+ *
+ * @param major Major Version Number
+ * @param minor Minor Version Number
+ */
+ void (*get_version)(ietf_attr_numeric_version_t *this,
+ u_int32_t *major, u_int32_t *minor);
+
+ /**
+ * Gets the Build Number
+ *
+ * @param major Major Version Number
+ * @param minor Minor Version Number
+ */
+ u_int32_t (*get_build)(ietf_attr_numeric_version_t *this);
+
+ /**
+ * Gets the Major and Minor Numbers of the Service Pack
+ *
+ * @param major Service Pack Major Number
+ * @param minor Servcie Pack Minor Number
+ */
+ void (*get_service_pack)(ietf_attr_numeric_version_t *this,
+ u_int16_t *major, u_int16_t *minor);
+};
+
+/**
+ * Creates an ietf_attr_numeric_version_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor,
+ u_int32_t build,
+ u_int16_t service_pack_major,
+ u_int16_t service_pack_minor);
+
+/**
+ * Creates an ietf_attr_numeric_version_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_numeric_version_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_NUMERIC_VERSION_H_ @}*/
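Review bot: The doc comments in this header were copied without being adapted: the struct is described as the "String Version attribute", and `get_build` documents `@param major` and `@param minor` although it takes no such parameters and returns the build number. I would change the class comment to `Class implementing the IETF PA-TNC Numeric Version attribute.` and replace the two `@param` lines on `get_build` with `@return Build Number`. `ietf_attr_numeric_version_create()` has no `@param` lines for its five arguments, `Servcie` should read `Service`, and the `@defgroup` id `ietf_attr_numeric_versiont` has a stray `t`. The getters should also state that `major` and `minor` may be NULL, which the implementation in ietf_attr_numeric_version.c allows.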
diff --git a/src/libimcv/ietf/ietf_attr_op_status.c b/src/libimcv/ietf/ietf_attr_op_status.c
new file mode 100644
index 000000000..d9610b29d
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_op_status.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_op_status.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+#include <time.h>
+
+typedef struct private_ietf_attr_op_status_t private_ietf_attr_op_status_t;
+
+ENUM(op_status_names, OP_STATUS_UNKNOWN, OP_STATUS_OPERATIONAL,
+ "unknown",
+ "not installed",
+ "installed",
+ "operational"
+);
+
+ENUM(op_result_names, OP_RESULT_UNKNOWN, OP_RESULT_UNSUCCESSFUL,
+ "unknown",
+ "successful",
+ "errored",
+ "unsuccessful"
+);
+
+/**
+ * PA-TNC Operational Status type (see section 4.2.5 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Status | Result | Reserved |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Last Use |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Last Use (continued) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Last Use (continued) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Last Use (continued) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Last Use (continued) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define OP_STATUS_SIZE 24
+
+/**
+ * Private data of an ietf_attr_op_status_t object.
+ */
+struct private_ietf_attr_op_status_t {
+
+ /**
+ * Public members of ietf_attr_op_status_t
+ */
+ ietf_attr_op_status_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Status
+ */
+ u_int8_t status;
+
+ /**
+ * Result
+ */
+ u_int8_t result;
+
+ /**
+ * Last Use
+ */
+ time_t last_use;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_op_status_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_op_status_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_op_status_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_op_status_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_op_status_t *this)
+{
+ bio_writer_t *writer;
+ char last_use[24];
+ struct tm t;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+
+ /* Conversion from time_t to RFC 3339 ASCII string */
+ gmtime_r(&this->last_use, &t);
+ snprintf(last_use, 21, "%04d-%02d-%02dT%02d:%02d:%02dZ", 1900 + t.tm_year,
+ t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
+
+ writer = bio_writer_create(OP_STATUS_SIZE);
+ writer->write_uint8 (writer, this->status);
+ writer->write_uint8 (writer, this->result);
+ writer->write_uint16(writer, 0x0000);
+ writer->write_data (writer, chunk_create(last_use, 20));
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_op_status_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ chunk_t last_use;
+ u_int16_t reserved;
+ struct tm t;
+
+ *offset = 0;
+
+ if (this->value.len != OP_STATUS_SIZE)
+ {
+ DBG1(DBG_TNC, "incorrect size for IETF operational status");
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint8 (reader, &this->status);
+ reader->read_uint8 (reader, &this->result);
+ reader->read_uint16(reader, &reserved);
+ reader->read_data (reader, 20, &last_use);
+ reader->destroy(reader);
+
+ if (this->status > OP_STATUS_ROOF)
+ {
+ DBG1(DBG_TNC, "invalid status value %c for IETF operational status",
+ this->status);
+ return FAILED;
+ }
+
+ *offset = 1;
+
+ if (this->result > OP_RESULT_ROOF)
+ {
+ DBG1(DBG_TNC, "invalid result value %c for IETF operational status",
+ this->result);
+ return FAILED;
+ }
+
+ *offset = 4;
+
+ /* Conversion from RFC 3339 ASCII string to time_t */
+ if (sscanf(last_use.ptr, "%4d-%2d-%2dT%2d:%2d:%2dZ", &t.tm_year, &t.tm_mon,
+ &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec) != 6)
+ {
+ DBG1(DBG_TNC, "invalid last_use time format in IETF operational status");
+ return FAILED;
+ }
+ t.tm_year -= 1900;
+ t.tm_mon -= 1;
+ t.tm_isdst = 0;
+ this->last_use = mktime(&t) - timezone;
+
+ return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_op_status_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_op_status_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_op_status_t, get_status, u_int8_t,
+ private_ietf_attr_op_status_t *this)
+{
+ return this->status;
+}
+
+METHOD(ietf_attr_op_status_t, get_result, u_int8_t,
+ private_ietf_attr_op_status_t *this)
+{
+ return this->result;
+}
+
+METHOD(ietf_attr_op_status_t, get_last_use, time_t,
+ private_ietf_attr_op_status_t *this)
+{
+ return this->last_use;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
+ time_t last_use)
+{
+ private_ietf_attr_op_status_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_status = _get_status,
+ .get_result = _get_result,
+ .get_last_use = _get_last_use,
+ },
+ .type = { PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS },
+ .status = status,
+ .result = result,
+ .last_use = last_use,
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_op_status_create_from_data(chunk_t data)
+{
+ private_ietf_attr_op_status_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_status = _get_status,
+ .get_result = _get_result,
+ .get_last_use = _get_last_use,
+ },
+ .type = { PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS },
+ .value = chunk_clone(data),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
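Review bot: In `process`, `sscanf(last_use.ptr, ...)` parses a 20-octet slice of the received attribute value that is not NUL-terminated, and that slice ends exactly at the end of the cloned 24-octet value, so the scan can read past the buffer. `%d` skips leading whitespace before its field width applies, and some libc implementations search for the terminator up front. Copy the field into a terminated local buffer first, e.g. `char buf[21]; memcpy(buf, last_use.ptr, 20); buf[20] = '\0';`, and pass `buf` to `sscanf`. The parsed `tm` fields are also handed to `mktime` without range checks, so an out-of-range month or hour from the peer is silently normalised rather than rejected. The two `DBG1` calls for an invalid status or result format the octet with `%c`; `%d` would log the numeric value instead of a raw, possibly non-printable, character.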
diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h
new file mode 100644
index 000000000..2e14148c4
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_op_status.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_op_statust ietf_attr_op_status
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_OP_STATUS_H_
+#define IETF_ATTR_OP_STATUS_H_
+
+typedef struct ietf_attr_op_status_t ietf_attr_op_status_t;
+typedef enum op_status_t op_status_t;
+typedef enum op_result_t op_result_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Operational Status type
+ */
+enum op_status_t {
+ OP_STATUS_UNKNOWN = 0,
+ OP_STATUS_NOT_INSTALLED = 1,
+ OP_STATUS_INSTALLED = 2,
+ OP_STATUS_OPERATIONAL = 3,
+ OP_STATUS_ROOF = 3
+};
+
+extern enum_name_t *op_status_names;
+
+/**
+ * Operational Result type
+ */
+enum op_result_t {
+ OP_RESULT_UNKNOWN = 0,
+ OP_RESULT_SUCCESSFUL = 1,
+ OP_RESULT_ERRORED = 2,
+ OP_RESULT_UNSUCCESSFUL = 3,
+ OP_RESULT_ROOF = 3
+};
+
+extern enum_name_t *op_result_names;
+
+/**
+ * Class implementing the IETF PA-TNC Operational Status attribute.
+ *
+ */
+struct ietf_attr_op_status_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Gets the Operational Status
+ *
+ * @return Operational Status
+ */
+ u_int8_t (*get_status)(ietf_attr_op_status_t *this);
+
+ /**
+ * Gets the Operational Result
+ *
+ * @return Operational Result
+ */
+ u_int8_t (*get_result)(ietf_attr_op_status_t *this);
+
+ /**
+ * Gets the time of last use
+ *
+ * @return Time of last use
+ */
+ time_t (*get_last_use)(ietf_attr_op_status_t *this);
+};
+
+/**
+ * Creates an ietf_attr_op_status_t object
+ *
+ * @param status Operational Status
+ * @param result Operational Result
+ * @param last_use Time of last use
+ */
+pa_tnc_attr_t* ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
+ time_t last_use);
+
+/**
+ * Creates an ietf_attr_op_status_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_op_status_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_OP_STATUS_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index 46f5d6716..f92022fe0 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
PA_ERROR_ATTR_TYPE_NOT_SUPPORTED,
@@ -80,7 +80,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
* | Max Version | Min Version | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
-
+
#define PA_ERROR_VERSION_RESERVED 0x0000
/**
@@ -186,7 +186,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer->write_uint24(writer, this->error_code.vendor_id);
writer->write_uint32(writer, this->error_code.type);
writer->write_data (writer, this->msg_info);
-
+
if (this->error_code.vendor_id == PEN_IETF)
{
switch (this->error_code.type)
@@ -272,7 +272,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
}
reader->destroy(reader);
- return SUCCESS;
+ return SUCCESS;
}
METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -420,6 +420,8 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
index d28c524aa..a5a10d470 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
@@ -55,13 +55,6 @@ struct ietf_attr_pa_tnc_error_t {
pa_tnc_attr_t pa_tnc_attribute;
/**
- * Get PA-TNC error code vendor ID
- *
- * @return error code vendor ID
- */
- pen_t (*get_vendor_id)(ietf_attr_pa_tnc_error_t *this);
-
- /**
* Get Vendor-specific PA-TNC error code
*
* @return error code
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c
index 5ea52256b..8b8da3a41 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.c
+++ b/src/libimcv/ietf/ietf_attr_port_filter.c
@@ -17,8 +17,8 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_ietf_attr_port_filter_t private_ietf_attr_port_filter_t;
@@ -36,8 +36,8 @@ struct port_entry_t {
/**
* PA-TNC Port Filter Type (see section 4.2.6 of RFC 5792)
*
- * 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Reserved |B| Protocol | Port Number |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -152,7 +152,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
while (reader->remaining(reader))
{
- entry = malloc_thing(port_entry_t);
+ entry = malloc_thing(port_entry_t);
reader->read_uint8 (reader, &blocked);
entry->blocked = blocked & 0x01;
reader->read_uint8 (reader, &entry->protocol);
@@ -161,7 +161,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
}
reader->destroy(reader);
- return SUCCESS;
+ return SUCCESS;
}
METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -192,7 +192,7 @@ METHOD(ietf_attr_port_filter_t, add_port, void,
entry->blocked = blocked;
entry->protocol = protocol;
entry->port = port;
- this->ports->insert_last(this->ports, entry);
+ this->ports->insert_last(this->ports, entry);
}
/**
@@ -257,6 +257,8 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_product_info.c b/src/libimcv/ietf/ietf_attr_product_info.c
index dcc0e0294..115f00130 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.c
+++ b/src/libimcv/ietf/ietf_attr_product_info.c
@@ -17,7 +17,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ietf_attr_product_info_t private_ietf_attr_product_info_t;
@@ -73,7 +73,7 @@ struct private_ietf_attr_product_info_t {
/**
* Product Name
*/
- char *product_name;
+ chunk_t product_name;
/**
* Reference count
@@ -109,18 +109,15 @@ METHOD(pa_tnc_attr_t, build, void,
private_ietf_attr_product_info_t *this)
{
bio_writer_t *writer;
- chunk_t product_name;
if (this->value.ptr)
{
return;
}
- product_name = chunk_create(this->product_name, strlen(this->product_name));
-
writer = bio_writer_create(PRODUCT_INFO_MIN_SIZE);
writer->write_uint24(writer, this->product_vendor_id);
writer->write_uint16(writer, this->product_id);
- writer->write_data (writer, product_name);
+ writer->write_data (writer, this->product_name);
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
@@ -144,9 +141,14 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader->read_data (reader, reader->remaining(reader), &product_name);
reader->destroy(reader);
- this->product_name = malloc(product_name.len + 1);
- memcpy(this->product_name, product_name.ptr, product_name.len);
- this->product_name[product_name.len] = '\0';
+ if (!this->product_vendor_id && this->product_id)
+ {
+ DBG1(DBG_TNC, "IETF product information vendor ID is 0 "
+ "but product ID is not 0");
+ *offset = 3;
+ return FAILED;
+ }
+ this->product_name = chunk_clone(product_name);
return SUCCESS;
}
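Review bot: `product_name` is now a raw `chunk_t` cloned from the peer's data, so it is no longer NUL-terminated and may contain embedded NULs or control bytes. Callers of `get_info` that previously treated the result as a C string need a length-bounded format such as `%.*s`. Consider rejecting a NUL inside the name here, as the remediation-string parser added in this commit does with `memchr(this->string.ptr, '\0', this->string.len)`, and stating in the `get_info` doc comment that the returned chunk is unterminated. The new `this->product_name = chunk_clone(product_name);` would also overwrite an earlier allocation without freeing it if `process` can run more than once on the same object, which is worth confirming. The body of `process` begins outside this hunk.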
@@ -163,13 +165,13 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- free(this->product_name);
+ free(this->product_name.ptr);
free(this->value.ptr);
free(this);
}
}
-METHOD(ietf_attr_product_info_t, get_info, char*,
+METHOD(ietf_attr_product_info_t, get_info, chunk_t,
private_ietf_attr_product_info_t *this, pen_t *vendor_id, u_int16_t *id)
{
if (vendor_id)
@@ -187,7 +189,7 @@ METHOD(ietf_attr_product_info_t, get_info, char*,
* Described in header.
*/
pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
- char *name)
+ chunk_t name)
{
private_ietf_attr_product_info_t *this;
@@ -208,7 +210,7 @@ pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
.type = { PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION },
.product_vendor_id = vendor_id,
.product_id = id,
- .product_name = strdup(name),
+ .product_name = chunk_clone(name),
.ref = 1,
);
@@ -227,6 +229,8 @@ pa_tnc_attr_t *ietf_attr_product_info_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
diff --git a/src/libimcv/ietf/ietf_attr_product_info.h b/src/libimcv/ietf/ietf_attr_product_info.h
index f1dfc3e83..dfaa67d6c 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.h
+++ b/src/libimcv/ietf/ietf_attr_product_info.h
@@ -45,8 +45,8 @@ struct ietf_attr_product_info_t {
* @param id Product ID
* @return Product Name
*/
- char* (*get_info)(ietf_attr_product_info_t *this,
- pen_t *vendor_id, u_int16_t *id);
+ chunk_t (*get_info)(ietf_attr_product_info_t *this,
+ pen_t *vendor_id, u_int16_t *id);
};
@@ -55,7 +55,7 @@ struct ietf_attr_product_info_t {
*
*/
pa_tnc_attr_t* ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
- char *name);
+ chunk_t name);
/**
* Creates an ietf_attr_product_info_t object from received data
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.c b/src/libimcv/ietf/ietf_attr_remediation_instr.c
new file mode 100644
index 000000000..f3b4e83dd
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.c
@@ -0,0 +1,363 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_remediation_instr.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_remediation_instr_t private_ietf_attr_remediation_instr_t;
+
+/**
+ * PA-TNC Remediation Instructions type (see section 4.2.10 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Reserved | Remediation Parameters Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Remediation Parameters Type |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Remediation Parameters (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define REMEDIATION_INSTR_MIN_SIZE 8
+#define REMEDIATION_INSTR_RESERVED 0x00
+
+/**
+ * IETF Remediation Parameters URI type (see section 4.2.10.1 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Remediation URI (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * IETF Remediation Parameters String type (see section 4.2.10.2 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Remediation String Length |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Remediation String (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Lang Code Len | Remediation String Lang Code (Variable Len) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of an ietf_attr_remediation_instr_t object.
+ */
+struct private_ietf_attr_remediation_instr_t {
+
+ /**
+ * Public members of ietf_attr_remediation_instr_t
+ */
+ ietf_attr_remediation_instr_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Remediation Parameters Type
+ */
+ pen_type_t parameters_type;
+
+ /**
+ * Remediation Parameters
+ */
+ chunk_t parameters;
+
+ /**
+ * Remediation String
+ */
+ chunk_t string;
+
+ /**
+ * Remediation Language Code
+ */
+ chunk_t lang_code;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_remediation_instr_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ bio_writer_t *writer;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+
+ writer = bio_writer_create(REMEDIATION_INSTR_MIN_SIZE);
+ writer->write_uint8 (writer, REMEDIATION_INSTR_RESERVED);
+ writer->write_uint24(writer, this->parameters_type.vendor_id);
+ writer->write_uint32(writer, this->parameters_type.type);
+ writer->write_data (writer, this->parameters);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_remediation_instr_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ u_int8_t reserved;
+ status_t status = SUCCESS;
+ u_char *pos;
+
+ *offset = 0;
+
+ if (this->value.len < REMEDIATION_INSTR_MIN_SIZE)
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF remediation instructions");
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &this->parameters_type.vendor_id);
+ reader->read_uint32(reader, &this->parameters_type.type);
+ reader->read_data (reader, reader->remaining(reader), &this->parameters);
+
+ this->parameters = chunk_clone(this->parameters);
+ reader->destroy(reader);
+
+ if (this->parameters_type.vendor_id == PEN_IETF &&
+ this->parameters_type.type == IETF_REMEDIATION_PARAMETERS_STRING)
+ {
+ reader = bio_reader_create(this->parameters);
+ status = FAILED;
+ *offset = 8;
+
+ if (!reader->read_data32(reader, &this->string))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF remediation string");
+ goto end;
+ }
+ pos = memchr(this->string.ptr, '\0', this->string.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in IETF remediation string");
+ *offset += 1 + (pos - this->string.ptr);
+ goto end;
+ }
+ *offset += 4 + this->string.len;
+
+ if (!reader->read_data8(reader, &this->lang_code))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF remediation lang code");
+ goto end;
+ }
+ status = SUCCESS;
+
+end:
+ reader->destroy(reader);
+ }
+ return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->parameters.ptr);
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_parameters_type, pen_type_t,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ return this->parameters_type;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_parameters, chunk_t,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ return this->parameters;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_uri, chunk_t,
+ private_ietf_attr_remediation_instr_t *this)
+{
+ return this->parameters;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_string, chunk_t,
+ private_ietf_attr_remediation_instr_t *this, chunk_t *lang_code)
+{
+ if (lang_code)
+ {
+ *lang_code = this->lang_code;
+ }
+ return this->string;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create(pen_type_t parameters_type,
+ chunk_t parameters)
+{
+ private_ietf_attr_remediation_instr_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_parameters_type = _get_parameters_type,
+ .get_parameters = _get_parameters,
+ .get_uri = _get_uri,
+ .get_string = _get_string,
+ },
+ .type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+ .parameters_type = parameters_type,
+ .parameters = chunk_clone(parameters),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_uri(chunk_t uri)
+{
+ pen_type_t type = { PEN_IETF, IETF_REMEDIATION_PARAMETERS_URI };
+
+ return ietf_attr_remediation_instr_create(type, uri);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_string(chunk_t string,
+ chunk_t lang_code)
+{
+ pa_tnc_attr_t *attr;
+ bio_writer_t *writer;
+ pen_type_t type = { PEN_IETF, IETF_REMEDIATION_PARAMETERS_STRING };
+
+ /* limit language code to 255 octets */
+ lang_code.len = min(255, lang_code.len);
+
+ writer = bio_writer_create(4 + string.len + 1 + lang_code.len);
+ writer->write_data32(writer, string);
+ writer->write_data8 (writer, lang_code);
+
+ attr = ietf_attr_remediation_instr_create(type, writer->get_buf(writer));
+ writer->destroy(writer);
+
+ return attr;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
+{
+ private_ietf_attr_remediation_instr_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_parameters_type = _get_parameters_type,
+ .get_parameters = _get_parameters,
+ .get_uri = _get_uri,
+ .get_string = _get_string,
+ },
+ .type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+ .value = chunk_clone(data),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
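Review bot: `get_uri` returns `this->parameters` whatever `parameters_type` says, and `process` validates only the `IETF_REMEDIATION_PARAMETERS_STRING` case. A URI received from the peer therefore reaches the caller unchecked, and a STRING-type payload can be read back as a URI. Either return `chunk_empty` from `get_uri` unless the type is `{ PEN_IETF, IETF_REMEDIATION_PARAMETERS_URI }`, or document on the getter that callers must check `get_parameters_type()` first and treat the URI as untrusted input. Separately, the NUL-error offset `*offset += 1 + (pos - this->string.ptr);` looks inconsistent with the 4-octet length prefix used two lines later (`*offset += 4 + this->string.len;`); `*offset += 4 + (pos - this->string.ptr);` would point at the offending octet. `lang_code` is not checked for an embedded NUL the way `string` is.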
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.h b/src/libimcv/ietf/ietf_attr_remediation_instr.h
new file mode 100644
index 000000000..473280c33
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_remediation_instrt ietf_attr_remediation_instr
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_REMEDIATION_INSTR_H_
+#define IETF_ATTR_REMEDIATION_INSTR_H_
+
+typedef struct ietf_attr_remediation_instr_t ietf_attr_remediation_instr_t;
+typedef enum ietf_remediation_parameters_t ietf_remediation_parameters_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+enum ietf_remediation_parameters_t {
+ IETF_REMEDIATION_PARAMETERS_URI = 1,
+ IETF_REMEDIATION_PARAMETERS_STRING = 2
+};
+
+/**
+ * Class implementing the IETF PA-TNC Remediation Instructions attribute.
+ *
+ */
+struct ietf_attr_remediation_instr_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Get the Remediation Parameters Type (Vendor ID and Type)
+ *
+ * @return Remediation Parameters Type
+ */
+ pen_type_t (*get_parameters_type)(ietf_attr_remediation_instr_t *this);
+
+ /**
+ * Get the Remediation Parameters
+ *
+ * @return Remediation Parameters
+ */
+ chunk_t (*get_parameters)(ietf_attr_remediation_instr_t *this);
+
+ /**
+ * Get the Remediation URI
+ *
+ * @return Remediation URI
+ */
+ chunk_t (*get_uri)(ietf_attr_remediation_instr_t *this);
+
+ /**
+ * Get the Remediation String
+ *
+ * @param lang_code Optional Language Code
+ * @return Remediation String
+ */
+ chunk_t (*get_string)(ietf_attr_remediation_instr_t *this,
+ chunk_t *lang_code);
+};
+
+/**
+ * Creates a general ietf_attr_remediation_instr_t object
+ *
+ * @param parameters_type Remediation Parameters Type
+ * @param parameters Remediation Parameters
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create(pen_type_t parameters_type,
+ chunk_t parameters);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object of Remediation URI Type
+ *
+ * @param uri Remediation URI
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_uri(chunk_t uri);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object of Remediation String Type
+ *
+ * @param string Remediation String
+ * @param lang_code Remediation String Language Code
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_string(chunk_t string,
+ chunk_t lang_code);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_REMEDIATION_INSTR_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_string_version.c b/src/libimcv/ietf/ietf_attr_string_version.c
new file mode 100644
index 000000000..8f4129eac
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_string_version.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_string_version.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_string_version_t private_ietf_attr_string_version_t;
+
+/**
+ * PA-TNC String Version type (see section 4.2.4 of RFC 5792)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Version Len | Product Version Number (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Build Num Len | Internal Build Number (Variable Length) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Config. Len | Configuration Version Number (Variable Length)|
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define STRING_VERSION_MIN_SIZE 3
+
+/**
+ * Private data of an ietf_attr_string_version_t object.
+ */
+struct private_ietf_attr_string_version_t {
+
+ /**
+ * Public members of ietf_attr_string_version_t
+ */
+ ietf_attr_string_version_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Product Version Number
+ */
+ chunk_t version;
+
+ /**
+ * Internal Build Number
+ */
+ chunk_t build;
+
+ /**
+ * Configuration Version Number
+ */
+ chunk_t config;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ietf_attr_string_version_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ietf_attr_string_version_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ietf_attr_string_version_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ietf_attr_string_version_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ietf_attr_string_version_t *this)
+{
+ bio_writer_t *writer;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+
+ writer = bio_writer_create(STRING_VERSION_MIN_SIZE);
+ writer->write_data8(writer, this->version);
+ writer->write_data8(writer, this->build);
+ writer->write_data8(writer, this->config);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ietf_attr_string_version_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ status_t status = FAILED;
+ chunk_t version, build, config;
+ u_char *pos;
+
+ *offset = 0;
+
+ if (this->value.len < STRING_VERSION_MIN_SIZE)
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF string version");
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+
+ if (!reader->read_data8(reader, &version))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF product version number");
+ goto end;
+
+ }
+ pos = memchr(version.ptr, '\0', version.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in IETF product version number");
+ *offset += 1 + (pos - version.ptr);
+ goto end;
+ }
+ *offset += 1 + version.len;
+
+ if (!reader->read_data8(reader, &build))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF internal build number");
+ goto end;
+
+ }
+ pos = memchr(build.ptr, '\0', build.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in IETF internal build number");
+ *offset += 1 + (pos - build.ptr);
+ goto end;
+ }
+ *offset += 1 + build.len;
+
+ if (!reader->read_data8(reader, &config))
+ {
+ DBG1(DBG_TNC, "insufficient data for IETF configuration version number");
+ goto end;
+
+ }
+ pos = memchr(config.ptr, '\0', config.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in IETF configuration version number");
+ *offset += 1 + (pos - config.ptr);
+ goto end;
+ }
+
+ this->version = chunk_clone(version);
+ this->build = chunk_clone(build);
+ this->config = chunk_clone(config);
+ status = SUCCESS;
+
+end:
+ reader->destroy(reader);
+ return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ietf_attr_string_version_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ietf_attr_string_version_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->version.ptr);
+ free(this->build.ptr);
+ free(this->config.ptr);
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ietf_attr_string_version_t, get_version, chunk_t,
+ private_ietf_attr_string_version_t *this, chunk_t *build, chunk_t *config)
+{
+ if (build)
+ {
+ *build = this->build;
+ }
+ if (config)
+ {
+ *config = this->config;
+ }
+ return this->version;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_string_version_create(chunk_t version, chunk_t build,
+ chunk_t config)
+{
+ private_ietf_attr_string_version_t *this;
+
+ /* limit version numbers to 255 octets */
+ version.len = min(255, version.len);
+ build.len = min(255, build.len);
+ config.len = min(255, config.len);
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_version = _get_version,
+ },
+ .type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+ .version = chunk_clone(version),
+ .build = chunk_clone(build),
+ .config = chunk_clone(config),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_string_version_create_from_data(chunk_t data)
+{
+ private_ietf_attr_string_version_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .get_version = _get_version,
+ },
+ .type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+ .value = chunk_clone(data),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
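Review bot: process() treats the attribute as valid even when bytes remain in `this->value` after the Configuration Version Number field, because nothing checks the reader once the third `read_data8()` succeeds. The value comes from the peer through `ietf_attr_string_version_create_from_data()`, so a strict parser would reject the surplus before the `chunk_clone()` calls, for example with `if (reader->remaining(reader)) { DBG1(DBG_TNC, "trailing data in IETF string version"); goto end; }` and `*offset` pointing at the first unexpected byte. Separately, a second process() call on the same object would overwrite `this->version`, `this->build` and `this->config` without freeing the earlier clones; whether callers can do that is not visible in this file.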
diff --git a/src/libimcv/ietf/ietf_attr_string_version.h b/src/libimcv/ietf/ietf_attr_string_version.h
new file mode 100644
index 000000000..5ffbea8e0
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_string_version.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_string_versiont ietf_attr_string_version
+ * @{ @ingroup ietf
+ */
+
+#ifndef IETF_ATTR_STRING_VERSION_H_
+#define IETF_ATTR_STRING_VERSION_H_
+
+typedef struct ietf_attr_string_version_t ietf_attr_string_version_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC String Version attribute.
+ *
+ */
+struct ietf_attr_string_version_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Gets the Product Version Number and optionally the Internal Build
+ * and Configuration Version Numbers
+ *
+ * @param build Internal Build Number (if build != NULL)
+ * @param config Configuration Version Number (if config != NULL)
+ * @return Product Version Number
+ */
+ chunk_t (*get_version)(ietf_attr_string_version_t *this, chunk_t *build,
+ chunk_t *config);
+};
+
+/**
+ * Creates an ietf_attr_string_version_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_string_version_create(chunk_t version, chunk_t build,
+ chunk_t config);
+
+/**
+ * Creates an ietf_attr_string_version_t object from received data
+ *
+ * @param value unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_string_version_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_STRING_VERSION_H_ @}*/
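Review bot: The Doxygen comment on `ietf_attr_string_version_create()` documents none of its three parameters and does not mention that the implementation truncates each of them to 255 octets. I would add `@param version Product Version Number (at most 255 octets)` and the matching lines for `build` and `config`. The group name in `@defgroup ietf_attr_string_versiont` also looks like a typo for `ietf_attr_string_version`.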
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index 8d1e70716..161623477 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -18,7 +18,7 @@
#include <tncif_names.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
typedef struct private_imc_agent_t private_imc_agent_t;
@@ -39,14 +39,14 @@ struct private_imc_agent_t {
const char *name;
/**
- * message vendor ID of IMC
+ * message types registered by IMC
*/
- TNC_VendorID vendor_id;
+ pen_type_t *supported_types;
/**
- * message subtype of IMC
+ * number of message types registered by IMC
*/
- TNC_MessageSubtype subtype;
+ u_int32_t type_count;
/**
* ID of IMC as assigned by TNCC
@@ -95,45 +95,6 @@ struct private_imc_agent_t {
TNC_UInt32 type_count);
/**
- * Call when an IMC-IMC message is to be sent
- *
- * @param imc_id IMC ID assigned by TNCC
- * @param connection_id network connection ID assigned by TNCC
- * @param msg message to send
- * @param msg_len message length in bytes
- * @param msg_type message type
- * @return TNC result code
- */
- TNC_Result (*send_message)(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_MessageType msg_type);
-
-
- /**
- * Call when an IMC-IMC message is to be sent with long message types
- *
- * @param imc_id IMC ID assigned by TNCC
- * @param connection_id network connection ID assigned by TNCC
- * @param msg_flags message flags
- * @param msg message to send
- * @param msg_len message length in bytes
- * @param msg_vid message vendor ID
- * @param msg_subtype message subtype
- * @param dst_imc_id destination IMV ID
- * @return TNC result code
- */
- TNC_Result (*send_message_long)(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 dst_imv_id);
-
- /**
* Get the value of an attribute associated with a connection
* or with the TNCC as a whole.
*
@@ -205,14 +166,14 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
this->public.request_handshake_retry = NULL;
}
if (bind_function(this->id, "TNC_TNCC_SendMessage",
- (void**)&this->send_message) != TNC_RESULT_SUCCESS)
+ (void**)&this->public.send_message) != TNC_RESULT_SUCCESS)
{
- this->send_message = NULL;
+ this->public.send_message = NULL;
}
if (bind_function(this->id, "TNC_TNCC_SendMessageLong",
- (void**)&this->send_message_long) != TNC_RESULT_SUCCESS)
+ (void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS)
{
- this->send_message_long = NULL;
+ this->public.send_message_long = NULL;
}
if (bind_function(this->id, "TNC_TNCC_GetAttribute",
(void**)&this->get_attribute) != TNC_RESULT_SUCCESS)
@@ -234,17 +195,37 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
if (this->report_message_types_long)
{
- this->report_message_types_long(this->id, &this->vendor_id,
- &this->subtype, 1);
+ TNC_VendorIDList vendor_id_list;
+ TNC_MessageSubtypeList subtype_list;
+ int i;
+
+ vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32));
+ subtype_list = malloc(this->type_count * sizeof(TNC_UInt32));
+
+ for (i = 0; i < this->type_count; i++)
+ {
+ vendor_id_list[i] = this->supported_types[i].vendor_id;
+ subtype_list[i] = this->supported_types[i].type;
+ }
+ this->report_message_types_long(this->id, vendor_id_list, subtype_list,
+ this->type_count);
+ free(vendor_id_list);
+ free(subtype_list);
}
- else if (this->report_message_types &&
- this->vendor_id <= TNC_VENDORID_ANY &&
- this->subtype <= TNC_SUBTYPE_ANY)
+ else if (this->report_message_types)
{
- TNC_MessageType type;
+ TNC_MessageTypeList type_list;
+ int i;
+
+ type_list = malloc(this->type_count * sizeof(TNC_UInt32));
- type = (this->vendor_id << 8) | this->subtype;
- this->report_message_types(this->id, &type, 1);
+ for (i = 0; i < this->type_count; i++)
+ {
+ type_list[i] = (this->supported_types[i].vendor_id << 8) |
+ (this->supported_types[i].type & 0xff);
+ }
+ this->report_message_types(this->id, type_list, this->type_count);
+ free(type_list);
}
return TNC_RESULT_SUCCESS;
}
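Review bot: The short-type branch no longer guards against message types that do not fit the 24+8 bit format. The removed code registered only when `vendor_id <= TNC_VENDORID_ANY` and `subtype <= TNC_SUBTYPE_ANY`; the new loop shifts `vendor_id` and masks the type with `0xff`, so an oversized entry is reported to the TNCC as a different, truncated message type. Skipping such entries and passing the number actually written keeps the old behaviour; the loop index would also be better as `u_int32_t` to match `type_count`. The three `malloc()` results in this hunk are used unchecked. bind_functions() starts before this hunk.

```c
	else if (this->report_message_types)
	{
		TNC_MessageTypeList type_list;
		u_int32_t i, count = 0;

		type_list = malloc(this->type_count * sizeof(TNC_UInt32));

		for (i = 0; i < this->type_count; i++)
		{
			/* skip types that cannot be expressed in the short format */
			if (this->supported_types[i].vendor_id > TNC_VENDORID_ANY ||
				this->supported_types[i].type > TNC_SUBTYPE_ANY)
			{
				continue;
			}
			type_list[count++] = (this->supported_types[i].vendor_id << 8) |
								  this->supported_types[i].type;
		}
		this->report_message_types(this->id, type_list, count);
		free(type_list);
	}
```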
@@ -372,7 +353,7 @@ METHOD(imc_agent_t, create_state, TNC_Result,
has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
- tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
+ tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
@@ -427,7 +408,7 @@ METHOD(imc_agent_t, change_state, TNC_Result,
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
case TNC_CONNECTION_STATE_ACCESS_NONE:
state = find_connection(this, connection_id);
-
+
if (!state)
{
DBG1(DBG_IMC, "IMC %u \"%s\" has no state for Connection ID %u",
@@ -455,7 +436,7 @@ METHOD(imc_agent_t, change_state, TNC_Result,
DBG1(DBG_IMC, "IMC %u \"%s\" was notified of unknown state %u "
"for Connection ID %u",
this->id, this->name, new_state, connection_id);
- return TNC_RESULT_INVALID_PARAMETER;
+ return TNC_RESULT_INVALID_PARAMETER;
}
return TNC_RESULT_SUCCESS;
}
@@ -474,165 +455,16 @@ METHOD(imc_agent_t, get_state, bool,
return TRUE;
}
-METHOD(imc_agent_t, send_message, TNC_Result,
- private_imc_agent_t *this, TNC_ConnectionID connection_id, bool excl,
- TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, linked_list_t *attr_list)
+METHOD(imc_agent_t, get_name, const char*,
+ private_imc_agent_t *this)
{
- TNC_MessageType type;
- TNC_UInt32 msg_flags;
- TNC_Result result = TNC_RESULT_FATAL;
- imc_state_t *state;
- pa_tnc_attr_t *attr;
- pa_tnc_msg_t *pa_tnc_msg;
- chunk_t msg;
- enumerator_t *enumerator;
- bool attr_added;
-
- state = find_connection(this, connection_id);
- if (!state)
- {
- DBG1(DBG_IMV, "IMC %u \"%s\" has no state for Connection ID %u",
- this->id, this->name, connection_id);
- return TNC_RESULT_FATAL;
- }
-
- while (attr_list->get_count(attr_list))
- {
- pa_tnc_msg = pa_tnc_msg_create(state->get_max_msg_len(state));
- attr_added = FALSE;
-
- enumerator = attr_list->create_enumerator(attr_list);
- while (enumerator->enumerate(enumerator, &attr))
- {
- if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
- {
- attr_added = TRUE;
- }
- else
- {
- if (attr_added)
- {
- break;
- }
- else
- {
- DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");
- attr->destroy(attr);
- }
- }
- attr_list->remove_at(attr_list, enumerator);
- }
- enumerator->destroy(enumerator);
-
- /* build and send the PA-TNC message via the IF-IMC interface */
- if (!pa_tnc_msg->build(pa_tnc_msg))
- {
- pa_tnc_msg->destroy(pa_tnc_msg);
- return TNC_RESULT_FATAL;
- }
- msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
-
- if (state->has_long(state) && this->send_message_long)
- {
- if (!src_imc_id)
- {
- src_imc_id = this->id;
- }
- msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
-
- result = this->send_message_long(src_imc_id, connection_id,
- msg_flags, msg.ptr, msg.len, this->vendor_id,
- this->subtype, dst_imv_id);
- }
- else if (this->send_message)
- {
- type = (this->vendor_id << 8) | this->subtype;
-
- result = this->send_message(this->id, connection_id, msg.ptr,
- msg.len, type);
- }
-
- pa_tnc_msg->destroy(pa_tnc_msg);
-
- if (result != TNC_RESULT_SUCCESS)
- {
- break;
- }
- }
- return result;
+ return this->name;
}
-METHOD(imc_agent_t, receive_message, TNC_Result,
- private_imc_agent_t *this, imc_state_t *state, chunk_t msg,
- TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, pa_tnc_msg_t **pa_tnc_msg)
+METHOD(imc_agent_t, get_id, TNC_IMCID,
+ private_imc_agent_t *this)
{
- pa_tnc_msg_t *pa_msg;
- pa_tnc_attr_t *error_attr;
- linked_list_t *error_attr_list;
- enumerator_t *enumerator;
- TNC_UInt32 src_imc_id, dst_imv_id;
- TNC_ConnectionID connection_id;
- TNC_Result result;
-
- connection_id = state->get_connection_id(state);
-
- if (state->has_long(state))
- {
- if (dst_imc_id != TNC_IMCID_ANY)
- {
- DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
- "from IMV %u to IMC %u", this->id, this->name,
- connection_id, src_imv_id, dst_imc_id);
- }
- else
- {
- DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
- "from IMV %u", this->id, this->name, connection_id,
- src_imv_id);
- }
- }
- else
- {
- DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u",
- this->id, this->name, connection_id);
- }
-
- *pa_tnc_msg = NULL;
- pa_msg = pa_tnc_msg_create_from_data(msg);
-
- switch (pa_msg->process(pa_msg))
- {
- case SUCCESS:
- *pa_tnc_msg = pa_msg;
- break;
- case VERIFY_ERROR:
- /* extract and copy by refence all error attributes */
- error_attr_list = linked_list_create();
-
- enumerator = pa_msg->create_error_enumerator(pa_msg);
- while (enumerator->enumerate(enumerator, &error_attr))
- {
- error_attr_list->insert_last(error_attr_list,
- error_attr->get_ref(error_attr));
- }
- enumerator->destroy(enumerator);
-
- src_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? this->id : dst_imc_id;
- dst_imv_id = state->has_excl(state) ? src_imv_id : TNC_IMVID_ANY;
-
- result = send_message(this, connection_id, state->has_excl(state),
- src_imc_id, dst_imv_id, error_attr_list);
-
- error_attr_list->destroy(error_attr_list);
- pa_msg->destroy(pa_msg);
- return result;
- case FAILED:
- default:
- pa_msg->destroy(pa_msg);
- return TNC_RESULT_FATAL;
- }
- return TNC_RESULT_SUCCESS;
+ return this->id;
}
METHOD(imc_agent_t, reserve_additional_ids, TNC_Result,
@@ -697,7 +529,7 @@ METHOD(imc_agent_t, destroy, void,
* Described in header.
*/
imc_agent_t *imc_agent_create(const char *name,
- pen_t vendor_id, u_int32_t subtype,
+ pen_type_t *supported_types, u_int32_t type_count,
TNC_IMCID id, TNC_Version *actual_version)
{
private_imc_agent_t *this;
@@ -715,22 +547,22 @@ imc_agent_t *imc_agent_create(const char *name,
.delete_state = _delete_state,
.change_state = _change_state,
.get_state = _get_state,
- .send_message = _send_message,
- .receive_message = _receive_message,
+ .get_name = _get_name,
+ .get_id = _get_id,
.reserve_additional_ids = _reserve_additional_ids,
.count_additional_ids = _count_additional_ids,
.create_id_enumerator = _create_id_enumerator,
.destroy = _destroy,
},
.name = name,
- .vendor_id = vendor_id,
- .subtype = subtype,
+ .supported_types = supported_types,
+ .type_count = type_count,
.id = id,
.additional_ids = linked_list_create(),
.connections = linked_list_create(),
.connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
-
+
*actual_version = TNC_IFIMC_VERSION_1;
DBG1(DBG_IMC, "IMC %u \"%s\" initialized", this->id, this->name);
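Review bot: `.supported_types = supported_types` stores the caller's array pointer rather than a copy, so the array has to stay valid for as long as the agent exists, since bind_functions() reads it later. Nothing in this hunk or in the header comment for `imc_agent_create()` states that requirement. Either copy the array here and free it in destroy(), or document it in the header as `@param supported_types list of message types registered by the IMC, must outlive the agent`. The function body starts before this hunk and destroy() is not shown, so the intended ownership is an assumption.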
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index e87450aa6..aef10c0d7 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
@@ -27,7 +27,7 @@
#include <tncifimc.h>
#include <pen/pen.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <library.h>
@@ -51,6 +51,44 @@ struct imc_agent_t {
TNC_RetryReason reason);
/**
+ * Call when an IMC-IMC message is to be sent
+ *
+ * @param imc_id IMC ID assigned by TNCC
+ * @param connection_id network connection ID assigned by TNCC
+ * @param msg message to send
+ * @param msg_len message length in bytes
+ * @param msg_type message type
+ * @return TNC result code
+ */
+ TNC_Result (*send_message)(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_MessageType msg_type);
+
+ /**
+ * Call when an IMC-IMC message is to be sent with long message types
+ *
+ * @param imc_id IMC ID assigned by TNCC
+ * @param connection_id network connection ID assigned by TNCC
+ * @param msg_flags message flags
+ * @param msg message to send
+ * @param msg_len message length in bytes
+ * @param msg_vid message vendor ID
+ * @param msg_subtype message subtype
+ * @param dst_imc_id destination IMV ID
+ * @return TNC result code
+ */
+ TNC_Result (*send_message_long)(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 msg_flags,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 dst_imv_id);
+
+ /**
* Bind TNCC functions
*
* @param bind_function function offered by the TNCC
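Review bot: `send_message` and `send_message_long` are now public members, but their comments do not say that they can be NULL. bind_functions() in imc_agent.c sets each one to NULL when the TNCC does not offer the function, so callers outside the agent must test the pointer before calling it. I would add `May be NULL if the TNCC does not provide the function` to both comments. The line `@param dst_imc_id destination IMV ID` also names a parameter that is declared as `dst_imv_id`.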
@@ -100,39 +138,18 @@ struct imc_agent_t {
TNC_ConnectionID connection_id, imc_state_t **state);
/**
- * Call when an PA-TNC message is to be sent
+ * Get IMC name
*
- * @param connection_id network connection ID assigned by TNCC
- * @param excl exclusive flag
- * @param src_imc_id IMC ID to be set as source
- * @param dst_imv_id IMV ID to be set as destination
- * @param attr_list list of PA-TNC attributes to send
- * @return TNC result code
+ * return IMC name
*/
- TNC_Result (*send_message)(imc_agent_t *this,
- TNC_ConnectionID connection_id, bool excl,
- TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
- linked_list_t *attr_list);
+ const char* (*get_name)(imc_agent_t *this);
/**
- * Call when a PA-TNC message was received
+ * Get base IMC ID
*
- * @param state state for current connection
- * @param msg received unparsed message
- * @param msg_vid message vendorID of the received message
- * @param msg_subtype message subtype of the received message
- * @param src_imv_id source IMV ID
- * @param dst_imc_id destination IMC ID
- * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred
- * @return TNC result code
+ * return base IMC ID
*/
- TNC_Result (*receive_message)(imc_agent_t *this,
- imc_state_t *state, chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id,
- TNC_UInt32 dst_imc_id,
- pa_tnc_msg_t **pa_tnc_msg);
+ TNC_IMCID (*get_id)(imc_agent_t *this);
/**
* Reserve additional IMC IDs from TNCC
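Review bot: The new comments for `get_name` and `get_id` write `return IMC name` and `return base IMC ID` without the `@`, so Doxygen will treat them as description text rather than a return tag. Use `@return IMC name` and `@return base IMC ID`, as the other members of this struct do.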
@@ -164,14 +181,14 @@ struct imc_agent_t {
* Create an imc_agent_t object
*
* @param name name of the IMC
- * @param vendor_id vendor ID of the IMC
- * @param subtype message subtype of the IMC
+ * @param supported_types list of message types registered by the IMC
+ * @param type_count number of registered message types
* @param id ID of the IMC as assigned by the TNCS
* @param actual_version actual version of the IF-IMC API
*
*/
imc_agent_t *imc_agent_create(const char *name,
- pen_t vendor_id, u_int32_t subtype,
+ pen_type_t *supported_types, u_int32_t type_count,
TNC_IMCID id, TNC_Version *actual_version);
#endif /** IMC_AGENT_H_ @}*/
diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c
new file mode 100644
index 000000000..050e63f32
--- /dev/null
+++ b/src/libimcv/imc/imc_msg.c
@@ -0,0 +1,457 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_msg.h"
+
+#include "ietf/ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+
+#include <tncif_names.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_imc_msg_t private_imc_msg_t;
+
+/**
+ * Private data of a imc_msg_t object.
+ *
+ */
+struct private_imc_msg_t {
+
+ /**
+ * Public imc_msg_t interface.
+ */
+ imc_msg_t public;
+
+ /**
+ * Connection ID
+ */
+ TNC_ConnectionID connection_id;
+
+ /**
+ * source ID
+ */
+ TNC_UInt32 src_id;
+
+ /**
+ * destination ID
+ */
+ TNC_UInt32 dst_id;
+
+ /**
+ * PA-TNC message type
+ */
+ pen_type_t msg_type;
+
+ /**
+ * List of PA-TNC attributes to be sent
+ */
+ linked_list_t *attr_list;
+
+ /**
+ * PA-TNC message
+ */
+ pa_tnc_msg_t *pa_msg;
+
+ /**
+ * Assigned IMC agent
+ */
+ imc_agent_t *agent;
+
+ /**
+ * Assigned IMC state
+ */
+ imc_state_t *state;
+};
+
+METHOD(imc_msg_t, get_src_id, TNC_UInt32,
+ private_imc_msg_t *this)
+{
+ return this->src_id;
+}
+
+METHOD(imc_msg_t, get_dst_id, TNC_UInt32,
+ private_imc_msg_t *this)
+{
+ return this->dst_id;
+}
+
+METHOD(imc_msg_t, send_, TNC_Result,
+ private_imc_msg_t *this, bool excl)
+{
+ pa_tnc_msg_t *pa_tnc_msg;
+ pa_tnc_attr_t *attr;
+ TNC_UInt32 msg_flags;
+ TNC_MessageType msg_type;
+ bool attr_added;
+ chunk_t msg;
+ enumerator_t *enumerator;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
+ while (this->attr_list->get_count(this->attr_list))
+ {
+ pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
+ attr_added = FALSE;
+
+ enumerator = this->attr_list->create_enumerator(this->attr_list);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+ {
+ attr_added = TRUE;
+ }
+ else
+ {
+ if (attr_added)
+ {
+ break;
+ }
+ else
+ {
+ DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");
+ attr->destroy(attr);
+ }
+ }
+ this->attr_list->remove_at(this->attr_list, enumerator);
+ }
+ enumerator->destroy(enumerator);
+
+ /* build and send the PA-TNC message via the IF-IMC interface */
+ if (!pa_tnc_msg->build(pa_tnc_msg))
+ {
+ pa_tnc_msg->destroy(pa_tnc_msg);
+ return TNC_RESULT_FATAL;
+ }
+ msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
+ DBG3(DBG_IMC, "created PA-TNC message: %B", &msg);
+
+ if (this->state->has_long(this->state) && this->agent->send_message_long)
+ {
+ excl = excl && this->state->has_excl(this->state) &&
+ this->dst_id != TNC_IMVID_ANY;
+ msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+ result = this->agent->send_message_long(this->src_id,
+ this->connection_id, msg_flags, msg.ptr, msg.len,
+ this->msg_type.vendor_id, this->msg_type.type,
+ this->dst_id);
+ }
+ else if (this->agent->send_message)
+ {
+ msg_type = (this->msg_type.vendor_id << 8) |
+ (this->msg_type.type & 0x000000ff);
+ result = this->agent->send_message(this->src_id, this->connection_id,
+ msg.ptr, msg.len, msg_type);
+ }
+
+ pa_tnc_msg->destroy(pa_tnc_msg);
+
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ break;
+ }
+ }
+ return result;
+}
+
+/**
+ * Print a clearly visible assessment header to the log
+ */
+static void print_assessment_header(const char *name, TNC_UInt32 id, bool *first)
+{
+ if (*first)
+ {
+ DBG1(DBG_IMC, "***** assessment of IMC %u \"%s\" *****", id, name);
+ *first = FALSE;
+ }
+}
+
+/**
+ * Print a clearly visible assessment trailer to the log
+ */
+static void print_assessment_trailer(bool first)
+{
+ if (!first)
+ {
+ DBG1(DBG_IMC, "***** end of assessment *****");
+ }
+}
+
+METHOD(imc_msg_t, receive, TNC_Result,
+ private_imc_msg_t *this, bool *fatal_error)
+{
+ TNC_UInt32 target_imc_id;
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t attr_type;
+ chunk_t msg;
+ bool first = TRUE;
+
+ if (this->state->has_long(this->state))
+ {
+ if (this->dst_id != TNC_IMCID_ANY)
+ {
+ DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
+ "from IMV %u to IMC %u",
+ this->agent->get_id(this->agent),
+ this->agent->get_name(this->agent),
+ this->connection_id, this->src_id, this->dst_id);
+ }
+ else
+ {
+ DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
+ "from IMV %u", this->agent->get_id(this->agent),
+ this->agent->get_name(this->agent),
+ this->connection_id, this->src_id);
+ }
+ }
+ else
+ {
+ DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u",
+ this->agent->get_id(this->agent),
+ this->agent->get_name(this->agent),
+ this->connection_id);
+ }
+ msg = this->pa_msg->get_encoding(this->pa_msg);
+ DBG3(DBG_IMC, "%B", &msg);
+
+ switch (this->pa_msg->process(this->pa_msg))
+ {
+ case SUCCESS:
+ break;
+ case VERIFY_ERROR:
+ {
+ imc_msg_t *error_msg;
+ TNC_Result result;
+
+ error_msg = imc_msg_create_as_reply(&this->public);
+
+ /* extract and copy by reference all error attributes */
+ enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ error_msg->add_attribute(error_msg, attr->get_ref(attr));
+ }
+ enumerator->destroy(enumerator);
+
+ /*
+ * send the PA-TNC message containing all error attributes
+ * with the excl flag set
+ */
+ result = error_msg->send(error_msg, TRUE);
+ error_msg->destroy(error_msg);
+ return result;
+ }
+ case FAILED:
+ default:
+ return TNC_RESULT_FATAL;
+ }
+
+ /* determine target IMC ID */
+ target_imc_id = (this->dst_id != TNC_IMCID_ANY) ?
+ this->dst_id : this->agent->get_id(this->agent);
+
+ /* preprocess any received IETF standard error attributes */
+ *fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+
+ /* preprocess any received IETF assessment result attribute */
+ enumerator = this->pa_msg->create_attribute_enumerator(this->pa_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ attr_type = attr->get_type(attr);
+
+ if (attr_type.vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ if (attr_type.type == IETF_ATTR_ASSESSMENT_RESULT)
+ {
+ ietf_attr_assess_result_t *attr_cast;
+ TNC_IMV_Evaluation_Result result;
+
+ attr_cast = (ietf_attr_assess_result_t*)attr;
+ result = attr_cast->get_result(attr_cast);
+ this->state->set_result(this->state, target_imc_id, result);
+
+ print_assessment_header(this->agent->get_name(this->agent),
+ target_imc_id, &first);
+ DBG1(DBG_IMC, "assessment result is '%N'",
+ TNC_IMV_Evaluation_Result_names, result);
+ }
+ else if (attr_type.type == IETF_ATTR_REMEDIATION_INSTRUCTIONS)
+ {
+ ietf_attr_remediation_instr_t *attr_cast;
+ pen_type_t parameters_type;
+ chunk_t parameters, string, lang_code;
+
+ attr_cast = (ietf_attr_remediation_instr_t*)attr;
+ parameters_type = attr_cast->get_parameters_type(attr_cast);
+ parameters = attr_cast->get_parameters(attr_cast);
+
+ print_assessment_header(this->agent->get_name(this->agent),
+ target_imc_id, &first);
+ if (parameters_type.vendor_id == PEN_IETF)
+ {
+ switch (parameters_type.type)
+ {
+ case IETF_REMEDIATION_PARAMETERS_URI:
+ DBG1(DBG_IMC, "remediation uri: %.*s",
+ parameters.len, parameters.ptr);
+ break;
+ case IETF_REMEDIATION_PARAMETERS_STRING:
+ string = attr_cast->get_string(attr_cast, &lang_code);
+ DBG1(DBG_IMC, "remediation string: [%.*s]\n%.*s",
+ lang_code.len, lang_code.ptr,
+ string.len, string.ptr);
+ break;
+ default:
+ DBG1(DBG_IMC, "remediation parameters: %B", &parameters);
+ }
+ }
+ else
+ {
+ DBG1(DBG_IMC, "remediation parameters: %B", &parameters);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ print_assessment_trailer(first);
+
+ return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imc_msg_t, add_attribute, void,
+ private_imc_msg_t *this, pa_tnc_attr_t *attr)
+{
+ this->attr_list->insert_last(this->attr_list, attr);
+}
+
+METHOD(imc_msg_t, create_attribute_enumerator, enumerator_t*,
+ private_imc_msg_t *this)
+{
+ return this->pa_msg->create_attribute_enumerator(this->pa_msg);
+}
+
+METHOD(imc_msg_t, get_encoding, chunk_t,
+ private_imc_msg_t *this)
+{
+ if (this->pa_msg)
+ {
+ return this->pa_msg->get_encoding(this->pa_msg);
+ }
+ return chunk_empty;
+}
+
+METHOD(imc_msg_t, destroy, void,
+ private_imc_msg_t *this)
+{
+ this->attr_list->destroy_offset(this->attr_list,
+ offsetof(pa_tnc_attr_t, destroy));
+ DESTROY_IF(this->pa_msg);
+ free(this);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create(imc_agent_t *agent, imc_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id, TNC_UInt32 dst_id,
+ pen_type_t msg_type)
+{
+ private_imc_msg_t *this;
+
+ INIT(this,
+ .public = {
+ .get_src_id = _get_src_id,
+ .get_dst_id = _get_dst_id,
+ .send = _send_,
+ .receive = _receive,
+ .add_attribute = _add_attribute,
+ .create_attribute_enumerator = _create_attribute_enumerator,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .connection_id = connection_id,
+ .src_id = src_id,
+ .dst_id = dst_id,
+ .msg_type = msg_type,
+ .attr_list = linked_list_create(),
+ .agent = agent,
+ .state = state,
+ );
+
+ return &this->public;
+}
+
+/**
+ * See header
+ */
+imc_msg_t* imc_msg_create_as_reply(imc_msg_t *msg)
+{
+ private_imc_msg_t *in;
+ TNC_UInt32 src_id;
+
+ in = (private_imc_msg_t*)msg;
+ src_id = (in->dst_id != TNC_IMCID_ANY) ?
+ in->dst_id : in->agent->get_id(in->agent);
+
+ return imc_msg_create(in->agent, in->state, in->connection_id, src_id,
+ in->src_id, in->msg_type);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_MessageType msg_type,
+ chunk_t msg)
+{
+ TNC_VendorID msg_vid;
+ TNC_MessageSubtype msg_subtype;
+
+ msg_vid = msg_type >> 8;
+ msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+ return imc_msg_create_from_long_data(agent, state, connection_id,
+ TNC_IMVID_ANY, agent->get_id(agent),
+ msg_vid, msg_subtype, msg);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id,
+ TNC_UInt32 dst_id,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ chunk_t msg)
+{
+ private_imc_msg_t *this;
+
+ this = (private_imc_msg_t*)imc_msg_create(agent, state,
+ connection_id, src_id, dst_id,
+ pen_type_create(msg_vid, msg_subtype));
+ this->pa_msg = pa_tnc_msg_create_from_data(msg);
+
+ return &this->public;
+}
+
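Review bot: send_() starts with `result = TNC_RESULT_SUCCESS` and has no branch for the case where neither `send_message_long` nor `send_message` is bound, so the loop drains `attr_list`, destroys each built message unsent and returns success. The removed imc_agent.c version initialised the result to `TNC_RESULT_FATAL` for that case. Adding `else { result = TNC_RESULT_FATAL; }` after the `else if (this->agent->send_message)` branch restores it while keeping success for an empty list. In receive(), `this->pa_msg` is dereferenced without the NULL check that get_encoding() has, which matters for objects made by `imc_msg_create()`. The `%.*s` log calls there print peer-supplied remediation text and pass `chunk_t` lengths where the format expects an `int`, assuming `len` is a `size_t`; an explicit `(int)` cast would make that safe.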
diff --git a/src/libimcv/imc/imc_msg.h b/src/libimcv/imc/imc_msg.h
new file mode 100644
index 000000000..6dd712e84
--- /dev/null
+++ b/src/libimcv/imc/imc_msg.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_msg imc_msg
+ * @{ @ingroup libimcv
+ */
+
+#ifndef IMC_MSG_H_
+#define IMC_MSG_H_
+
+#include <imc/imc_agent.h>
+
+typedef struct imc_msg_t imc_msg_t;
+
+#include <library.h>
+
+/**
+ * Interface for a PA-TNC message handled by an IMC.
+ *
+ */
+struct imc_msg_t {
+
+ /**
+ * Get source ID of PA-TNC message
+ *
+ * @return src ID
+ */
+ TNC_UInt32 (*get_src_id)(imc_msg_t *this);
+
+ /**
+ * Get destination ID of PA-TNC message
+ *
+ * @return destination ID
+ */
+ TNC_UInt32 (*get_dst_id)(imc_msg_t *this);
+
+ /**
+ * Sends one or multiple PA-TNC messages
+ *
+ * @param excl set the excl message flag if supported
+ * @return TNC result code
+ */
+ TNC_Result (*send)(imc_msg_t *this, bool excl);
+
+ /**
+ * Processes a received PA-TNC message
+ *
+ * @param fatal_error TRUE if IMV sent a fatal error message
+ * @return TNC result code
+ */
+ TNC_Result (*receive)(imc_msg_t *this, bool *fatal_error);
+
+ /**
+ * Add a PA-TNC attribute to the send queue
+ *
+ * @param attr PA-TNC attribute to be added
+ */
+ void (*add_attribute)(imc_msg_t *this, pa_tnc_attr_t *attr);
+
+ /**
+ * Enumerator over PA-TNC attributes contained in the PA-TNC message
+ *
+ * @return PA-TNC attribute enumerator
+ */
+ enumerator_t* (*create_attribute_enumerator)(imc_msg_t *this);
+
+ /**
+ * Get the encoding of the IMC message.
+ *
+ * @return message encoding, internal data
+ */
+ chunk_t (*get_encoding)(imc_msg_t *this);
+
+ /**
+ * Destroys a imc_msg_t object.
+ */
+ void (*destroy)(imc_msg_t *this);
+};
+
+/**
+ * Create a wrapper for an outbound message
+ *
+ * @param agent IMC agent responsible for the message
+ * @param state IMC state for the given connection ID
+ * @param connection_id connection ID
+ * @param src_id source IMC ID
+ * @param dst_id destination IMV ID
+ * @param msg_type PA-TNC message type
+ */
+imc_msg_t* imc_msg_create(imc_agent_t *agent, imc_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id, TNC_UInt32 dst_id,
+ pen_type_t msg_type);
+
+/**
+ * Create a wrapper for an outbound message based on a received message
+ *
+ * @param msg received message the reply is based on
+ */
+imc_msg_t* imc_msg_create_as_reply(imc_msg_t *msg);
+
+/**
+ * Create a wrapper around message data received via the legacy IF-IMC interface
+ *
+ * @param agent IMC agent responsible for the message
+ * @param state IMC state for the given connection ID
+ * @param connection_id connection ID
+ * @param msg_type PA-TNC message type
+ * @param msg received PA-TNC message blob
+ */
+imc_msg_t* imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_MessageType msg_type,
+ chunk_t msg);
+
+/**
+ * Create a wrapper around message data received via the long IF-IMC interface
+ *
+ * @param agent IMC agent responsible for the message
+ * @param state IMC state for the given connection ID
+ * @param connection_id connection ID
+ * @param src_id source IMV ID
+ * @param dst_id destination IMC ID
+ * @param msg_flags PA-TNC message flags
+ * @param msg_vid PA-TNC message vendor ID
+ * @param msg_subtype PA-TNC subtype
+ * @param msg received PA-TNC message blob
+ */
+imc_msg_t* imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id, TNC_UInt32 dst_id,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ chunk_t msg);
+
+#endif /** IMC_MSG_H_ @}*/
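Review bot: The Doxygen block for `imc_msg_create_from_long_data` lists `@param msg_flags PA-TNC message flags`, but the prototype directly below it has no such argument: it goes from `dst_id` straight to `msg_vid`. Drop that line so the generated documentation matches the signature. None of the four constructors has an `@return` line either; `@return imc_msg_t object` on each would complete them. The definition passes `msg` to `pa_tnc_msg_create_from_data(msg)` with no copy visible in this diff, so the comment should also say whether the blob must outlive the wrapper, once that is confirmed.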
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index b84548f9b..e1b828d10 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -16,8 +16,8 @@
#include "ietf/ietf_attr.h"
#include "ita/ita_attr.h"
-#include <utils.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <utils/utils.h>
#include <pen/pen.h>
#include <syslog.h>
@@ -119,7 +119,7 @@ bool libimcv_init(void)
"libimcv.debug_level", IMCV_DEBUG_LEVEL);
imcv_stderr_quiet = lib->settings->get_int(lib->settings,
"libimcv.stderr_quiet", FALSE);
-
+
/* activate the imcv debugging hook */
dbg = imcv_dbg;
openlog("imcv", 0, LOG_DAEMON);
@@ -155,7 +155,7 @@ void libimcv_deinit(void)
}
if (ref_put(&libstrongswan_ref))
{
- library_deinit();
+ library_deinit();
}
}
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index fa04e0237..6a33e396c 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -19,7 +19,7 @@
#include <tncif_names.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
typedef struct private_imv_agent_t private_imv_agent_t;
@@ -40,19 +40,14 @@ struct private_imv_agent_t {
const char *name;
/**
- * message vendor ID of IMV
+ * message types registered by IMV
*/
- TNC_VendorID vendor_id;
+ pen_type_t *supported_types;
/**
- * message subtype of IMV
+ * number of message types registered by IMV
*/
- TNC_MessageSubtype subtype;
-
- /**
- * Maximum PA-TNC Message size
- */
- size_t max_msg_len;
+ u_int32_t type_count;
/**
* ID of IMV as assigned by TNCS
@@ -101,44 +96,6 @@ struct private_imv_agent_t {
TNC_UInt32 type_count);
/**
- * Call when an IMV-IMC message is to be sent
- *
- * @param imv_id IMV ID assigned by TNCS
- * @param connection_id network connection ID assigned by TNCS
- * @param msg message to send
- * @param msg_len message length in bytes
- * @param msg_type message type
- * @return TNC result code
- */
- TNC_Result (*send_message)(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_MessageType msg_type);
-
- /**
- * Call when an IMV-IMC message is to be sent with long message types
- *
- * @param imv_id IMV ID assigned by TNCS
- * @param connection_id network connection ID assigned by TNCS
- * @param msg_flags message flags
- * @param msg message to send
- * @param msg_len message length in bytes
- * @param msg_vid message vendor ID
- * @param msg_subtype message subtype
- * @param dst_imc_id destination IMC ID
- * @return TNC result code
- */
- TNC_Result (*send_message_long)(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 dst_imc_id);
-
- /**
* Deliver IMV Action Recommendation and IMV Evaluation Results to the TNCS
*
* @param imv_id IMV ID assigned by TNCS
@@ -224,14 +181,14 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
this->public.request_handshake_retry = NULL;
}
if (bind_function(this->id, "TNC_TNCS_SendMessage",
- (void**)&this->send_message) != TNC_RESULT_SUCCESS)
+ (void**)&this->public.send_message) != TNC_RESULT_SUCCESS)
{
- this->send_message = NULL;
+ this->public.send_message = NULL;
}
if (bind_function(this->id, "TNC_TNCS_SendMessageLong",
- (void**)&this->send_message_long) != TNC_RESULT_SUCCESS)
+ (void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS)
{
- this->send_message_long = NULL;
+ this->public.send_message_long = NULL;
}
if (bind_function(this->id, "TNC_TNCS_ProvideRecommendation",
(void**)&this->provide_recommendation) != TNC_RESULT_SUCCESS)
@@ -258,17 +215,37 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
if (this->report_message_types_long)
{
- this->report_message_types_long(this->id, &this->vendor_id,
- &this->subtype, 1);
+ TNC_VendorIDList vendor_id_list;
+ TNC_MessageSubtypeList subtype_list;
+ int i;
+
+ vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32));
+ subtype_list = malloc(this->type_count * sizeof(TNC_UInt32));
+
+ for (i = 0; i < this->type_count; i++)
+ {
+ vendor_id_list[i] = this->supported_types[i].vendor_id;
+ subtype_list[i] = this->supported_types[i].type;
+ }
+ this->report_message_types_long(this->id, vendor_id_list, subtype_list,
+ this->type_count);
+ free(vendor_id_list);
+ free(subtype_list);
}
- else if (this->report_message_types &&
- this->vendor_id <= TNC_VENDORID_ANY &&
- this->subtype <= TNC_SUBTYPE_ANY)
+ else if (this->report_message_types)
{
- TNC_MessageType type;
+ TNC_MessageTypeList type_list;
+ int i;
- type = (this->vendor_id << 8) | this->subtype;
- this->report_message_types(this->id, &type, 1);
+ type_list = malloc(this->type_count * sizeof(TNC_UInt32));
+
+ for (i = 0; i < this->type_count; i++)
+ {
+ type_list[i] = (this->supported_types[i].vendor_id << 8) |
+ (this->supported_types[i].type & 0xff);
+ }
+ this->report_message_types(this->id, type_list, this->type_count);
+ free(type_list);
}
return TNC_RESULT_SUCCESS;
}
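Review bot: In the `report_message_types` branch, `(vendor_id << 8) | (type & 0xff)` silently folds any supported type that does not fit the legacy 24 bit vendor ID / 8 bit subtype layout onto a different message type. The removed code only registered when `vendor_id <= TNC_VENDORID_ANY` and `subtype <= TNC_SUBTYPE_ANY`. With the new code an IMV can end up subscribed to a message type it never declared, so entries that do not fit should be left out of the list, as sketched below. Both branches also use the `malloc` results unchecked and compare a signed `int i` with the `u_int32_t type_count`. bind_functions begins outside this hunk.

```c
else if (this->report_message_types)
{
	TNC_MessageTypeList type_list;
	TNC_UInt32 i, count = 0;

	/* … unchanged: type_list allocation … */
	for (i = 0; i < this->type_count; i++)
	{
		/* legacy types hold a 24 bit vendor ID and an 8 bit subtype */
		if (this->supported_types[i].vendor_id > TNC_VENDORID_ANY ||
			this->supported_types[i].type > TNC_SUBTYPE_ANY)
		{
			continue;
		}
		type_list[count++] = (this->supported_types[i].vendor_id << 8) |
							  this->supported_types[i].type;
	}
	this->report_message_types(this->id, type_list, count);
	/* … unchanged: free(type_list) … */
}
```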
@@ -497,258 +474,16 @@ METHOD(imv_agent_t, get_state, bool,
return TRUE;
}
-METHOD(imv_agent_t, send_message, TNC_Result,
- private_imv_agent_t *this, TNC_ConnectionID connection_id, bool excl,
- TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, linked_list_t *attr_list)
-{
- TNC_MessageType type;
- TNC_UInt32 msg_flags;
- TNC_Result result = TNC_RESULT_FATAL;
- imv_state_t *state;
- pa_tnc_attr_t *attr;
- pa_tnc_msg_t *pa_tnc_msg;
- chunk_t msg;
- enumerator_t *enumerator;
- bool attr_added;
-
- state = find_connection(this, connection_id);
- if (!state)
- {
- DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
- this->id, this->name, connection_id);
- return TNC_RESULT_FATAL;
- }
-
- while (attr_list->get_count(attr_list))
- {
- pa_tnc_msg = pa_tnc_msg_create(this->max_msg_len);
- attr_added = FALSE;
-
- enumerator = attr_list->create_enumerator(attr_list);
- while (enumerator->enumerate(enumerator, &attr))
- {
- if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
- {
- attr_added = TRUE;
- }
- else
- {
- if (attr_added)
- {
- break;
- }
- else
- {
- DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted");
- attr->destroy(attr);
- }
- }
- attr_list->remove_at(attr_list, enumerator);
- }
- enumerator->destroy(enumerator);
-
- /* build and send the PA-TNC message via the IF-IMV interface */
- if (!pa_tnc_msg->build(pa_tnc_msg))
- {
- pa_tnc_msg->destroy(pa_tnc_msg);
- return TNC_RESULT_FATAL;
- }
- msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
-
- if (state->has_long(state) && this->send_message_long)
- {
- if (!src_imv_id)
- {
- src_imv_id = this->id;
- }
- msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
-
- result = this->send_message_long(src_imv_id, connection_id,
- msg_flags, msg.ptr, msg.len, this->vendor_id,
- this->subtype, dst_imc_id);
- }
- else if (this->send_message)
- {
- type = (this->vendor_id << 8) | this->subtype;
-
- result = this->send_message(this->id, connection_id, msg.ptr,
- msg.len, type);
- }
-
- pa_tnc_msg->destroy(pa_tnc_msg);
-
- if (result != TNC_RESULT_SUCCESS)
- {
- break;
- }
- }
- return result;
-}
-
-METHOD(imv_agent_t, set_recommendation, TNC_Result,
- private_imv_agent_t *this, TNC_ConnectionID connection_id,
- TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval)
-{
- imv_state_t *state;
-
- state = find_connection(this, connection_id);
- if (!state)
- {
- DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
- this->id, this->name, connection_id);
- return TNC_RESULT_FATAL;
- }
-
- state->set_recommendation(state, rec, eval);
- return this->provide_recommendation(this->id, connection_id, rec, eval);
-}
-
-METHOD(imv_agent_t, receive_message, TNC_Result,
- private_imv_agent_t *this, imv_state_t *state, chunk_t msg,
- TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, pa_tnc_msg_t **pa_tnc_msg)
+METHOD(imv_agent_t, get_name, const char*,
+ private_imv_agent_t *this)
{
- pa_tnc_msg_t *pa_msg;
- pa_tnc_attr_t *error_attr;
- linked_list_t *error_attr_list;
- enumerator_t *enumerator;
- TNC_UInt32 src_imv_id, dst_imc_id;
- TNC_ConnectionID connection_id;
- TNC_Result result;
-
- connection_id = state->get_connection_id(state);
-
- if (state->has_long(state))
- {
- if (dst_imv_id != TNC_IMVID_ANY)
- {
- DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
- "from IMC %u to IMV %u", this->id, this->name,
- connection_id, src_imc_id, dst_imv_id);
- }
- else
- {
- DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
- "from IMC %u", this->id, this->name, connection_id,
- src_imc_id);
- }
- }
- else
- {
- DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u",
- this->id, this->name, connection_id);
- }
-
- *pa_tnc_msg = NULL;
- pa_msg = pa_tnc_msg_create_from_data(msg);
-
- switch (pa_msg->process(pa_msg))
- {
- case SUCCESS:
- *pa_tnc_msg = pa_msg;
- break;
- case VERIFY_ERROR:
- /* extract and copy by refence all error attributes */
- error_attr_list = linked_list_create();
-
- enumerator = pa_msg->create_error_enumerator(pa_msg);
- while (enumerator->enumerate(enumerator, &error_attr))
- {
- error_attr_list->insert_last(error_attr_list,
- error_attr->get_ref(error_attr));
- }
- enumerator->destroy(enumerator);
-
- src_imv_id = (dst_imv_id == TNC_IMVID_ANY) ? this->id : dst_imv_id;
- dst_imc_id = state->has_excl(state) ? src_imc_id : TNC_IMCID_ANY;
-
- result = send_message(this, connection_id, state->has_excl(state),
- src_imv_id, dst_imc_id, error_attr_list);
-
- error_attr_list->destroy(error_attr_list);
- pa_msg->destroy(pa_msg);
- return result;
- case FAILED:
- default:
- pa_msg->destroy(pa_msg);
- state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
- return this->provide_recommendation(this->id, connection_id,
- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
- }
- return TNC_RESULT_SUCCESS;
+ return this->name;
}
-METHOD(imv_agent_t, provide_recommendation, TNC_Result,
- private_imv_agent_t *this, TNC_ConnectionID connection_id,
- TNC_UInt32 dst_imc_id)
+METHOD(imv_agent_t, get_id, TNC_IMVID,
+ private_imv_agent_t *this)
{
- imv_state_t *state;
- linked_list_t *attr_list;
- pa_tnc_attr_t *attr;
- TNC_Result result;
- TNC_IMV_Action_Recommendation rec;
- TNC_IMV_Evaluation_Result eval;
- TNC_UInt32 lang_len;
- char buf[BUF_LEN];
- chunk_t pref_lang = { buf, 0 }, reason_string, reason_lang;
-
- state = find_connection(this, connection_id);
- if (!state)
- {
- DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
- this->id, this->name, connection_id);
- return TNC_RESULT_FATAL;
- }
- state->get_recommendation(state, &rec, &eval);
-
- /* send a reason string if action recommendation is not allow */
- if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
- {
- /* check if there a preferred language has been requested */
- if (this->get_attribute &&
- this->get_attribute(this->id, connection_id,
- TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN,
- buf, &lang_len) == TNC_RESULT_SUCCESS &&
- lang_len <= BUF_LEN)
- {
- pref_lang.len = lang_len;
- DBG2(DBG_IMV, "preferred language is '%.*s'", (int)pref_lang.len,
- pref_lang.ptr);
- }
-
- /* find a reason string for the preferred or default language and set it */
- if (this->set_attribute &&
- state->get_reason_string(state, pref_lang, &reason_string,
- &reason_lang))
- {
- this->set_attribute(this->id, connection_id,
- TNC_ATTRIBUTEID_REASON_STRING,
- reason_string.len, reason_string.ptr);
- this->set_attribute(this->id, connection_id,
- TNC_ATTRIBUTEID_REASON_LANGUAGE,
- reason_lang.len, reason_lang.ptr);
- }
- }
-
- /* Send an IETF Assessment Result attribute if enabled */
- if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result", TRUE))
- {
- attr = ietf_attr_assess_result_create(eval);
- attr_list = linked_list_create();
- attr_list->insert_last(attr_list, attr);
- result = send_message(this, connection_id, FALSE, this->id, dst_imc_id,
- attr_list);
- attr_list->destroy(attr_list);
- if (result != TNC_RESULT_SUCCESS)
- {
- return result;
- }
- }
- return this->provide_recommendation(this->id, connection_id, rec, eval);
+ return this->id;
}
METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
@@ -796,6 +531,146 @@ METHOD(imv_agent_t, create_id_enumerator, enumerator_t*,
return this->additional_ids->create_enumerator(this->additional_ids);
}
+typedef struct {
+ /**
+ * implements enumerator_t
+ */
+ enumerator_t public;
+
+ /**
+ * language length
+ */
+ TNC_UInt32 lang_len;
+
+ /**
+ * language buffer
+ */
+ char lang_buf[BUF_LEN];
+
+ /**
+ * position pointer into language buffer
+ */
+ char *lang_pos;
+
+} language_enumerator_t;
+
+/**
+ * Implementation of language_enumerator.destroy.
+ */
+static void language_enumerator_destroy(language_enumerator_t *this)
+{
+ free(this);
+}
+
+/**
+ * Implementation of language_enumerator.enumerate
+ */
+static bool language_enumerator_enumerate(language_enumerator_t *this, ...)
+{
+ char *pos, *cur_lang, **lang;
+ TNC_UInt32 len;
+ va_list args;
+
+ if (!this->lang_len)
+ {
+ return FALSE;
+ }
+ cur_lang = this->lang_pos;
+ pos = strchr(this->lang_pos, ',');
+ if (pos)
+ {
+ len = pos - this->lang_pos;
+ this->lang_pos += len + 1,
+ this->lang_len -= len + 1;
+ }
+ else
+ {
+ len = this->lang_len;
+ pos = this->lang_pos + len;
+ this->lang_pos = NULL;
+ this->lang_len = 0;
+ }
+
+ /* remove preceding whitespace */
+ while (*cur_lang == ' ' && len--)
+ {
+ cur_lang++;
+ }
+
+ /* remove trailing whitespace */
+ while (len && *(--pos) == ' ')
+ {
+ len--;
+ }
+ cur_lang[len] = '\0';
+
+ va_start(args, this);
+ lang = va_arg(args, char**);
+ *lang = cur_lang;
+ va_end(args);
+
+ return TRUE;
+}
+
+METHOD(imv_agent_t, create_language_enumerator, enumerator_t*,
+ private_imv_agent_t *this, imv_state_t *state)
+{
+ language_enumerator_t *e;
+
+ /* Create a language enumerator instance */
+ e = malloc_thing(language_enumerator_t);
+ e->public.enumerate = (void*)language_enumerator_enumerate;
+ e->public.destroy = (void*)language_enumerator_destroy;
+
+ if (!this->get_attribute ||
+ !this->get_attribute(this->id, state->get_connection_id(state),
+ TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN,
+ e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS ||
+ e->lang_len >= BUF_LEN)
+ {
+ e->lang_len = 0;
+ }
+ e->lang_buf[e->lang_len] = '\0';
+ e->lang_pos = e->lang_buf;
+
+ return (enumerator_t*)e;
+}
+
+METHOD(imv_agent_t, provide_recommendation, TNC_Result,
+ private_imv_agent_t *this, imv_state_t *state)
+{
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ TNC_ConnectionID connection_id;
+ chunk_t reason_string;
+ char *reason_lang;
+ enumerator_t *e;
+
+ state->get_recommendation(state, &rec, &eval);
+ connection_id = state->get_connection_id(state);
+
+ /* send a reason string if action recommendation is not allow */
+ if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+ {
+ /* find a reason string for the preferred language and set it */
+ if (this->set_attribute)
+ {
+ e = create_language_enumerator(this, state);
+ if (state->get_reason_string(state, e, &reason_string, &reason_lang))
+ {
+ this->set_attribute(this->id, connection_id,
+ TNC_ATTRIBUTEID_REASON_STRING,
+ reason_string.len, reason_string.ptr);
+ this->set_attribute(this->id, connection_id,
+ TNC_ATTRIBUTEID_REASON_LANGUAGE,
+ strlen(reason_lang), reason_lang);
+ }
+ e->destroy(e);
+ }
+ }
+ return this->provide_recommendation(this->id, connection_id, rec, eval);
+}
+
METHOD(imv_agent_t, destroy, void,
private_imv_agent_t *this)
{
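Review bot: In `create_language_enumerator` the test `!this->get_attribute(...) == TNC_RESULT_SUCCESS` negates the return code before comparing it, so it only means "the call failed" as long as `TNC_RESULT_SUCCESS` is 0. Writing `this->get_attribute(...) != TNC_RESULT_SUCCESS` states the intent directly. In `language_enumerator_enumerate`, the line `this->lang_pos += len + 1,` ends in a comma where a semicolon is meant. The trim loop `while (*cur_lang == ' ' && len--)` would wrap the unsigned `len` if it were ever entered with `len == 0`, and `cur_lang[len] = '\0'` would then write far outside `lang_buf`; `while (len && *cur_lang == ' ') { cur_lang++; len--; }` removes that dependency. The preferred-language value is supplied from outside the IMV through `get_attribute`, so this parser is worth keeping strictly bounded.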
@@ -814,7 +689,7 @@ METHOD(imv_agent_t, destroy, void,
* Described in header.
*/
imv_agent_t *imv_agent_create(const char *name,
- pen_t vendor_id, u_int32_t subtype,
+ pen_type_t *supported_types, u_int32_t type_count,
TNC_IMVID id, TNC_Version *actual_version)
{
private_imv_agent_t *this;
@@ -832,19 +707,18 @@ imv_agent_t *imv_agent_create(const char *name,
.delete_state = _delete_state,
.change_state = _change_state,
.get_state = _get_state,
- .send_message = _send_message,
- .receive_message = _receive_message,
- .set_recommendation = _set_recommendation,
- .provide_recommendation = _provide_recommendation,
+ .get_name = _get_name,
+ .get_id = _get_id,
.reserve_additional_ids = _reserve_additional_ids,
.count_additional_ids = _count_additional_ids,
.create_id_enumerator = _create_id_enumerator,
+ .create_language_enumerator = _create_language_enumerator,
+ .provide_recommendation = _provide_recommendation,
.destroy = _destroy,
},
.name = name,
- .vendor_id = vendor_id,
- .subtype = subtype,
- .max_msg_len = 65490,
+ .supported_types = supported_types,
+ .type_count = type_count,
.id = id,
.additional_ids = linked_list_create(),
.connections = linked_list_create(),
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index 34ac3c109..5b2cffefe 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -27,7 +27,7 @@
#include <tncifimv.h>
#include <pen/pen.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <library.h>
@@ -51,6 +51,44 @@ struct imv_agent_t {
TNC_RetryReason reason);
/**
+ * Call when an IMV-IMC message is to be sent
+ *
+ * @param imv_id IMV ID assigned by TNCS
+ * @param connection_id network connection ID assigned by TNCS
+ * @param msg message to send
+ * @param msg_len message length in bytes
+ * @param msg_type message type
+ * @return TNC result code
+ */
+ TNC_Result (*send_message)(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_MessageType msg_type);
+
+ /**
+ * Call when an IMV-IMC message is to be sent with long message types
+ *
+ * @param imv_id IMV ID assigned by TNCS
+ * @param connection_id network connection ID assigned by TNCS
+ * @param msg_flags message flags
+ * @param msg message to send
+ * @param msg_len message length in bytes
+ * @param msg_vid message vendor ID
+ * @param msg_subtype message subtype
+ * @param dst_imc_id destination IMC ID
+ * @return TNC result code
+ */
+ TNC_Result (*send_message_long)(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 msg_flags,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 dst_imc_id);
+
+ /**
* Bind TNCS functions
*
* @param bind_function function offered by the TNCS
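Review bot: The comments on the now public `send_message` and `send_message_long` pointers do not say that either may be NULL. `bind_functions` in imv_agent.c sets them to NULL when binding `TNC_TNCS_SendMessage` or `TNC_TNCS_SendMessageLong` fails. Code outside the agent can now call them directly, so each block should carry a line such as `NULL if the TNCS does not offer this function, check before calling`. struct imv_agent_t begins outside this hunk.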
@@ -100,63 +138,18 @@ struct imv_agent_t {
TNC_ConnectionID connection_id, imv_state_t **state);
/**
- * Call when a PA-TNC message is to be sent
+ * Get IMV name
*
- * @param connection_id network connection ID assigned by TNCS
- * @param excl exclusive flag
- * @param src_imv_id IMV ID to be set as source
- * @param dst_imc_id IMD ID to be set as destination
- * @param attr_list list of PA-TNC attributes to send
- * @return TNC result code
+ * return IMV name
*/
- TNC_Result (*send_message)(imv_agent_t *this,
- TNC_ConnectionID connection_id, bool excl,
- TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id,
- linked_list_t *attr_list);
+ const char* (*get_name)(imv_agent_t *this);
/**
- * Call when a PA-TNC message was received
+ * Get base IMV ID
*
- * @param state state for current connection
- * @param msg received unparsed message
- * @param msg_vid message vendorID of the received message
- * @param msg_subtype message subtype of the received message
- * @param src_imc_id source IMC ID
- * @param dst_imv_id destination IMV ID
- * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred
- * @return TNC result code
+ * return base IMV ID
*/
- TNC_Result (*receive_message)(imv_agent_t *this,
- imv_state_t *state, chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imc_id,
- TNC_UInt32 dst_imv_id,
- pa_tnc_msg_t **pa_tnc_msg);
-
- /**
- * Set Action Recommendation and Evaluation Result in the IMV state
- *
- * @param connection_id network connection ID assigned by TNCS
- * @param rec IMV action recommendation
- * @param eval IMV evaluation result
- * @return TNC result code
- */
- TNC_Result (*set_recommendation)(imv_agent_t *this,
- TNC_ConnectionID connection_id,
- TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval);
-
- /**
- * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS
- *
- * @param connection_id network connection ID assigned by TNCS
- * @param dst_imc_id IMD ID to be set as destination
- * @return TNC result code
- */
- TNC_Result (*provide_recommendation)(imv_agent_t *this,
- TNC_ConnectionID connection_id,
- TNC_UInt32 dst_imc_id);
+ TNC_IMVID (*get_id)(imv_agent_t *this);
/**
* Reserve additional IMV IDs from TNCS
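Review bot: The new comments for `get_name` and `get_id` write `return IMV name` and `return base IMV ID` without the `@`, so Doxygen reads them as description text instead of a return tag. They should be `@return IMV name` and `@return base IMV ID`. Going by `.name = name` and `return this->name` in imv_agent.c, `get_name` could also note that the string is the pointer given to `imv_agent_create` and is not copied.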
@@ -179,6 +172,22 @@ struct imv_agent_t {
enumerator_t* (*create_id_enumerator)(imv_agent_t *this);
/**
+ * Create a preferred languages enumerator
+ *
+ * @param state of TNCCS connection
+ */
+ enumerator_t* (*create_language_enumerator)(imv_agent_t *this,
+ imv_state_t *state);
+
+ /**
+ * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS
+ *
+ * @param state state bound to a connection ID
+ * @return TNC result code
+ */
+ TNC_Result (*provide_recommendation)(imv_agent_t *this, imv_state_t* state);
+
+ /**
* Destroys an imv_agent_t object
*/
void (*destroy)(imv_agent_t *this);
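Review bot: The comment for `create_language_enumerator` has no `@return` and does not say what the enumerator yields or how long the values stay valid. In imv_agent.c each `enumerate()` call stores a `char*` that points into a buffer held inside the enumerator, and `destroy()` frees that object, so the strings must not be used after the enumerator is destroyed. Suggested additions: `@return enumerator over char* language tags` and a sentence `returned strings are owned by the enumerator and invalid after destroy()`.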
@@ -188,14 +197,14 @@ struct imv_agent_t {
* Create an imv_agent_t object
*
* @param name name of the IMV
- * @param vendor_id vendor ID of the IMV
- * @param subtype message subtype of the IMV
+ * @param supported_types list of message types registered by the IMV
+ * @param type_count number of registered message types
* @param id ID of the IMV as assigned by the TNCS
* @param actual_version actual version of the IF-IMV API
*
*/
imv_agent_t *imv_agent_create(const char *name,
- pen_t vendor_id, u_int32_t subtype,
+ pen_type_t *supported_types, u_int32_t type_count,
TNC_IMVID id, TNC_Version *actual_version);
#endif /** IMV_AGENT_H_ @}*/
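Review bot: The `@param supported_types` line should state the lifetime of the array. imv_agent.c keeps the caller's pointer as is (`.supported_types = supported_types`) and reads it later in `bind_functions`, with no copy visible in this diff. Something like `@param supported_types list of message types registered by the IMV, not copied, must stay valid for the lifetime of the agent` would make that explicit. This should be confirmed against `destroy`, whose body is not fully shown here.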
diff --git a/src/libimcv/imv/imv_lang_string.c b/src/libimcv/imv/imv_lang_string.c
new file mode 100644
index 000000000..c86fc5cd7
--- /dev/null
+++ b/src/libimcv/imv/imv_lang_string.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_lang_string.h"
+
+#include <utils/debug.h>
+
+/**
+ * Described in header.
+ */
+char* imv_lang_string_select_lang(enumerator_t *language_enumerator,
+ char* languages[], int lang_count)
+{
+ bool match = FALSE;
+ char *lang;
+ int i, i_chosen = 0;
+
+ while (language_enumerator->enumerate(language_enumerator, &lang))
+ {
+ for (i = 0; i < lang_count; i++)
+ {
+ if (streq(lang, languages[i]))
+ {
+ match = TRUE;
+ i_chosen = i;
+ break;
+ }
+ }
+ if (match)
+ {
+ break;
+ }
+ }
+ return languages[i_chosen];
+}
+
+/**
+ * Described in header.
+ */
+char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang)
+{
+ char *string;
+ int i = 0;
+
+ if (!lang_string)
+ {
+ return NULL;
+ }
+
+ string = lang_string[0].string;
+ while (lang_string[i].lang)
+ {
+ if (streq(lang, lang_string[i].lang))
+ {
+ string = lang_string[i].string;
+ break;
+ }
+ i++;
+ }
+ return string;
+}
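Review bot: `imv_lang_string_select_lang` returns `languages[i_chosen]` with `i_chosen` still 0 when nothing matched, which reads `languages[0]` even if `lang_count` is 0. Either guard it with `if (lang_count <= 0) return NULL;` or make "at least one language, first entry is the fallback" an explicit precondition. `imv_lang_string_select_string` reads `lang_string[0].string` and then walks the array until an entry with `lang == NULL`, so an array without that terminator is read past its end. A short comment above the loop, `/* lang_string[] must end with a { NULL, NULL } entry */`, would record the requirement.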
diff --git a/src/libimcv/imv/imv_lang_string.h b/src/libimcv/imv/imv_lang_string.h
new file mode 100644
index 000000000..90a66db76
--- /dev/null
+++ b/src/libimcv/imv/imv_lang_string.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_lang_string_t imv_lang_string
+ * @{ @ingroup imv_lang_string
+ */
+
+#ifndef IMV_LANG_STRING_H_
+#define IMV_LANG_STRING_H_
+
+#include <library.h>
+#include <collections/enumerator.h>
+
+typedef struct imv_lang_string_t imv_lang_string_t;
+
+/**
+ * Define a language string entry
+ */
+struct imv_lang_string_t {
+
+ /**
+ * language code
+ */
+ char *lang;
+
+ /**
+ * UTF-8 string in the corresponding language
+ */
+ char *string;
+
+};
+
+/**
+ * Select the preferred language
+ *
+ * @param language_enumerator enumerator over user preferred languages
+ * @param languages string array of available languages
+ * @param lang_count number of available languages
+ * @return selected language as a language code
+ */
+char* imv_lang_string_select_lang(enumerator_t *language_enumerator,
+ char* languages[], int lang_count);
+
+/**
+ * Select the preferred language string
+ *
+ * @param lang_string multi-lingual array of strings
+ * @param lang language code of preferred language
+ * @return selected string
+ */
+char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang);
+
+#endif /** IMV_LANG_STRING_H_ @}*/
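Review bot: The Doxygen header defines the group as `@defgroup imv_lang_string_t imv_lang_string` and then places it `@ingroup imv_lang_string`, a group this file does not define. The sibling header imc_msg.h uses `@defgroup imc_msg imc_msg` with `@{ @ingroup libimcv`, so presumably `@defgroup imv_lang_string imv_lang_string` and `@{ @ingroup libimcv` were intended. The `@return` of `imv_lang_string_select_string` could also list the cases the implementation handles: the matching string, the first entry's string when `lang` is not found, and NULL when `lang_string` is NULL.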
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
new file mode 100644
index 000000000..4ed19dd13
--- /dev/null
+++ b/src/libimcv/imv/imv_msg.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_msg.h"
+
+#include "ietf/ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+
+#include <tncif_names.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_msg_t private_imv_msg_t;
+
+/**
+ * Private data of a imv_msg_t object.
+ *
+ */
+struct private_imv_msg_t {
+
+ /**
+ * Public imv_msg_t interface.
+ */
+ imv_msg_t public;
+
+ /**
+ * Connection ID
+ */
+ TNC_ConnectionID connection_id;
+
+ /**
+ * source ID
+ */
+ TNC_UInt32 src_id;
+
+ /**
+ * destination ID
+ */
+ TNC_UInt32 dst_id;
+
+ /**
+ * PA-TNC message type
+ */
+ pen_type_t msg_type;
+
+ /**
+ * List of PA-TNC attributes to be sent
+ */
+ linked_list_t *attr_list;
+
+ /**
+ * PA-TNC message
+ */
+ pa_tnc_msg_t *pa_msg;
+
+ /**
+ * Assigned IMV agent
+ */
+ imv_agent_t *agent;
+
+ /**
+ * Assigned IMV state
+ */
+ imv_state_t *state;
+};
+
+METHOD(imv_msg_t, get_src_id, TNC_UInt32,
+ private_imv_msg_t *this)
+{
+ return this->src_id;
+}
+
+METHOD(imv_msg_t, get_dst_id, TNC_UInt32,
+ private_imv_msg_t *this)
+{
+ return this->dst_id;
+}
+
+METHOD(imv_msg_t, set_msg_type, void,
+ private_imv_msg_t *this, pen_type_t msg_type)
+{
+ if (msg_type.vendor_id != this->msg_type.vendor_id ||
+ msg_type.type != this->msg_type.type)
+ {
+ this->msg_type = msg_type;
+ this->dst_id = TNC_IMCID_ANY;
+ }
+}
+
+METHOD(imv_msg_t, add_attribute, void,
+ private_imv_msg_t *this, pa_tnc_attr_t *attr)
+{
+ this->attr_list->insert_last(this->attr_list, attr);
+}
+
+METHOD(imv_msg_t, send_, TNC_Result,
+ private_imv_msg_t *this, bool excl)
+{
+ pa_tnc_msg_t *pa_tnc_msg;
+ pa_tnc_attr_t *attr;
+ TNC_UInt32 msg_flags;
+ TNC_MessageType msg_type;
+ bool attr_added;
+ chunk_t msg;
+ enumerator_t *enumerator;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
+ while (this->attr_list->get_count(this->attr_list))
+ {
+ pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
+ attr_added = FALSE;
+
+ enumerator = this->attr_list->create_enumerator(this->attr_list);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+ {
+ attr_added = TRUE;
+ }
+ else
+ {
+ if (attr_added)
+ {
+ break;
+ }
+ else
+ {
+ DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted");
+ attr->destroy(attr);
+ }
+ }
+ this->attr_list->remove_at(this->attr_list, enumerator);
+ }
+ enumerator->destroy(enumerator);
+
+ /* build and send the PA-TNC message via the IF-IMV interface */
+ if (!pa_tnc_msg->build(pa_tnc_msg))
+ {
+ pa_tnc_msg->destroy(pa_tnc_msg);
+ return TNC_RESULT_FATAL;
+ }
+ msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
+ DBG3(DBG_IMV, "created PA-TNC message: %B", &msg);
+
+ if (this->state->has_long(this->state) && this->agent->send_message_long)
+ {
+ excl = excl && this->state->has_excl(this->state) &&
+ this->dst_id != TNC_IMCID_ANY;
+ msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+ result = this->agent->send_message_long(this->src_id,
+ this->connection_id, msg_flags, msg.ptr, msg.len,
+ this->msg_type.vendor_id, this->msg_type.type,
+ this->dst_id);
+ }
+ else if (this->agent->send_message)
+ {
+ msg_type = (this->msg_type.vendor_id << 8) |
+ (this->msg_type.type & 0x000000ff);
+ result = this->agent->send_message(this->src_id, this->connection_id,
+ msg.ptr, msg.len, msg_type);
+ }
+
+ pa_tnc_msg->destroy(pa_tnc_msg);
+
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ break;
+ }
+ }
+ return result;
+}
+
+METHOD(imv_msg_t, send_assessment, TNC_Result,
+ private_imv_msg_t *this)
+{
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ pa_tnc_attr_t *attr;
+ chunk_t string = chunk_empty;
+ char *lang_code = NULL, *uri = NULL;
+ enumerator_t *e;
+
+ /* Remove any attributes that have already been constructed */
+ while (this->attr_list->remove_last(this->attr_list, (void**)&attr) == SUCCESS)
+ {
+ attr->destroy(attr);
+ }
+
+ /* Send an IETF Assessment Result attribute if enabled */
+ if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result",
+ TRUE))
+ {
+ this->state->get_recommendation(this->state, &rec, &eval);
+ attr = ietf_attr_assess_result_create(eval);
+ add_attribute(this, attr);
+
+ /* Send IETF Remediation Instructions if available */
+ if (eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+ {
+ e = this->agent->create_language_enumerator(this->agent,
+ this->state);
+ if (this->state->get_remediation_instructions(this->state,
+ e, &string, &lang_code, &uri))
+ {
+ if (string.len && lang_code)
+ {
+ attr = ietf_attr_remediation_instr_create_from_string(string,
+ chunk_create(lang_code, strlen(lang_code)));
+ add_attribute(this, attr);
+ }
+ if (uri)
+ {
+ attr = ietf_attr_remediation_instr_create_from_uri(
+ chunk_create(uri, strlen(uri)));
+ add_attribute(this, attr);
+ }
+ }
+ e->destroy(e);
+ }
+
+ /* send PA-TNC message with the excl flag set */
+ return send_(this, TRUE);
+ }
+ return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_msg_t, receive, TNC_Result,
+ private_imv_msg_t *this, bool *fatal_error)
+{
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ chunk_t msg;
+
+ if (this->state->has_long(this->state))
+ {
+ if (this->dst_id != TNC_IMVID_ANY)
+ {
+ DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
+ "from IMC %u to IMV %u",
+ this->agent->get_id(this->agent),
+ this->agent->get_name(this->agent),
+ this->connection_id, this->src_id, this->dst_id);
+ }
+ else
+ {
+ DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
+ "from IMC %u", this->agent->get_id(this->agent),
+ this->agent->get_name(this->agent),
+ this->connection_id, this->src_id);
+ }
+ }
+ else
+ {
+ DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u",
+ this->agent->get_id(this->agent),
+ this->agent->get_name(this->agent),
+ this->connection_id);
+ }
+ msg = this->pa_msg->get_encoding(this->pa_msg);
+ DBG3(DBG_IMV, "%B", &msg);
+
+ switch (this->pa_msg->process(this->pa_msg))
+ {
+ case SUCCESS:
+ break;
+ case VERIFY_ERROR:
+ {
+ imv_msg_t *error_msg;
+ TNC_Result result;
+
+ error_msg = imv_msg_create_as_reply(&this->public);
+
+ /* extract and copy by reference all error attributes */
+ enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ error_msg->add_attribute(error_msg, attr->get_ref(attr));
+ }
+ enumerator->destroy(enumerator);
+
+ /*
+ * send the PA-TNC message containing all error attributes
+ * with the excl flag set
+ */
+ result = error_msg->send(error_msg, TRUE);
+ error_msg->destroy(error_msg);
+ return result;
+ }
+ case FAILED:
+ default:
+ return TNC_RESULT_FATAL;
+ }
+
+ /* preprocess any received IETF standard error attributes */
+ *fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+
+ return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_msg_t, create_attribute_enumerator, enumerator_t*,
+ private_imv_msg_t *this)
+{
+ return this->pa_msg->create_attribute_enumerator(this->pa_msg);
+}
+
+METHOD(imv_msg_t, get_encoding, chunk_t,
+ private_imv_msg_t *this)
+{
+ if (this->pa_msg)
+ {
+ return this->pa_msg->get_encoding(this->pa_msg);
+ }
+ return chunk_empty;
+}
+
+METHOD(imv_msg_t, destroy, void,
+ private_imv_msg_t *this)
+{
+ this->attr_list->destroy_offset(this->attr_list,
+ offsetof(pa_tnc_attr_t, destroy));
+ DESTROY_IF(this->pa_msg);
+ free(this);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create(imv_agent_t *agent, imv_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id, TNC_UInt32 dst_id,
+ pen_type_t msg_type)
+{
+ private_imv_msg_t *this;
+
+ INIT(this,
+ .public = {
+ .get_src_id = _get_src_id,
+ .get_dst_id = _get_dst_id,
+ .set_msg_type = _set_msg_type,
+ .send = _send_,
+ .send_assessment = _send_assessment,
+ .receive = _receive,
+ .add_attribute = _add_attribute,
+ .create_attribute_enumerator = _create_attribute_enumerator,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .connection_id = connection_id,
+ .src_id = src_id,
+ .dst_id = dst_id,
+ .msg_type = msg_type,
+ .attr_list = linked_list_create(),
+ .agent = agent,
+ .state = state,
+ );
+
+ return &this->public;
+}
+
+/**
+ * See header
+ */
+imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg)
+{
+ private_imv_msg_t *in;
+ TNC_UInt32 src_id;
+
+ in = (private_imv_msg_t*)msg;
+ src_id = (in->dst_id != TNC_IMVID_ANY) ?
+ in->dst_id : in->agent->get_id(in->agent);
+
+ return imv_msg_create(in->agent, in->state, in->connection_id, src_id,
+ in->src_id, in->msg_type);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_MessageType msg_type,
+ chunk_t msg)
+{
+ TNC_VendorID msg_vid;
+ TNC_MessageSubtype msg_subtype;
+
+ msg_vid = msg_type >> 8;
+ msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+ return imv_msg_create_from_long_data(agent, state, connection_id,
+ TNC_IMCID_ANY, agent->get_id(agent),
+ msg_vid, msg_subtype, msg);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id,
+ TNC_UInt32 dst_id,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ chunk_t msg)
+{
+ private_imv_msg_t *this;
+
+ this = (private_imv_msg_t*)imv_msg_create(agent, state,
+ connection_id, src_id, dst_id,
+ pen_type_create(msg_vid, msg_subtype));
+ this->pa_msg = pa_tnc_msg_create_from_data(msg);
+
+ return &this->public;
+}
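Review bot: In `receive`, the `VERIFY_ERROR` branch returns whatever `error_msg->send()` returned without writing `*fatal_error`, so when the error reply goes out the caller gets `TNC_RESULT_SUCCESS` for a message that failed verification, together with an output flag that was never set. Setting `*fatal_error = FALSE;` at the top of the function closes the uninitialised read; whether a verification failure should report success at all depends on the callers, which are outside this hunk. `receive` and `create_attribute_enumerator` also dereference `this->pa_msg` unconditionally, although only `imv_msg_create_from_long_data` assigns it and `get_encoding` already guards against NULL, so a matching `if (!this->pa_msg)` check would keep an outbound wrapper from crashing there. In `send_`, if the agent has neither `send_message_long` nor `send_message`, the built message is dropped and `TNC_RESULT_SUCCESS` is returned; a trailing `else { result = TNC_RESULT_FATAL; }` would make that visible.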
diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h
new file mode 100644
index 000000000..b639712e8
--- /dev/null
+++ b/src/libimcv/imv/imv_msg.h
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_msg imv_msg
+ * @{ @ingroup libimcv
+ */
+
+#ifndef IMV_MSG_H_
+#define IMV_MSG_H_
+
+#include <imv/imv_agent.h>
+
+typedef struct imv_msg_t imv_msg_t;
+
+#include <library.h>
+
+/**
+ * Interface for a PA-TNC message handled by an IMV.
+ *
+ */
+struct imv_msg_t {
+
+ /**
+ * Get source ID of PA-TNC message
+ *
+ * @return src ID
+ */
+ TNC_UInt32 (*get_src_id)(imv_msg_t *this);
+
+ /**
+ * Get destination ID of PA-TNC message
+ *
+ * @return destination ID
+ */
+ TNC_UInt32 (*get_dst_id)(imv_msg_t *this);
+
+ /**
+ * Set the type of a PA-TNC message
+ *
+ * @param msg_type message type
+ */
+ void (*set_msg_type)(imv_msg_t *this, pen_type_t msg_type);
+
+ /**
+ * Sends one or multiple PA-TNC messages
+ *
+ * @param excl set the excl message flag if supported
+ * @return TNC result code
+ */
+ TNC_Result (*send)(imv_msg_t *this, bool excl);
+
+ /**
+ * Send a PA-TNC message containing an IETF Assessment Result attribute
+ *
+ * @return TNC result code
+ */
+ TNC_Result (*send_assessment)(imv_msg_t *this);
+
+ /**
+ * Processes a received PA-TNC message
+ *
+ * @param fatal_error TRUE if IMC sent a fatal error message
+ * @return TNC result code
+ */
+ TNC_Result (*receive)(imv_msg_t *this, bool *fatal_error);
+
+ /**
+ * Add a PA-TNC attribute to the send queue
+ *
+ * @param attr PA-TNC attribute to be added
+ */
+ void (*add_attribute)(imv_msg_t *this, pa_tnc_attr_t *attr);
+
+ /**
+ * Enumerator over PA-TNC attributes contained in the PA-TNC message
+ *
+ * @return PA-TNC attribute enumerator
+ */
+ enumerator_t* (*create_attribute_enumerator)(imv_msg_t *this);
+
+ /**
+ * Get the full encoding of an IMV message.
+ *
+ * @return message encoding, internal data
+ */
+ chunk_t (*get_encoding)(imv_msg_t *this);
+
+ /**
+ * Destroys a imv_msg_t object.
+ */
+ void (*destroy)(imv_msg_t *this);
+};
+
+/**
+ * Create a wrapper for an outbound message
+ *
+ * @param agent IMV agent responsible for the message
+ * @param state IMV state for the given connection ID
+ * @param connection_id connection ID
+ * @param src_id source IMV ID
+ * @param dst_id destination IMC ID
+ * @param msg_type PA-TNC message type
+ */
+imv_msg_t* imv_msg_create(imv_agent_t *agent, imv_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id, TNC_UInt32 dst_id,
+ pen_type_t msg_type);
+
+/**
+ * Create a wrapper for an outbound message based on a received message
+ *
+ * @param msg received message the reply is based on
+ */
+imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg);
+
+/**
+ * Create a wrapper around message data received via the legacy IF-IMV interface
+ *
+ * @param agent IMV agent responsible for the message
+ * @param state IMV state for the given connection ID
+ * @param connection_id connection ID
+ * @param msg_type PA-TNC message type
+ * @param msg received PA-TNC message blob
+ */
+imv_msg_t* imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_MessageType msg_type,
+ chunk_t msg);
+
+/**
+ * Create a wrapper around message data received via the long IF-IMV interface
+ *
+ * @param agent IMV agent responsible for the message
+ * @param state IMV state for the given connection ID
+ * @param connection_id connection ID
+ * @param src_id source IMC ID
+ * @param dst_id destination IMV ID
+ * @param msg_flags PA-TNC message flags
+ * @param msg_vid PA-TNC message vendor ID
+ * @param msg_subtype PA-TNC subtype
+ * @param msg received PA-TNC message blob
+ */
+imv_msg_t* imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 src_id, TNC_UInt32 dst_id,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ chunk_t msg);
+
+#endif /** IMV_MSG_H_ @}*/
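Review bot: The doc block for `imv_msg_create_from_long_data` lists `@param msg_flags`, but the prototype has no such parameter, so that line should be dropped. The comment on `receive` should say that `fatal_error` is only written when the message was processed successfully, because the implementation in imv_msg.c returns early on the verification-error and failure paths. None of the four constructors has a `@return` line; `@return imv_msg_t object` on each would match the rest of the interface.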
diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c
new file mode 100644
index 000000000..18eade01b
--- /dev/null
+++ b/src/libimcv/imv/imv_reason_string.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_reason_string.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_reason_string_t private_imv_reason_string_t;
+
+/**
+ * Private data of an imv_reason_string_t object.
+ */
+struct private_imv_reason_string_t {
+
+ /**
+ * Public members of imv_reason_string_t
+ */
+ imv_reason_string_t public;
+
+ /**
+ * Preferred language
+ */
+ char *lang;
+
+ /**
+ * Contains the concatenated reasons
+ */
+ chunk_t reasons;
+
+};
+
+METHOD(imv_reason_string_t, add_reason, void,
+ private_imv_reason_string_t *this, imv_lang_string_t reason[])
+{
+ char *s_reason;
+
+ s_reason = imv_lang_string_select_string(reason, this->lang);
+
+ if (this->reasons.len)
+ {
+ /* append any further reasons */
+ this->reasons = chunk_cat("cm", this->reasons, chunk_from_chars('\n'),
+ chunk_create(s_reason, strlen(s_reason)));
+ }
+ else
+ {
+ /* add the first reason */
+ this->reasons = chunk_clone(chunk_create(s_reason, strlen(s_reason)));
+ }
+}
+
+METHOD(imv_reason_string_t, get_encoding, chunk_t,
+ private_imv_reason_string_t *this)
+{
+ return this->reasons;
+}
+
+METHOD(imv_reason_string_t, destroy, void,
+ private_imv_reason_string_t *this)
+{
+ free(this->reasons.ptr);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_reason_string_t *imv_reason_string_create(char *lang)
+{
+ private_imv_reason_string_t *this;
+
+ INIT(this,
+ .public = {
+ .add_reason = _add_reason,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .lang = lang,
+ );
+
+ return &this->public;
+}
+
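Review bot: The `chunk_cat("cm", ...)` call in `add_reason` passes three chunks with a two-character mode string, whereas the other calls in this commit (`"mm"` with two chunks and `"cmc"` with three, both in imv_remediation_string.c) use one character per chunk. If the mode characters mean copy and move-and-free as those calls suggest, the old `this->reasons` buffer is copied but never freed, the `chunk_from_chars('\n')` literal is handed to `free()`, and the new reason text is not appended at all. I would write the mode as `"mcc"`. `s_reason` is also passed to `strlen()` without a NULL check, while `add_instruction` does test the result of `imv_lang_string_select_string` for the items header; a guard such as `if (!s_reason) { return; }` is worth adding if NULL is a possible return.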
diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h
new file mode 100644
index 000000000..320b2476a
--- /dev/null
+++ b/src/libimcv/imv/imv_reason_string.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_reason_string_t imv_reason_string
+ * @{ @ingroup imv_reason_string
+ */
+
+#ifndef IMV_REASON_STRING_H_
+#define IMV_REASON_STRING_H_
+
+#include "imv_lang_string.h"
+
+#include <library.h>
+#include <collections/linked_list.h>
+
+typedef struct imv_reason_string_t imv_reason_string_t;
+
+/**
+ * Defines and builds a TNC Reason String
+ */
+struct imv_reason_string_t {
+
+ /**
+ * Add an individual remediation instruction to the string
+ *
+ * @param reason Multi-lingual reason string
+ */
+ void (*add_reason)(imv_reason_string_t *this, imv_lang_string_t reason[]);
+
+ /**
+ * Gets encoding of the reason string
+ *
+ * @return TNC reason string
+ */
+ chunk_t (*get_encoding)(imv_reason_string_t *this);
+
+ /**
+ * Destroys an imv_reason_string_t object
+ */
+ void (*destroy)(imv_reason_string_t *this);
+};
+
+/**
+ * Creates an Reason String object
+ *
+ * @param lang Preferred language
+ */
+ imv_reason_string_t* imv_reason_string_create(char *lang);
+
+#endif /** IMV_REASON_STRING_H_ @}*/
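Review bot: The comment on `add_reason` reads "Add an individual remediation instruction to the string", which looks copied from imv_remediation_string.h; it should say `Add an individual reason to the string`. The `lang` argument of `imv_reason_string_create` is stored as a bare pointer by the implementation (`.lang = lang`), so the header should state that the caller keeps it valid for the object's lifetime, e.g. `@param lang Preferred language, not copied - must outlive the object`; the same applies to `imv_remediation_string_create`. "Creates an Reason String object" should read "Creates a Reason String object".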
diff --git a/src/libimcv/imv/imv_remediation_string.c b/src/libimcv/imv/imv_remediation_string.c
new file mode 100644
index 000000000..af82e1cdd
--- /dev/null
+++ b/src/libimcv/imv/imv_remediation_string.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_remediation_string.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_remediation_string_t private_imv_remediation_string_t;
+
+/**
+ * Private data of an imv_remediation_string_t object.
+ */
+struct private_imv_remediation_string_t {
+
+ /**
+ * Public members of imv_remediation_string_t
+ */
+ imv_remediation_string_t public;
+
+ /**
+ * XML or plaintext encoding
+ */
+ bool as_xml;
+
+ /**
+ * Preferred language
+ */
+ char *lang;
+
+ /**
+ * Contains the concatenated remediation instructions
+ */
+ chunk_t instructions;
+
+};
+
+METHOD(imv_remediation_string_t, add_instruction, void,
+ private_imv_remediation_string_t *this, imv_lang_string_t title[],
+ imv_lang_string_t description[], imv_lang_string_t itemsheader[],
+ linked_list_t *item_list)
+{
+ char xml_format[] = " <instruction>\n"
+ " <title>%s</title>\n"
+ " <description>%s</description>\n"
+ "%s%s"
+ " </instruction>\n";
+ char *instruction, *format, *item, *pos, *header, *items;
+ char *s_title, *s_description, *s_itemsheader;
+ size_t len;
+
+ s_title = imv_lang_string_select_string(title, this->lang);
+ s_description = imv_lang_string_select_string(description, this->lang);
+ s_itemsheader = imv_lang_string_select_string(itemsheader, this->lang);
+ header = NULL;
+ items = NULL;
+
+ if (s_itemsheader)
+ {
+ int header_len = strlen(s_itemsheader);
+ char *header_format;
+
+ if (this->as_xml)
+ {
+ header_format = " <itemsheader>%s</itemsheader>\n";
+ header_len += strlen(header_format) - 2;
+ }
+ else
+ {
+ header_format = "\n %s";
+ header_len += 3;
+ }
+ header = malloc(header_len + 1);
+ sprintf(header, header_format, s_itemsheader);
+ }
+
+ if (item_list && item_list->get_count(item_list))
+ {
+ enumerator_t *enumerator;
+ int items_len = 0;
+
+ /* compute total length of all items */
+ enumerator = item_list->create_enumerator(item_list);
+ while (enumerator->enumerate(enumerator, &item))
+ {
+ items_len += strlen(item);
+ }
+ enumerator->destroy(enumerator);
+
+ if (this->as_xml)
+ {
+ items_len += 12 + 20 * item_list->get_count(item_list) + 13;
+
+ pos = items = malloc(items_len + 1);
+ pos += sprintf(pos, " <items>\n");
+
+ enumerator = item_list->create_enumerator(item_list);
+ while (enumerator->enumerate(enumerator, &item))
+ {
+ pos += sprintf(pos, " <item>%s</item>\n", item);
+ }
+ enumerator->destroy(enumerator);
+
+ pos += sprintf(pos, " </items>\n");
+ }
+ else
+ {
+ items_len += 5 * item_list->get_count(item_list);
+
+ pos = items = malloc(items_len + 1);
+
+ enumerator = item_list->create_enumerator(item_list);
+ while (enumerator->enumerate(enumerator, &item))
+ {
+ pos += sprintf(pos, "\n %s", item);
+ }
+ enumerator->destroy(enumerator);
+ }
+ }
+
+ len = strlen(s_title) + strlen(s_description);
+ if (header)
+ {
+ len += strlen(header);
+ }
+ if (items)
+ {
+ len += strlen(items);
+ }
+
+ if (this->as_xml)
+ {
+ format = xml_format;
+ len += strlen(xml_format) - 8;
+ }
+ else
+ {
+ format = this->instructions.len ? "\n%s\n %s%s%s" : "%s\n %s%s%s";
+ len += 4;
+ }
+ instruction = malloc(len + 1);
+ sprintf(instruction, format, s_title, s_description, header ? header : "",
+ items ? items : "");
+ free(header);
+ free(items);
+ this->instructions = chunk_cat("mm", this->instructions,
+ chunk_create(instruction, strlen(instruction)));
+}
+
+METHOD(imv_remediation_string_t, get_encoding, chunk_t,
+ private_imv_remediation_string_t *this)
+{
+ char xml_header[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+ "<remediationinstructions>\n";
+ char xml_trailer[] = "</remediationinstructions>";
+
+ if (!this->instructions.len)
+ {
+ return chunk_empty;
+ }
+ if (this->as_xml)
+ {
+ this->instructions = chunk_cat("cmc",
+ chunk_create(xml_header, strlen(xml_header)),
+ this->instructions,
+ chunk_create(xml_trailer, strlen(xml_trailer))
+ );
+ }
+ return this->instructions;
+}
+
+METHOD(imv_remediation_string_t, destroy, void,
+ private_imv_remediation_string_t *this)
+{
+ free(this->instructions.ptr);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_remediation_string_t *imv_remediation_string_create(bool as_xml, char *lang)
+{
+ private_imv_remediation_string_t *this;
+
+ INIT(this,
+ .public = {
+ .add_instruction = _add_instruction,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .as_xml = as_xml,
+ .lang = lang,
+ );
+
+ return &this->public;
+}
+
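Review bot: `add_instruction` sizes every buffer from hand-counted literals (`12 + 20 * count + 13`, `5 * count`, `strlen(xml_format) - 8`, `+ 4`) and then fills it with unbounded `sprintf`, so any later edit to one of the format strings becomes a heap overflow with nothing to catch it. I would keep the computed size in a variable and write through `snprintf(pos, size - (pos - items), ...)`, and check each `malloc` result before use. `s_title` and `s_description` go to `strlen()` unchecked although `s_itemsheader` from the same helper is tested for NULL. In XML mode the title, description, header and item text are inserted without escaping angle brackets and ampersands; if any item text originates from values reported by the peer this yields malformed or altered markup, so escaping belongs here. `get_encoding` prepends the XML header and trailer to `this->instructions` on every call, so a second call wraps the document twice; building the wrapped chunk once, or documenting single use, would avoid that.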
diff --git a/src/libimcv/imv/imv_remediation_string.h b/src/libimcv/imv/imv_remediation_string.h
new file mode 100644
index 000000000..9249c2aab
--- /dev/null
+++ b/src/libimcv/imv/imv_remediation_string.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_remediation_string_t imv_remediation_string
+ * @{ @ingroup imv_remediation_string
+ */
+
+#ifndef IMV_REMEDIATION_STRING_H_
+#define IMV_REMEDIATION_STRING_H_
+
+#include "imv_lang_string.h"
+
+#include <library.h>
+#include <collections/linked_list.h>
+
+typedef struct imv_remediation_string_t imv_remediation_string_t;
+
+/**
+ * Defines and builds an IETF Remediation Instructions String
+ */
+struct imv_remediation_string_t {
+
+ /**
+ * Add an individual remediation instruction to the string
+ *
+ * @param title instruction title
+ * @param description instruction description
+ * @param itemsheader optional items header or NULL
+ * @param items optional items list or NULL
+ */
+ void (*add_instruction)(imv_remediation_string_t *this,
+ imv_lang_string_t title[],
+ imv_lang_string_t description[],
+ imv_lang_string_t itemsheader[],
+ linked_list_t *items);
+
+ /**
+ * Gets the plaintext or XML encoding of the remediation instructions
+ *
+ * @return remediation instructions string
+ */
+ chunk_t (*get_encoding)(imv_remediation_string_t *this);
+
+ /**
+ * Destroys an imv_remediation_string_t object
+ */
+ void (*destroy)(imv_remediation_string_t *this);
+};
+
+/**
+ * Creates an IETF Remediation Instructions String object
+ *
+ * @param as_xml XML encoding if TRUE, plaintext otherwise
+ * @param lang Preferred language
+ */
+ imv_remediation_string_t* imv_remediation_string_create(bool as_xml, char *lang);
+
+#endif /** IMV_REMEDIATION_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h
index 1b0845b84..f40402e2b 100644
--- a/src/libimcv/imv/imv_state.h
+++ b/src/libimcv/imv/imv_state.h
@@ -109,13 +109,28 @@ struct imv_state_t {
/**
* Get reason string based on the preferred language
*
- * @param preferred_language preferred language
+ * @param language_enumerator language enumerator
* @param reason_string reason string
- * @param language code language of the returned reason string
+ * @param reason_language language of the returned reason string
* @return TRUE if a reason string was found
*/
- bool (*get_reason_string)(imv_state_t *this, chunk_t preferred_language,
- chunk_t *reason_string, chunk_t *language_code);
+ bool (*get_reason_string)(imv_state_t *this,
+ enumerator_t *language_enumerator,
+ chunk_t *reason_string, char **reason_language);
+
+ /**
+ * Get remediation instructions based on the preferred language
+ *
+ * @param language_enumerator language enumerator
+ * @param string remediation instruction string
+ * @param lang_code language of the remediation instructions
+ * @param uri remediation URI
+ * @return TRUE if remediation instructions were found
+ */
+ bool (*get_remediation_instructions)(imv_state_t *this,
+ enumerator_t *language_enumerator,
+ chunk_t *string, char **lang_code,
+ char **uri);
/**
* Destroys an imv_state_t object
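Review bot: The new `get_remediation_instructions` comment does not say who owns the values written to `string`, `lang_code` and `uri`, and the same is true for `reason_string` and `reason_language` on the changed `get_reason_string`. The caller added in imv_msg.c (`send_assessment`) wraps them with `chunk_create()` and never frees them, which is only correct if they point to internal data of the state object. I would add that to each `@param`, for example `@param uri remediation URI or NULL, internal data`, and also state which outputs may be left unset when TRUE is returned, since the caller checks `string.len`, `lang_code` and `uri` individually. The `imv_state_t` definition begins and ends outside this hunk.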
diff --git a/src/libimcv/ita/ita_attr.c b/src/libimcv/ita/ita_attr.c
index 0ea799c3a..09754aed6 100644
--- a/src/libimcv/ita/ita_attr.c
+++ b/src/libimcv/ita/ita_attr.c
@@ -16,10 +16,17 @@
#include "ita_attr.h"
#include "ita/ita_attr_command.h"
#include "ita/ita_attr_dummy.h"
+#include "ita/ita_attr_get_settings.h"
+#include "ita/ita_attr_settings.h"
+#include "ita/ita_attr_angel.h"
-ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_DUMMY,
+ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_STOP_ANGEL,
"Command",
"Dummy",
+ "Get Settings",
+ "Settings",
+ "Start Angel",
+ "Stop Angel"
);
/**
@@ -33,6 +40,14 @@ pa_tnc_attr_t* ita_attr_create_from_data(u_int32_t type, chunk_t value)
return ita_attr_command_create_from_data(value);
case ITA_ATTR_DUMMY:
return ita_attr_dummy_create_from_data(value);
+ case ITA_ATTR_GET_SETTINGS:
+ return ita_attr_get_settings_create_from_data(value);
+ case ITA_ATTR_SETTINGS:
+ return ita_attr_settings_create_from_data(value);
+ case ITA_ATTR_START_ANGEL:
+ return ita_attr_angel_create_from_data(TRUE, value);
+ case ITA_ATTR_STOP_ANGEL:
+ return ita_attr_angel_create_from_data(FALSE, value);
default:
return NULL;
}
diff --git a/src/libimcv/ita/ita_attr.h b/src/libimcv/ita/ita_attr.h
index 3baf0e3b8..d7b06146f 100644
--- a/src/libimcv/ita/ita_attr.h
+++ b/src/libimcv/ita/ita_attr.h
@@ -33,6 +33,10 @@ typedef enum ita_attr_t ita_attr_t;
enum ita_attr_t {
ITA_ATTR_COMMAND = 1,
ITA_ATTR_DUMMY = 2,
+ ITA_ATTR_GET_SETTINGS = 3,
+ ITA_ATTR_SETTINGS = 4,
+ ITA_ATTR_START_ANGEL = 5,
+ ITA_ATTR_STOP_ANGEL = 6
};
/**
diff --git a/src/libimcv/ita/ita_attr_angel.c b/src/libimcv/ita/ita_attr_angel.c
new file mode 100644
index 000000000..0e9cff0a9
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_angel.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_angel.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_ita_attr_angel_t private_ita_attr_angel_t;
+
+/**
+ * Private data of an ita_attr_angel_t object.
+ */
+struct private_ita_attr_angel_t {
+
+ /**
+ * Public members of ita_attr_angel_t
+ */
+ ita_attr_angel_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ita_attr_angel_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ita_attr_angel_t *this)
+{
+ return chunk_empty;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ita_attr_angel_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ita_attr_angel_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ita_attr_angel_t *this)
+{
+ /* nothing to build */
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ita_attr_angel_t *this, u_int32_t *offset)
+{
+ return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ita_attr_angel_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ita_attr_angel_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this);
+ }
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_angel_create(bool start)
+{
+ private_ita_attr_angel_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ },
+ .type = { PEN_ITA, start ? ITA_ATTR_START_ANGEL : ITA_ATTR_STOP_ANGEL },
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_angel_create_from_data(bool start, chunk_t data)
+{
+ private_ita_attr_angel_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ },
+ .type = { PEN_ITA, start ? ITA_ATTR_START_ANGEL : ITA_ATTR_STOP_ANGEL },
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+
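Review bot: `ita_attr_angel_create_from_data` never looks at `data` and `process` returns `SUCCESS` unconditionally, so a Start/Stop Angel attribute received with an arbitrary payload is accepted as valid. If the attribute is defined as having an empty value, `process` is the place to check that; it would need the received chunk kept in the object, which the struct currently has no field for. The two constructors are otherwise identical, so `ita_attr_angel_create_from_data` could reduce to `return ita_attr_angel_create(start);` until parsing is added. The includes of `bio/bio_reader.h`, `bio/bio_writer.h` and `collections/linked_list.h` are not used by anything in this file.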
diff --git a/src/libimcv/ita/ita_attr_angel.h b/src/libimcv/ita/ita_attr_angel.h
new file mode 100644
index 000000000..c392f7927
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_angel.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_angelt ita_attr_angel
+ * @{ @ingroup ita_attr_angel
+ */
+
+#ifndef ITA_ATTR_ANGEL_H_
+#define ITA_ATTR_ANGEL_H_
+
+typedef struct ita_attr_angel_t ita_attr_angel_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Start/Stop Angel PA-TNC attribute.
+ *
+ */
+struct ita_attr_angel_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+};
+
+/**
+ * Creates an ita_attr_angel_t object with an empty settings list
+ *
+ * @param start TRUE for Start, FALSE for Stop Angel attribute
+ */
+pa_tnc_attr_t* ita_attr_angel_create(bool start);
+
+/**
+ * Creates an ita_attr_angel_t object from received data
+ *
+ * @param start TRUE for Start, FALSE for Stop Angel attribute
+ * @param value binary value blob
+ */
+pa_tnc_attr_t* ita_attr_angel_create_from_data(bool start, chunk_t value);
+
+#endif /** ITA_ATTR_ANGEL_H_ @}*/
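Review bot: The doc comment on `ita_attr_angel_create()` says the object is created "with an empty settings list", which looks copied from the settings attributes; this attribute has no list, so the line should read `Creates an ita_attr_angel_t object`. The `@param value` text on `ita_attr_angel_create_from_data()` should also state that the blob is currently ignored, because the definition in ita_attr_angel.c initialises neither a value nor anything else from `data`. The header names that parameter `value` while the definition names it `data`; using one name in both places avoids confusion.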
diff --git a/src/libimcv/ita/ita_attr_command.c b/src/libimcv/ita/ita_attr_command.c
index d43e4777b..f32ab2bfe 100644
--- a/src/libimcv/ita/ita_attr_command.c
+++ b/src/libimcv/ita/ita_attr_command.c
@@ -17,8 +17,9 @@
#include "ita_attr_command.h"
#include <pen/pen.h>
+#include <utils/debug.h>
-#include <debug.h>
+#include <string.h>
typedef struct private_ita_attr_command_t private_ita_attr_command_t;
@@ -96,11 +97,9 @@ METHOD(pa_tnc_attr_t, build, void,
METHOD(pa_tnc_attr_t, process, status_t,
private_ita_attr_command_t *this, u_int32_t *offset)
{
- this->command = malloc(this->value.len + 1);
- memcpy(this->command, this->value.ptr, this->value.len);
- this->command[this->value.len] = '\0';
+ this->command = strndup(this->value.ptr, this->value.len);
- return SUCCESS;
+ return SUCCESS;
}
METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
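Review bot: The `strndup()` result in `process()` is stored without a check and SUCCESS is returned unconditionally, so an allocation failure leaves `this->command` NULL for whichever caller reads it next. `strndup()` also stops at the first NUL byte, so a received value with an embedded NUL is silently shortened instead of rejected; for what is presumably a peer-supplied command string I would fail explicitly, with `if (memchr(this->value.ptr, '\0', this->value.len)) { *offset = 0; return FAILED; }` before the copy and `if (!this->command) { return FAILED; }` after it. The same unchecked `strndup()` pattern appears in `process()` of the new ita_attr_get_settings.c and ita_attr_settings.c.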
@@ -168,6 +167,8 @@ pa_tnc_attr_t *ita_attr_command_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
diff --git a/src/libimcv/ita/ita_attr_dummy.c b/src/libimcv/ita/ita_attr_dummy.c
index f122256a1..6497d4645 100644
--- a/src/libimcv/ita/ita_attr_dummy.c
+++ b/src/libimcv/ita/ita_attr_dummy.c
@@ -18,7 +18,7 @@
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ita_attr_dummy_t private_ita_attr_dummy_t;
@@ -98,7 +98,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
{
this->size = this->value.len;
- return SUCCESS;
+ return SUCCESS;
}
METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -165,6 +165,8 @@ pa_tnc_attr_t *ita_attr_dummy_create_from_data(chunk_t data)
.pa_tnc_attribute = {
.get_type = _get_type,
.get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
.build = _build,
.process = _process,
.get_ref = _get_ref,
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
new file mode 100644
index 000000000..8016b761d
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_get_settings.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_ita_attr_get_settings_t private_ita_attr_get_settings_t;
+
+/**
+ * ITA Get Settings
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Settings Count |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Name Length | Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Name Length | Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ...........................
+ */
+
+#define ITA_GET_SETTINGS_MIN_SIZE 4
+
+/**
+ * Private data of an ita_attr_get_settings_t object.
+ */
+struct private_ita_attr_get_settings_t {
+
+ /**
+ * Public members of ita_attr_get_settings_t
+ */
+ ita_attr_get_settings_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * List of requested settings
+ */
+ linked_list_t *list;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ita_attr_get_settings_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ita_attr_get_settings_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ita_attr_get_settings_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ita_attr_get_settings_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ita_attr_get_settings_t *this)
+{
+ bio_writer_t *writer;
+ enumerator_t *enumerator;
+ char *name;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+ writer = bio_writer_create(ITA_GET_SETTINGS_MIN_SIZE);
+ writer->write_uint32(writer, this->list->get_count(this->list));
+
+ enumerator = this->list->create_enumerator(this->list);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ writer->write_data16(writer, chunk_create(name, strlen(name)));
+ }
+ enumerator->destroy(enumerator);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ita_attr_get_settings_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ u_int32_t count;
+ chunk_t name;
+ status_t status = FAILED;
+
+ if (this->value.len < ITA_GET_SETTINGS_MIN_SIZE)
+ {
+ DBG1(DBG_TNC, "insufficient data for ITA Get Settings attribute");
+ *offset = 0;
+ return FAILED;
+ }
+
+ reader = bio_reader_create(this->value);
+ reader->read_uint32(reader, &count);
+
+ *offset = ITA_GET_SETTINGS_MIN_SIZE;
+
+ while (count--)
+ {
+ if (!reader->read_data16(reader, &name))
+ {
+ DBG1(DBG_TNC, "insufficient data for setting name");
+ goto end;
+ }
+ *offset += 2 + name.len;
+
+ this->list->insert_last(this->list, strndup(name.ptr, name.len));
+ }
+ status = SUCCESS;
+
+end:
+ reader->destroy(reader);
+ return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ita_attr_get_settings_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ita_attr_get_settings_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ this->list->destroy_function(this->list, free);
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ita_attr_get_settings_t, add, void,
+ private_ita_attr_get_settings_t *this, char *name)
+{
+ this->list->insert_last(this->list, strdup(name));
+}
+
+METHOD(ita_attr_get_settings_t, create_enumerator, enumerator_t*,
+ private_ita_attr_get_settings_t *this)
+{
+ return this->list->create_enumerator(this->list);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_get_settings_create(void)
+{
+ private_ita_attr_get_settings_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .add = _add,
+ .create_enumerator = _create_enumerator,
+ },
+ .type = { PEN_ITA, ITA_ATTR_GET_SETTINGS },
+ .list = linked_list_create(),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_get_settings_create_from_data(chunk_t data)
+{
+ private_ita_attr_get_settings_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .add = _add,
+ .create_enumerator = _create_enumerator,
+ },
+ .type = { PEN_ITA, ITA_ATTR_GET_SETTINGS },
+ .value = chunk_clone(data),
+ .list = linked_list_create(),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+
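Review bot: `add()` stores any `char *name` and `build()` later writes it with `write_data16(writer, chunk_create(name, strlen(name)))`, but the wire format drawn at the top of the file gives Name Length only 16 bits. A name of 65536 bytes or more would not fit that field, and the receiving `process()` would then mis-frame the rest of the attribute (assuming `write_data16` does not itself reject oversized chunks, which is not visible here). I would guard in `add()`, for example `if (strlen(name) > 0xffff) { DBG1(DBG_TNC, "setting name too long"); return; }`. The same applies to the name and value written by `build()` in ita_attr_settings.c.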
diff --git a/src/libimcv/ita/ita_attr_get_settings.h b/src/libimcv/ita/ita_attr_get_settings.h
new file mode 100644
index 000000000..cc5c18140
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_get_settings.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_get_settingst ita_attr_get_settings
+ * @{ @ingroup ita_attr_get_settings
+ */
+
+#ifndef ITA_ATTR_GET_SETTINGS_H_
+#define ITA_ATTR_GET_SETTINGS_H_
+
+typedef struct ita_attr_get_settings_t ita_attr_get_settings_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Get Settings PA-TNC attribute.
+ *
+ */
+struct ita_attr_get_settings_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Add a setting request to the list
+ *
+ * @param name name of the requested setting
+ */
+ void (*add)(ita_attr_get_settings_t *this, char *name);
+
+ /**
+ * Return an enumerator over all requested settings
+ *
+ * @return enumerator returns char *name
+ */
+ enumerator_t* (*create_enumerator)(ita_attr_get_settings_t *this);
+};
+
+/**
+ * Creates an ita_attr_get_settings_t object with an empty settings list
+ */
+pa_tnc_attr_t* ita_attr_get_settings_create(void);
+
+/**
+ * Creates an ita_attr_get_settings_t object from received data
+ *
+ * @param value binary value blob
+ */
+pa_tnc_attr_t* ita_attr_get_settings_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_GET_SETTINGS_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c
new file mode 100644
index 000000000..7941cf69e
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_settings.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_settings.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_ita_attr_settings_t private_ita_attr_settings_t;
+typedef struct entry_t entry_t;
+
+/**
+ * Contains a settins name/value pair
+ */
+struct entry_t {
+ char *name;
+ chunk_t value;
+};
+
+/**
+ * Free an entry_t object
+ */
+static void free_entry(entry_t *this)
+{
+ free(this->name);
+ free(this->value.ptr);
+ free(this);
+}
+
+/**
+ * ITA Settings
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Settings Count |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Name Length | Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Value Length | Value (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Value (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Name Length | Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Name (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Value Length | Value (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Value (Variable Length) ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ...........................
+ */
+
+#define ITA_SETTINGS_MIN_SIZE 4
+
+/**
+ * Private data of an ita_attr_settings_t object.
+ */
+struct private_ita_attr_settings_t {
+
+ /**
+ * Public members of ita_attr_settings_t
+ */
+ ita_attr_settings_t public;
+
+ /**
+ * Vendor-specific attribute type
+ */
+ pen_type_t type;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * Noskip flag
+ */
+ bool noskip_flag;
+
+ /**
+ * List of settings
+ */
+ linked_list_t *list;
+
+ /**
+ * Reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+ private_ita_attr_settings_t *this)
+{
+ return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+ private_ita_attr_settings_t *this)
+{
+ return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+ private_ita_attr_settings_t *this)
+{
+ return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+ private_ita_attr_settings_t *this, bool noskip)
+{
+ this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+ private_ita_attr_settings_t *this)
+{
+ bio_writer_t *writer;
+ enumerator_t *enumerator;
+ entry_t *entry;
+
+ if (this->value.ptr)
+ {
+ return;
+ }
+ writer = bio_writer_create(ITA_SETTINGS_MIN_SIZE);
+ writer->write_uint32(writer, this->list->get_count(this->list));
+
+ enumerator = this->list->create_enumerator(this->list);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ writer->write_data16(writer, chunk_create(entry->name,
+ strlen(entry->name)));
+ writer->write_data16(writer, entry->value);
+ }
+ enumerator->destroy(enumerator);
+
+ this->value = chunk_clone(writer->get_buf(writer));
+ writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+ private_ita_attr_settings_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+ u_int32_t count;
+ chunk_t name, value;
+ entry_t *entry;
+ status_t status = FAILED;
+
+ if (this->value.len < ITA_SETTINGS_MIN_SIZE)
+ {
+ DBG1(DBG_TNC, "insufficient data for ITA Settings attribute");
+ *offset = 0;
+ return FAILED;
+ }
+
+ reader = bio_reader_create(this->value);
+ reader->read_uint32(reader, &count);
+
+ *offset = ITA_SETTINGS_MIN_SIZE;
+
+ while (count--)
+ {
+ if (!reader->read_data16(reader, &name))
+ {
+ DBG1(DBG_TNC, "insufficient data for setting name");
+ goto end;
+ }
+ *offset += 2 + name.len;
+
+ if (!reader->read_data16(reader, &value))
+ {
+ DBG1(DBG_TNC, "insufficient data for setting value");
+ goto end;
+ }
+ *offset += 2 + value.len;
+
+ /* remove a terminating newline character */
+ if (value.len && value.ptr[value.len - 1] == '\n')
+ {
+ value.len--;
+ }
+ entry = malloc_thing(entry_t);
+ entry->name = strndup(name.ptr, name.len);
+ entry->value = chunk_clone(value);
+ this->list->insert_last(this->list, entry);
+ }
+ status = SUCCESS;
+
+end:
+ reader->destroy(reader);
+ return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+ private_ita_attr_settings_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+ private_ita_attr_settings_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ this->list->destroy_function(this->list, (void*)free_entry);
+ free(this->value.ptr);
+ free(this);
+ }
+}
+
+METHOD(ita_attr_settings_t, add, void,
+ private_ita_attr_settings_t *this, char *name, chunk_t value)
+{
+ entry_t *entry;
+
+ entry = malloc_thing(entry_t);
+ entry->name = strdup(name);
+ entry->value = chunk_clone(value);
+ this->list->insert_last(this->list, entry);
+}
+
+/**
+ * Enumerate name/value pairs
+ */
+static bool entry_filter(void *null, entry_t **entry, char **name,
+ void *i2, chunk_t *value)
+{
+ *name = (*entry)->name;
+ *value = (*entry)->value;
+ return TRUE;
+}
+
+METHOD(ita_attr_settings_t, create_enumerator, enumerator_t*,
+ private_ita_attr_settings_t *this)
+{
+ return enumerator_create_filter(this->list->create_enumerator(this->list),
+ (void*)entry_filter, NULL, NULL);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_settings_create(void)
+{
+ private_ita_attr_settings_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .add = _add,
+ .create_enumerator = _create_enumerator,
+ },
+ .type = { PEN_ITA, ITA_ATTR_SETTINGS },
+ .list = linked_list_create(),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_settings_create_from_data(chunk_t data)
+{
+ private_ita_attr_settings_t *this;
+
+ INIT(this,
+ .public = {
+ .pa_tnc_attribute = {
+ .get_type = _get_type,
+ .get_value = _get_value,
+ .get_noskip_flag = _get_noskip_flag,
+ .set_noskip_flag = _set_noskip_flag,
+ .build = _build,
+ .process = _process,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .add = _add,
+ .create_enumerator = _create_enumerator,
+ },
+ .type = { PEN_ITA, ITA_ATTR_SETTINGS },
+ .value = chunk_clone(data),
+ .list = linked_list_create(),
+ .ref = 1,
+ );
+
+ return &this->public.pa_tnc_attribute;
+}
+
+
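Review bot: `entry_filter()` hands callers the entry's own `name` pointer and `value` chunk rather than copies, and `destroy()` frees both through `free_entry()`, but nothing documents that lifetime. I would extend the comment above `entry_filter()` to say so, e.g. `Enumerate name/value pairs; both point into the attribute and are valid only until it is destroyed`. It should also say that `value` is a length-delimited chunk produced by `chunk_clone()`, so consumers must not treat `value.ptr` as a NUL-terminated string. The comment on `entry_t` has a typo: `settins` should be `settings`.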
diff --git a/src/libimcv/ita/ita_attr_settings.h b/src/libimcv/ita/ita_attr_settings.h
new file mode 100644
index 000000000..f3d1fd438
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_settings.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_settingst ita_attr_settings
+ * @{ @ingroup ita_attr_settings
+ */
+
+#ifndef ITA_ATTR_SETTINGS_H_
+#define ITA_ATTR_SETTINGS_H_
+
+typedef struct ita_attr_settings_t ita_attr_settings_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Settings PA-TNC attribute.
+ *
+ */
+struct ita_attr_settings_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Add a setting to the list
+ *
+ * @param name name of the setting
+ * @param value value of the setting
+ */
+ void (*add)(ita_attr_settings_t *this, char *name, chunk_t value);
+
+ /**
+ * Return an enumerator over all name/value pairs
+ *
+ * @return enumerator returns char **name, chunk_t *value
+ */
+ enumerator_t* (*create_enumerator)(ita_attr_settings_t *this);
+};
+
+/**
+ * Creates an ita_attr_settings_t object with an empty settings list
+ */
+pa_tnc_attr_t* ita_attr_settings_create(void);
+
+/**
+ * Creates an ita_attr_settings_t object from received data
+ *
+ * @param value binary value blob
+ */
+pa_tnc_attr_t* ita_attr_settings_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_SETTINGS_H_ @}*/
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
new file mode 100644
index 000000000..13374c876
--- /dev/null
+++ b/src/libimcv/os_info/os_info.c
@@ -0,0 +1,606 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "os_info.h"
+
+#include <sys/utsname.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_os_info_t private_os_info_t;
+
+ENUM(os_type_names, OS_TYPE_UNKNOWN, OS_TYPE_ANDROID,
+ "Unknown",
+ "Debian",
+ "Ubuntu",
+ "Fedora",
+ "Red Hat",
+ "CentOS",
+ "SUSE",
+ "Gentoo",
+ "Android"
+);
+
+ENUM(os_fwd_status_names, OS_FWD_DISABLED, OS_FWD_UNKNOWN,
+ "disabled",
+ "enabled",
+ "unknown"
+);
+
+ENUM(os_package_state_names, OS_PACKAGE_STATE_UPDATE, OS_PACKAGE_STATE_BLACKLIST,
+ "",
+ " [s]",
+ " [b]"
+);
+
+/**
+ * Private data of an os_info_t object.
+ *
+ */
+struct private_os_info_t {
+
+ /**
+ * Public os_info_t interface.
+ */
+ os_info_t public;
+
+ /**
+ * OS type
+ */
+ os_type_t type;
+
+ /**
+ * OS name
+ */
+ chunk_t name;
+
+ /**
+ * OS version
+ */
+ chunk_t version;
+
+};
+
+METHOD(os_info_t, get_type, os_type_t,
+ private_os_info_t *this)
+{
+ return this->type;
+}
+
+METHOD(os_info_t, get_name, chunk_t,
+ private_os_info_t *this)
+{
+ return this->name;
+}
+
+METHOD(os_info_t, get_numeric_version, void,
+ private_os_info_t *this, u_int32_t *major, u_int32_t *minor)
+{
+ u_char *pos;
+
+ if (major)
+ {
+ *major = atol(this->version.ptr);
+ }
+ pos = memchr(this->version.ptr, '.', this->version.len);
+ if (minor)
+ {
+ *minor = pos ? atol(pos + 1) : 0;
+ }
+}
+
+METHOD(os_info_t, get_version, chunk_t,
+ private_os_info_t *this)
+{
+ return this->version;
+}
+
+METHOD(os_info_t, get_fwd_status, os_fwd_status_t,
+ private_os_info_t *this)
+{
+ const char ip_forward[] = "/proc/sys/net/ipv4/ip_forward";
+ char buf[2];
+ FILE *file;
+
+ os_fwd_status_t fwd_status = OS_FWD_UNKNOWN;
+
+ file = fopen(ip_forward, "r");
+ if (file)
+ {
+ if (fread(buf, 1, 1, file) == 1)
+ {
+ switch (buf[0])
+ {
+ case '0':
+ fwd_status = OS_FWD_DISABLED;
+ break;
+ case '1':
+ fwd_status = OS_FWD_ENABLED;
+ break;
+ default:
+ DBG1(DBG_IMC, "\"%s\" returns invalid value ", ip_forward);
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IMC, "could not read from \"%s\"", ip_forward);
+ }
+ fclose(file);
+ }
+ else
+ {
+ DBG1(DBG_IMC, "failed to open \"%s\"", ip_forward);
+ }
+
+ return fwd_status;
+}
+
+METHOD(os_info_t, get_uptime, time_t,
+ private_os_info_t *this)
+{
+ const char proc_uptime[] = "/proc/uptime";
+ FILE *file;
+ time_t uptime;
+
+ file = fopen(proc_uptime, "r");
+ if (!file)
+ {
+ DBG1(DBG_IMC, "failed to open \"%s\"", proc_uptime);
+ return 0;
+ }
+ if (fscanf(file, "%u", &uptime) != 1)
+ {
+ DBG1(DBG_IMC, "failed to read file \"%s\"", proc_uptime);
+ uptime = 0;
+ }
+ fclose(file);
+
+ return uptime;
+}
+
+METHOD(os_info_t, get_setting, chunk_t,
+ private_os_info_t *this, char *name)
+{
+ FILE *file;
+ u_char buf[2048];
+ size_t i = 0;
+ chunk_t value;
+
+ if (!strneq(name, "/etc/", 5) && !strneq(name, "/proc/", 6) &&
+ !strneq(name, "/sys/", 5) && !strneq(name, "/var/", 5))
+ {
+ /**
+ * In order to guarantee privacy, only settings from the
+ * /etc/, /proc/ and /sys/ directories can be retrieved
+ */
+ DBG1(DBG_IMC, "not allowed to access '%s'", name);
+
+ return chunk_empty;
+ }
+
+ file = fopen(name, "r");
+ if (!file)
+ {
+ DBG1(DBG_IMC, "failed to open '%s'", name);
+
+ return chunk_empty;
+ }
+ while (i < sizeof(buf) && fread(buf + i, 1, 1, file) == 1)
+ {
+ i++;
+ }
+ fclose(file);
+
+ value = chunk_create(buf, i);
+
+ return chunk_clone(value);
+}
+
+typedef struct {
+ /**
+ * implements enumerator_t
+ */
+ enumerator_t public;
+
+ /**
+ * package info pipe stream
+ */
+ FILE* file;
+
+ /**
+ * line buffer
+ */
+ u_char line[512];
+
+} package_enumerator_t;
+
+/**
+ * Implementation of package_enumerator.destroy.
+ */
+static void package_enumerator_destroy(package_enumerator_t *this)
+{
+ pclose(this->file);
+ free(this);
+}
+
+/**
+ * Implementation of package_enumerator.enumerate
+ */
+static bool package_enumerator_enumerate(package_enumerator_t *this, ...)
+{
+ chunk_t *name, *version;
+ u_char *pos;
+ va_list args;
+
+ while (TRUE)
+ {
+ if (!fgets(this->line, sizeof(this->line), this->file))
+ {
+ return FALSE;
+ }
+
+ pos = strchr(this->line, '\t');
+ if (!pos)
+ {
+ return FALSE;
+ }
+ *pos++ = '\0';
+
+ if (!streq(this->line, "install ok installed"))
+ {
+ continue;
+ }
+ va_start(args, this);
+
+ name = va_arg(args, chunk_t*);
+ name->ptr = pos;
+ pos = strchr(pos, '\t');
+ if (!pos)
+ {
+ va_end(args);
+ return FALSE;
+ }
+ name->len = pos++ - name->ptr;
+
+ version = va_arg(args, chunk_t*);
+ version->ptr = pos;
+ version->len = strlen(pos) - 1;
+
+ va_end(args);
+ return TRUE;
+ }
+}
+
+METHOD(os_info_t, create_package_enumerator, enumerator_t*,
+ private_os_info_t *this)
+{
+ FILE *file;
+ const char command[] = "dpkg-query --show --showformat="
+ "'${Status}\t${Package}\t${Version}\n'";
+ package_enumerator_t *enumerator;
+
+ /* Only Debian and Ubuntu package enumeration is currently supported */
+ if (this->type != OS_TYPE_DEBIAN && this->type != OS_TYPE_UBUNTU)
+ {
+ return NULL;
+ }
+
+ /* Open a pipe stream for reading the output of the dpkg-query commmand */
+ file = popen(command, "r");
+ if (!file)
+ {
+ DBG1(DBG_IMC, "failed to run dpkg command");
+ return NULL;
+ }
+
+ /* Create a package enumerator instance */
+ enumerator = malloc_thing(package_enumerator_t);
+ enumerator->public.enumerate = (void*)package_enumerator_enumerate;
+ enumerator->public.destroy = (void*)package_enumerator_destroy;
+ enumerator->file = file;
+
+ return (enumerator_t*)enumerator;
+}
+
+
+METHOD(os_info_t, destroy, void,
+ private_os_info_t *this)
+{
+ free(this->name.ptr);
+ free(this->version.ptr);
+ free(this);
+}
+
+#define RELEASE_LSB 0
+#define RELEASE_DEBIAN 1
+
+/**
+ * Determine Linux distribution version and hardware platform
+ */
+static bool extract_platform_info(os_type_t *type, chunk_t *name,
+ chunk_t *version)
+{
+ FILE *file;
+ u_char buf[BUF_LEN], *pos = buf;
+ int len = BUF_LEN - 1;
+ os_type_t os_type = OS_TYPE_UNKNOWN;
+ chunk_t os_name = chunk_empty;
+ chunk_t os_version = chunk_empty;
+ char *os_str;
+ struct utsname uninfo;
+ int i;
+
+ /* Linux/Unix distribution release info (from http://linuxmafia.com) */
+ const char* releases[] = {
+ "/etc/lsb-release", "/etc/debian_version",
+ "/etc/SuSE-release", "/etc/novell-release",
+ "/etc/sles-release", "/etc/redhat-release",
+ "/etc/fedora-release", "/etc/gentoo-release",
+ "/etc/slackware-version", "/etc/annvix-release",
+ "/etc/arch-release", "/etc/arklinux-release",
+ "/etc/aurox-release", "/etc/blackcat-release",
+ "/etc/cobalt-release", "/etc/conectiva-release",
+ "/etc/debian_release", "/etc/immunix-release",
+ "/etc/lfs-release", "/etc/linuxppc-release",
+ "/etc/mandrake-release", "/etc/mandriva-release",
+ "/etc/mandrakelinux-release", "/etc/mklinux-release",
+ "/etc/pld-release", "/etc/redhat_version",
+ "/etc/slackware-release", "/etc/e-smith-release",
+ "/etc/release", "/etc/sun-release",
+ "/etc/tinysofa-release", "/etc/turbolinux-release",
+ "/etc/ultrapenguin-release", "/etc/UnitedLinux-release",
+ "/etc/va-release", "/etc/yellowdog-release"
+ };
+
+ const char lsb_distrib_id[] = "DISTRIB_ID=";
+ const char lsb_distrib_release[] = "DISTRIB_RELEASE=";
+
+ for (i = 0; i < countof(releases); i++)
+ {
+ file = fopen(releases[i], "r");
+ if (!file)
+ {
+ continue;
+ }
+
+ /* read release file into buffer */
+ fseek(file, 0, SEEK_END);
+ len = min(ftell(file), len);
+ rewind(file);
+ buf[len] = '\0';
+ if (fread(buf, 1, len, file) != len)
+ {
+ DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]);
+ fclose(file);
+ return FALSE;
+ }
+ fclose(file);
+
+ DBG1(DBG_IMC, "processing \"%s\" file", releases[i]);
+
+ switch (i)
+ {
+ case RELEASE_LSB:
+ {
+ /* Determine Distribution ID */
+ pos = strstr(buf, lsb_distrib_id);
+ if (!pos)
+ {
+ DBG1(DBG_IMC, "failed to find begin of DISTRIB_ID field");
+ return FALSE;
+ }
+ pos += strlen(lsb_distrib_id);
+
+ os_name.ptr = pos;
+
+ pos = strchr(pos, '\n');
+ if (!pos)
+ {
+ DBG1(DBG_IMC, "failed to find end of DISTRIB_ID field");
+ return FALSE;
+ }
+ os_name.len = pos - os_name.ptr;
+
+ /* Determine Distribution Release */
+ pos = strstr(buf, lsb_distrib_release);
+ if (!pos)
+ {
+ DBG1(DBG_IMC, "failed to find begin of DISTRIB_RELEASE field");
+ return FALSE;
+ }
+ pos += strlen(lsb_distrib_release);
+
+ os_version.ptr = pos;
+
+ pos = strchr(pos, '\n');
+ if (!pos)
+ {
+ DBG1(DBG_IMC, "failed to find end of DISTRIB_RELEASE field");
+ return FALSE;
+ }
+ os_version.len = pos - os_version.ptr;
+
+ break;
+ }
+ case RELEASE_DEBIAN:
+ {
+ os_type = OS_TYPE_DEBIAN;
+
+ os_version.ptr = buf;
+ pos = strchr(buf, '\n');
+ if (!pos)
+ {
+ DBG1(DBG_PTS, "failed to find end of release string");
+ return FALSE;
+ }
+
+ os_version.len = pos - os_version.ptr;
+
+ break;
+ }
+ default:
+ {
+ const char str_release[] = " release ";
+
+ os_name.ptr = buf;
+
+ pos = strstr(buf, str_release);
+ if (!pos)
+ {
+ DBG1(DBG_IMC, "failed to find release keyword");
+ return FALSE;
+ }
+
+ os_name.len = pos - os_name.ptr;
+
+ pos += strlen(str_release);
+ os_version.ptr = pos;
+
+ pos = strchr(pos, '\n');
+ if (!pos)
+ {
+ DBG1(DBG_IMC, "failed to find end of release string");
+ return FALSE;
+ }
+
+ os_version.len = pos - os_version.ptr;
+
+ break;
+ }
+ }
+ break;
+ }
+
+ if (!os_version.ptr)
+ {
+ DBG1(DBG_IMC, "no distribution release file found");
+ return FALSE;
+ }
+
+ if (uname(&uninfo) < 0)
+ {
+ DBG1(DBG_IMC, "could not retrieve machine architecture");
+ return FALSE;
+ }
+
+ /* Try to find a matching OS type based on the OS name */
+ if (os_type == OS_TYPE_UNKNOWN)
+ {
+ os_type = os_type_from_name(os_name);
+ }
+
+ /* If known use the official OS name */
+ if (os_type != OS_TYPE_UNKNOWN)
+ {
+ os_str = enum_to_name(os_type_names, os_type);
+ os_name = chunk_create(os_str, strlen(os_str));
+ }
+
+ /* copy OS type */
+ *type = os_type;
+
+ /* copy OS name */
+ *name = chunk_clone(os_name);
+
+ /* copy OS version and machine architecture */
+ *version = chunk_alloc(os_version.len + 1 + strlen(uninfo.machine));
+ pos = version->ptr;
+ memcpy(pos, os_version.ptr, os_version.len);
+ pos += os_version.len;
+ *pos++ = ' ';
+ memcpy(pos, uninfo.machine, strlen(uninfo.machine));
+
+ return TRUE;
+}
+
+/**
+ * See header
+ */
+os_type_t os_type_from_name(chunk_t name)
+{
+ os_type_t type;
+ char *name_str;
+
+ for (type = OS_TYPE_DEBIAN; type < OS_TYPE_ROOF; type++)
+ {
+ /* name_str is a substring of name.ptr */
+ name_str = enum_to_name(os_type_names, type);
+ if (memeq(name.ptr, name_str, min(name.len, strlen(name_str))))
+ {
+ return type;
+ }
+ }
+ return OS_TYPE_UNKNOWN;
+}
+
+/**
+ * See header
+ */
+os_info_t *os_info_create(void)
+{
+ private_os_info_t *this;
+ chunk_t name, version;
+ os_type_t type;
+
+ /* As an option OS name and OS version can be configured manually */
+ name.ptr = lib->settings->get_str(lib->settings,
+ "libimcv.os_info.name", NULL);
+ version.ptr = lib->settings->get_str(lib->settings,
+ "libimcv.os_info.version", NULL);
+ if (name.ptr && version.ptr)
+ {
+ name.len = strlen(name.ptr);
+ name = chunk_clone(name);
+
+ version.len = strlen(version.ptr);
+ version = chunk_clone(version);
+
+ type = os_type_from_name(name);
+ }
+ else
+ {
+ if (!extract_platform_info(&type, &name, &version))
+ {
+ return NULL;
+ }
+ }
+ DBG1(DBG_IMC, "operating system name is '%.*s'",
+ name.len, name.ptr);
+ DBG1(DBG_IMC, "operating system version is '%.*s'",
+ version.len, version.ptr);
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .get_name = _get_name,
+ .get_numeric_version = _get_numeric_version,
+ .get_version = _get_version,
+ .get_fwd_status = _get_fwd_status,
+ .get_uptime = _get_uptime,
+ .get_setting = _get_setting,
+ .create_package_enumerator = _create_package_enumerator,
+ .destroy = _destroy,
+ },
+ .type = type,
+ .name = name,
+ .version = version,
+ );
+
+ return &this->public;
+}
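Review bot: The allow-list in `get_setting()` compares only the leading characters of `name`, so a path that begins with `/etc/` but contains `..` components, or a symlink below one of the allowed directories, still passes and is opened; the check should be applied to the resolved path as in the excerpt below (an explicit list of permitted files would be stricter still, and a check-then-open race remains). The comment names `/etc/`, `/proc/` and `/sys/` while the code also admits `/var/`, and whole-directory access includes sensitive files when the process runs privileged, so "guarantee privacy" overstates what the check provides. Elsewhere in this hunk, `get_uptime()` passes a `time_t *` to `fscanf(file, "%u", …)`, which mismatches wherever `time_t` is not `unsigned int`, and `get_numeric_version()` calls `atol()` on `this->version.ptr`, which `extract_platform_info()` fills through `chunk_alloc()` without a terminating NUL.

```c
METHOD(os_info_t, get_setting, chunk_t,
	private_os_info_t *this, char *name)
{
	/* … unchanged: declarations of file, buf, i, value … */
	char *path;

	/* resolve ".", ".." and symlinks before applying the prefix allow-list */
	path = realpath(name, NULL);
	if (!path)
	{
		DBG1(DBG_IMC, "failed to resolve '%s'", name);
		return chunk_empty;
	}
	if (!strneq(path, "/etc/", 5) && !strneq(path, "/proc/", 6) &&
		!strneq(path, "/sys/", 5) && !strneq(path, "/var/", 5))
	{
		/* only files below /etc/, /proc/, /sys/ and /var/ may be read */
		DBG1(DBG_IMC, "not allowed to access '%s'", name);
		free(path);
		return chunk_empty;
	}
	file = fopen(path, "r");
	free(path);
	/* … unchanged: open-failure handling, bounded read into buf, chunk_clone … */
```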
diff --git a/src/libimcv/os_info/os_info.h b/src/libimcv/os_info/os_info.h
new file mode 100644
index 000000000..f47460709
--- /dev/null
+++ b/src/libimcv/os_info/os_info.h
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup os_info os_info
+ * @{ @ingroup libimcv
+ */
+
+#ifndef OS_INFO_H_
+#define OS_INFO_H_
+
+typedef struct os_info_t os_info_t;
+typedef enum os_type_t os_type_t;
+typedef enum os_fwd_status_t os_fwd_status_t;
+typedef enum os_package_state_t os_package_state_t;
+
+#include <library.h>
+
+#include <time.h>
+
+enum os_type_t {
+ OS_TYPE_UNKNOWN,
+ OS_TYPE_DEBIAN,
+ OS_TYPE_UBUNTU,
+ OS_TYPE_FEDORA,
+ OS_TYPE_REDHAT,
+ OS_TYPE_CENTOS,
+ OS_TYPE_SUSE,
+ OS_TYPE_GENTOO,
+ OS_TYPE_ANDROID,
+ OS_TYPE_ROOF
+};
+
+extern enum_name_t *os_type_names;
+
+/**
+ * Defines the security state of a package stored in the database
+ */
+enum os_package_state_t {
+ OS_PACKAGE_STATE_UPDATE = 0, /* latest update */
+ OS_PACKAGE_STATE_SECURITY = 1, /* latest security fix */
+ OS_PACKAGE_STATE_BLACKLIST = 2 /* blacklisted package */
+};
+
+extern enum_name_t *os_package_state_names;
+
+/**
+ * Defines the IPv4 forwarding status
+ */
+enum os_fwd_status_t {
+ OS_FWD_DISABLED = 0,
+ OS_FWD_ENABLED = 1,
+ OS_FWD_UNKNOWN = 2
+};
+
+extern enum_name_t *os_fwd_status_names;
+
+/**
+ * Interface for the Operating System (OS) information module
+ */
+struct os_info_t {
+
+ /**
+ * Get the OS type if it can be determined
+ *
+ * @return OS type
+ */
+ os_type_t (*get_type)(os_info_t *this);
+
+ /**
+ * Get the OS product name or distribution
+ *
+ * @return OS name
+ */
+ chunk_t (*get_name)(os_info_t *this);
+
+ /**
+ * Get the numeric OS version or release
+ *
+ * @param major OS major version number
+ * @param minor OS minor version number
+ */
+ void (*get_numeric_version)(os_info_t *this, u_int32_t *major,
+ u_int32_t *minor);
+
+ /**
+ * Get the OS version or release
+ *
+ * @return OS version
+ */
+ chunk_t (*get_version)(os_info_t *this);
+
+ /**
+ * Get the OS IPv4 forwarding status
+ *
+ * @return IP forwarding status
+ */
+ os_fwd_status_t (*get_fwd_status)(os_info_t *this);
+
+ /**
+ * Get the OS uptime in seconds
+ *
+ * @return OS uptime
+ */
+ time_t (*get_uptime)(os_info_t *this);
+
+ /**
+ * Get an OS setting (restricted to /proc, /sys, and /etc)
+ *
+ * @param name name of OS setting
+ * @return value of OS setting
+ */
+ chunk_t (*get_setting)(os_info_t *this, char *name);
+
+ /**
+ * Enumerates over all installed packages
+ *
+ * @return return package enumerator
+ */
+ enumerator_t* (*create_package_enumerator)(os_info_t *this);
+
+ /**
+ * Destroys an os_info_t object.
+ */
+ void (*destroy)(os_info_t *this);
+};
+
+/**
+ * Convert an OS name into an OS enumeration type
+ *
+ * @param name OS name
+ * @return OS enumeration type
+ */
+os_type_t os_type_from_name(chunk_t name);
+
+/**
+ * Create an os_info_t object
+ */
+os_info_t* os_info_create(void);
+
+#endif /** OS_INFO_H_ @}*/
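Review bot: The doc comment for `os_type_from_name()` at the end of this header does not say what is returned when nothing matches, nor that the match is by prefix. The implementation in os_info.c compares only `min(name.len, strlen(name_str))` bytes, so a zero-length chunk or any leading fragment of a known name would be reported as a known distribution; an empty name would yield the first entry tested, `OS_TYPE_DEBIAN`. Because the name can come from the `libimcv.os_info.name` setting, I would document it as `@return OS enumeration type, OS_TYPE_UNKNOWN if no known name is a prefix of name` and require `name.len >= strlen(name_str)` before the `memeq()` call. `OS_TYPE_ROOF` in `enum os_type_t` would also benefit from a comment marking it as the loop sentinel rather than a real OS type.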
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr_manager.c b/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
index 1de89d87d..900a55716 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
+++ b/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
@@ -16,8 +16,8 @@
#include "pa_tnc_attr_manager.h"
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_pa_tnc_attr_manager_t private_pa_tnc_attr_manager_t;
typedef struct entry_t entry_t;
@@ -46,7 +46,7 @@ struct private_pa_tnc_attr_manager_t {
};
METHOD(pa_tnc_attr_manager_t, add_vendor, void,
- private_pa_tnc_attr_manager_t *this, pen_t vendor_id,
+ private_pa_tnc_attr_manager_t *this, pen_t vendor_id,
pa_tnc_attr_create_t attr_create, enum_name_t *attr_names)
{
entry_t *entry;
@@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_manager_t, create, pa_tnc_attr_t*,
METHOD(pa_tnc_attr_manager_t, destroy, void,
private_pa_tnc_attr_manager_t *this)
{
- this->list->destroy_function(this->list, free);
+ this->list->destroy_function(this->list, free);
free(this);
}
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c
index b1476fc7f..63445f3a1 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.c
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.c
@@ -19,9 +19,9 @@
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
@@ -42,7 +42,7 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
#define PA_TNC_RESERVED 0x000000
/**
- * PA-TNC attribute
+ * PA-TNC attribute
*
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
@@ -207,7 +207,7 @@ METHOD(pa_tnc_msg_t, process, status_t,
pa_tnc_attr_t *error;
u_int8_t version;
u_int32_t reserved, offset, attr_offset;
- pen_type_t error_code;
+ pen_type_t error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER };
/* process message header */
if (this->encoding.len < PA_TNC_HEADER_SIZE)
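Review bot: The function-scope initializer `error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER }` is now an implicit contract that the code does not state. The error paths in the hunks at -272, -281 and -338 dropped their explicit assignment and rely on this default still being in place, including on later loop iterations. That holds only while every path that overwrites `error_code` leaves through `err` straight away, as the version check in the next hunk does. Since this parser runs on peer-supplied PA-TNC messages, I would state the invariant at the declaration, e.g. `/* default for malformed-length errors; any path that changes it must goto err */`. The body of `process()` extends beyond this hunk, so the paths not shown here should be checked against it.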
@@ -224,13 +224,12 @@ METHOD(pa_tnc_msg_t, process, status_t,
if (version != PA_TNC_VERSION)
{
- pen_type_t error_code = { PEN_IETF, PA_ERROR_VERSION_NOT_SUPPORTED };
-
DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
+ error_code = pen_type_create(PEN_IETF, PA_ERROR_VERSION_NOT_SUPPORTED);
error = ietf_attr_pa_tnc_error_create(error_code, this->encoding);
goto err;
}
-
+
/* offset of the first PA-TNC attribute in the PA-TNC message */
offset = PA_TNC_HEADER_SIZE;
@@ -244,7 +243,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
pa_tnc_attr_t *attr;
enum_name_t *pa_attr_names;
ietf_attr_pa_tnc_error_t *error_attr;
- pen_type_t error_code;
attr_info = reader->peek(reader);
attr_info.len = PA_TNC_ATTR_INFO_SIZE;
@@ -272,7 +270,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
{
DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
length);
- error_code = pen_type_create(PEN_IETF, PA_ERROR_INVALID_PARAMETER);
error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
goto err;
@@ -281,11 +278,10 @@ METHOD(pa_tnc_msg_t, process, status_t,
if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
{
DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
- error_code = pen_type_create(PEN_IETF, PA_ERROR_INVALID_PARAMETER);
error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
- goto err;
- }
+ goto err;
+ }
DBG3(DBG_TNC, "%B", &value);
attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
@@ -314,15 +310,14 @@ METHOD(pa_tnc_msg_t, process, status_t,
if (attr->process(attr, &attr_offset) != SUCCESS)
{
attr->destroy(attr);
- if (error_code.vendor_id == PEN_IETF &&
- error_code.type == IETF_ATTR_PA_TNC_ERROR)
+ if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
{
/* error while processing a PA-TNC error attribute - abort */
reader->destroy(reader);
return FAILED;
}
error_code = pen_type_create(PEN_IETF,
- PA_ERROR_ATTR_TYPE_NOT_SUPPORTED);
+ PA_ERROR_INVALID_PARAMETER);
error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
this->encoding,
offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
@@ -338,7 +333,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
return SUCCESS;
}
DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
- error_code = pen_type_create(PEN_IETF, PA_ERROR_INVALID_PARAMETER);
error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
this->encoding, offset);
@@ -377,7 +371,7 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
{
continue;
}
- DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message "
+ DBG1(DBG_TNC, "received PA-TNC error '%N' concerning message "
"0x%08x/0x%08x", pa_tnc_error_code_names, error_code.type,
untoh32(msg_info.ptr), untoh32(msg_info.ptr + 4));
@@ -385,19 +379,15 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
{
case PA_ERROR_INVALID_PARAMETER:
offset = error_attr->get_offset(error_attr);
- DBG1(DBG_IMC, " occurred at offset of %u bytes", offset);
+ DBG1(DBG_TNC, " occurred at offset of %u bytes", offset);
break;
case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
attr_info = error_attr->get_attr_info(error_attr);
- DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info);
+ DBG1(DBG_TNC, " unsupported attribute %#B", &attr_info);
break;
default:
break;
}
-
- /* remove and delete the processed IETF standard error attribute */
- this->attributes->remove_at(this->attributes, enumerator);
- attr->destroy(attr);
fatal_error = TRUE;
}
}
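Review bot: With the `remove_at()`/`destroy()` pair gone, processed IETF error attributes stay in `this->attributes`, so any caller that enumerates the message's attributes after `process_ietf_std_errors()` will now see them too. The pa_tnc_msg.h comment was shortened to match, but neither place states the new behaviour. I would add `/* error attributes are kept in the list; callers enumerating attributes must expect them */` above `fatal_error = TRUE;` and a matching sentence to the header doc. Whether existing IMC/IMV callers skip error attributes cannot be seen from this hunk, and the function body extends beyond it.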
@@ -422,7 +412,7 @@ METHOD(pa_tnc_msg_t, destroy, void,
private_pa_tnc_msg_t *this)
{
this->attributes->destroy_offset(this->attributes,
- offsetof(pa_tnc_attr_t, destroy));
+ offsetof(pa_tnc_attr_t, destroy));
this->errors->destroy_offset(this->errors,
offsetof(pa_tnc_attr_t, destroy));
free(this->encoding.ptr);
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h
index 80016fecd..332f2506f 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.h
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.h
@@ -65,7 +65,7 @@ struct pa_tnc_msg_t {
status_t (*process)(pa_tnc_msg_t *this);
/**
- * Process and remove all IETF standard error PA-TNC attributes
+ * Process all IETF standard error PA-TNC attributes
*
* @return TRUE if at least one error attribute processed
*/
diff --git a/src/libimcv/plugins/imc_os/Makefile.am b/src/libimcv/plugins/imc_os/Makefile.am
new file mode 100644
index 000000000..0bfe776a5
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/Makefile.am
@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+
+imcv_LTLIBRARIES = imc-os.la
+
+imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
+
+imc_os_la_LDFLAGS = -module -avoid-version
+
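Review bot: `AM_CFLAGS = -rdynamic` puts a link-time option into the compile flags, and `INCLUDES` is the deprecated automake name for `AM_CPPFLAGS`. For a libtool `-module` plugin the option probably has no effect, since it concerns symbol export from executables. I would drop it or move it to `imc_os_la_LDFLAGS`, and write `AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan ...` instead of `INCLUDES`. If the sibling IMC plugins use the same pattern and it is kept for consistency, a one-line comment saying why `-rdynamic` is needed would help.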
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
new file mode 100644
index 000000000..7b871df2a
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -0,0 +1,620 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libimcv/plugins/imc_os
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(imcvdir)"
+LTLIBRARIES = $(imcv_LTLIBRARIES)
+imc_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+am_imc_os_la_OBJECTS = imc_os.lo imc_os_state.lo
+imc_os_la_OBJECTS = $(am_imc_os_la_OBJECTS)
+imc_os_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(imc_os_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(imc_os_la_SOURCES)
+DIST_SOURCES = $(imc_os_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+imcv_LTLIBRARIES = imc-os.la
+imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
+imc_os_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imc_os/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libimcv/plugins/imc_os/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
+ @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
+ }
+
+uninstall-imcvLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
+ done
+
+clean-imcvLTLIBRARIES:
+ -test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
+ @list='$(imcv_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+imc-os.la: $(imc_os_la_OBJECTS) $(imc_os_la_DEPENDENCIES) $(EXTRA_imc_os_la_DEPENDENCIES)
+ $(imc_os_la_LINK) -rpath $(imcvdir) $(imc_os_la_OBJECTS) $(imc_os_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os_state.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(imcvdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-imcvLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-imcvLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-imcvLTLIBRARIES clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-imcvLTLIBRARIES install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-imcvLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
new file mode 100644
index 000000000..f6e205ce7
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -0,0 +1,585 @@
+/*
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_os_state.h"
+
+#include <imc/imc_agent.h>
+#include <imc/imc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+#include <os_info/os_info.h>
+
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+/* IMC definitions */
+
+static const char imc_name[] = "OS";
+
+static pen_type_t msg_types[] = {
+ { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static imc_agent_t *imc_os;
+static os_info_t *os;
+
+/**
+ * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
+ TNC_Version min_version,
+ TNC_Version max_version,
+ TNC_Version *actual_version)
+{
+ if (imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
+ return TNC_RESULT_ALREADY_INITIALIZED;
+ }
+ imc_os = imc_agent_create(imc_name, msg_types, countof(msg_types),
+ imc_id, actual_version);
+ if (!imc_os)
+ {
+ return TNC_RESULT_FATAL;
+ }
+
+ os = os_info_create();
+ if (!os)
+ {
+ imc_os->destroy(imc_os);
+ imc_os = NULL;
+
+ return TNC_RESULT_FATAL;
+ }
+
+ if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
+ {
+ DBG1(DBG_IMC, "no common IF-IMC version");
+ return TNC_RESULT_NO_COMMON_VERSION;
+ }
+ return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_ConnectionState new_state)
+{
+ imc_state_t *state;
+
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ switch (new_state)
+ {
+ case TNC_CONNECTION_STATE_CREATE:
+ state = imc_os_state_create(connection_id);
+ return imc_os->create_state(imc_os, state);
+ case TNC_CONNECTION_STATE_HANDSHAKE:
+ if (imc_os->change_state(imc_os, connection_id, new_state,
+ &state) != TNC_RESULT_SUCCESS)
+ {
+ return TNC_RESULT_FATAL;
+ }
+ state->set_result(state, imc_id,
+ TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+ return TNC_RESULT_SUCCESS;
+ case TNC_CONNECTION_STATE_DELETE:
+ return imc_os->delete_state(imc_os, connection_id);
+ default:
+ return imc_os->change_state(imc_os, connection_id,
+ new_state, NULL);
+ }
+}
+
+/**
+ * Add IETF Product Information attribute to the send queue
+ */
+static void add_product_info(imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr;
+ os_type_t os_type;
+ pen_t vendor_id = PEN_IETF;
+ int i;
+
+ typedef struct vendor_pen_t {
+ os_type_t os_type;
+ pen_t pen;
+ } vendor_pen_t;
+
+ vendor_pen_t vendor_pens[] = {
+ { OS_TYPE_DEBIAN, PEN_DEBIAN },
+ { OS_TYPE_UBUNTU, PEN_CANONICAL },
+ { OS_TYPE_FEDORA, PEN_FEDORA },
+ { OS_TYPE_REDHAT, PEN_REDHAT },
+ { OS_TYPE_ANDROID, PEN_GOOGLE }
+ };
+
+ os_type = os->get_type(os);
+ for (i = 0; i < countof(vendor_pens); i++)
+ {
+ if (os_type == vendor_pens[i].os_type)
+ {
+ vendor_id = vendor_pens[i].pen;
+ break;
+ }
+ }
+ attr = ietf_attr_product_info_create(vendor_id, 0, os->get_name(os));
+ msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Numeric Version attribute to the send queue
+ */
+static void add_numeric_version(imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr;
+ u_int32_t major, minor;
+
+ os->get_numeric_version(os, &major, &minor);
+ DBG1(DBG_IMC, "operating system numeric version is %d.%d",
+ major, minor);
+
+ attr = ietf_attr_numeric_version_create(major, minor, 0, 0, 0);
+ msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF String Version attribute to the send queue
+ */
+static void add_string_version(imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr;
+
+ attr = ietf_attr_string_version_create(os->get_version(os),
+ chunk_empty, chunk_empty);
+ msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Operational Status attribute to the send queue
+ */
+static void add_op_status(imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr;
+ time_t uptime, last_boot;
+
+ uptime = os->get_uptime(os);
+ last_boot = uptime ? time(NULL) - uptime : UNDEFINED_TIME;
+ if (last_boot != UNDEFINED_TIME)
+ {
+ DBG1(DBG_IMC, "last boot: %T, %u s ago", &last_boot, TRUE, uptime);
+ }
+ attr = ietf_attr_op_status_create(OP_STATUS_OPERATIONAL,
+ OP_RESULT_SUCCESSFUL, last_boot);
+ msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Forwarding Enabled attribute to the send queue
+ */
+static void add_fwd_enabled(imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr;
+ os_fwd_status_t fwd_status;
+
+ fwd_status = os->get_fwd_status(os);
+ DBG1(DBG_IMC, "IPv4 forwarding status: %N",
+ os_fwd_status_names, fwd_status);
+ attr = ietf_attr_fwd_enabled_create(fwd_status);
+ msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Factory Default Password Enabled attribute to the send queue
+ */
+static void add_default_pwd_enabled(imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr;
+
+ DBG1(DBG_IMC, "factory default password: disabled");
+ attr = ietf_attr_default_pwd_enabled_create(FALSE);
+ msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add an IETF Installed Packages attribute to the send queue
+ */
+static void add_installed_packages(imc_state_t *state, imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr = NULL, *attr_angel;
+ ietf_attr_installed_packages_t *attr_cast;
+ enumerator_t *enumerator;
+ chunk_t name, version;
+ size_t max_attr_size, attr_size, entry_size;
+ bool first = TRUE;
+
+ /**
+ * Compute the maximum IETF Installed Packages attribute size
+ * leaving space for an additional ITA Angel attribute
+ */
+ max_attr_size = state->get_max_msg_len(state) - 8 - 12;
+
+ /* At least one IETF Installed Packages attribute is sent */
+ attr = ietf_attr_installed_packages_create();
+ attr_size = 12 + 4;
+
+ enumerator = os->create_package_enumerator(os);
+ if (enumerator)
+ {
+ while (enumerator->enumerate(enumerator, &name, &version))
+ {
+ DBG2(DBG_IMC, "package '%.*s' (%.*s)",
+ name.len, name.ptr, version.len, version.ptr);
+
+ entry_size = 2 + name.len + version.len;
+ if (attr_size + entry_size > max_attr_size)
+ {
+ if (first)
+ {
+ /**
+ * Send an ITA Start Angel attribute to the IMV signalling
+ * that multiple ITA Installed Package attributes follow.
+ */
+ attr_angel = ita_attr_angel_create(TRUE);
+ msg->add_attribute(msg, attr_angel);
+ first = FALSE;
+ }
+ msg->add_attribute(msg, attr);
+
+ /* create the next IETF Installed Packages attribute */
+ attr = ietf_attr_installed_packages_create();
+ attr_size = 12 + 4;
+ }
+ attr_cast = (ietf_attr_installed_packages_t*)attr;
+ attr_cast->add(attr_cast, name, version);
+ attr_size += entry_size;
+ }
+ enumerator->destroy(enumerator);
+ }
+ msg->add_attribute(msg, attr);
+
+ if (!first)
+ {
+ /**
+ * If we sent an ITA Start Angel attribute in the first place,
+ * terminate by appending a matching ITA Stop Angel attribute.
+ */
+ attr_angel = ita_attr_angel_create(FALSE);
+ msg->add_attribute(msg, attr_angel);
+ }
+}
+
+/**
+ * Add ITA Settings attribute to the send queue
+ */
+static void add_settings(enumerator_t *enumerator, imc_msg_t *msg)
+{
+ pa_tnc_attr_t *attr = NULL;
+ ita_attr_settings_t *attr_cast;
+ chunk_t value;
+ char *name;
+ bool first = TRUE;
+
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ DBG1(DBG_IMC, "setting '%s'", name);
+
+ value = os->get_setting(os, name);
+ if (!value.ptr)
+ {
+ continue;
+ }
+ if (first)
+ {
+ attr = ita_attr_settings_create();
+ first = FALSE;
+ }
+ attr_cast = (ita_attr_settings_t*)attr;
+ attr_cast->add(attr_cast, name, value);
+ chunk_free(&value);
+ }
+
+ if (attr)
+ {
+ msg->add_attribute(msg, attr);
+ }
+}
+
+/**
+ * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id)
+{
+ imc_state_t *state;
+ imc_msg_t *out_msg;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_os->get_state(imc_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "libimcv.plugins.imc-os.push_info", TRUE))
+ {
+ out_msg = imc_msg_create(imc_os, state, connection_id, imc_id,
+ TNC_IMVID_ANY, msg_types[0]);
+ add_product_info(out_msg);
+ add_string_version(out_msg);
+ add_numeric_version(out_msg);
+ add_op_status(out_msg);
+ add_fwd_enabled(out_msg);
+ add_default_pwd_enabled(out_msg);
+
+ /* send PA-TNC message with the excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ out_msg->destroy(out_msg);
+ }
+
+ return result;
+}
+
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
+{
+ imc_msg_t *out_msg;
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t type;
+ TNC_Result result;
+ bool fatal_error = FALSE;
+
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ out_msg = imc_msg_create_as_reply(in_msg);
+
+ /* analyze PA-TNC attributes */
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ type = attr->get_type(attr);
+
+ if (type.vendor_id == PEN_IETF)
+ {
+ if (type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
+ {
+ ietf_attr_attr_request_t *attr_cast;
+ pen_type_t *entry;
+ enumerator_t *e;
+
+ attr_cast = (ietf_attr_attr_request_t*)attr;
+
+ e = attr_cast->create_enumerator(attr_cast);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ switch (entry->type)
+ {
+ case IETF_ATTR_PRODUCT_INFORMATION:
+ add_product_info(out_msg);
+ break;
+ case IETF_ATTR_STRING_VERSION:
+ add_string_version(out_msg);
+ break;
+ case IETF_ATTR_NUMERIC_VERSION:
+ add_numeric_version(out_msg);
+ break;
+ case IETF_ATTR_OPERATIONAL_STATUS:
+ add_op_status(out_msg);
+ break;
+ case IETF_ATTR_FORWARDING_ENABLED:
+ add_fwd_enabled(out_msg);
+ break;
+ case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+ add_default_pwd_enabled(out_msg);
+ break;
+ case IETF_ATTR_INSTALLED_PACKAGES:
+ add_installed_packages(state, out_msg);
+ break;
+ default:
+ break;
+ }
+ }
+ e->destroy(e);
+ }
+ }
+ else if (type.vendor_id == PEN_ITA && type.type == ITA_ATTR_GET_SETTINGS)
+ {
+ ita_attr_get_settings_t *attr_cast;
+ enumerator_t *e;
+
+ attr_cast = (ita_attr_get_settings_t*)attr;
+
+ e = attr_cast->create_enumerator(attr_cast);
+ add_settings(e, out_msg);
+ e->destroy(e);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (fatal_error)
+ {
+ result = TNC_RESULT_FATAL;
+ }
+ else
+ {
+ result = out_msg->send(out_msg, TRUE);
+ }
+ out_msg->destroy(out_msg);
+
+ return result;
+}
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3
+
+ */
+TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_MessageType msg_type)
+{
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_os->get_state(imc_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imc_msg_create_from_data(imc_os, state, connection_id, msg_type,
+ chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 msg_flags,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 src_imv_id,
+ TNC_UInt32 dst_imc_id)
+{
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_os->get_state(imc_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imc_msg_create_from_long_data(imc_os, state, connection_id,
+ src_imv_id, dst_imc_id,msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id)
+{
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
+{
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ imc_os->destroy(imc_os);
+ imc_os = NULL;
+
+ os->destroy(os);
+ os = NULL;
+
+ return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
+ TNC_TNCC_BindFunctionPointer bind_function)
+{
+ if (!imc_os)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ return imc_os->bind_functions(imc_os, bind_function);
+}
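Review bot: In TNC_IMC_Initialize the IF-IMC version check runs only after imc_agent_create() and os_info_create() have succeeded, so the TNC_RESULT_NO_COMMON_VERSION return leaves `imc_os` and `os` allocated and the module looking initialized. A second TNC_IMC_Initialize call would then report TNC_RESULT_ALREADY_INITIALIZED even though the first one failed. Move the `if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)` block above the imc_agent_create() call. Alternatively, destroy both objects and reset the pointers to NULL before returning, as the os_info_create() failure path already does for `imc_os`.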
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.c b/src/libimcv/plugins/imc_os/imc_os_state.c
new file mode 100644
index 000000000..f49959ab9
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os_state.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_os_state.h"
+
+#include <tncif_names.h>
+
+#include <utils/debug.h>
+
+typedef struct private_imc_os_state_t private_imc_os_state_t;
+
+/**
+ * Private data of an imc_os_state_t object.
+ */
+struct private_imc_os_state_t {
+
+ /**
+ * Public members of imc_os_state_t
+ */
+ imc_os_state_t public;
+
+ /**
+ * TNCCS connection ID
+ */
+ TNC_ConnectionID connection_id;
+
+ /**
+ * TNCCS connection state
+ */
+ TNC_ConnectionState state;
+
+ /**
+ * Assessment/Evaluation Result
+ */
+ TNC_IMV_Evaluation_Result result;
+
+ /**
+ * Does the TNCCS connection support long message types?
+ */
+ bool has_long;
+
+ /**
+ * Does the TNCCS connection support exclusive delivery?
+ */
+ bool has_excl;
+
+ /**
+ * Maximum PA-TNC message size for this TNCCS connection
+ */
+ u_int32_t max_msg_len;
+};
+
+METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
+ private_imc_os_state_t *this)
+{
+ return this->connection_id;
+}
+
+METHOD(imc_state_t, has_long, bool,
+ private_imc_os_state_t *this)
+{
+ return this->has_long;
+}
+
+METHOD(imc_state_t, has_excl, bool,
+ private_imc_os_state_t *this)
+{
+ return this->has_excl;
+}
+
+METHOD(imc_state_t, set_flags, void,
+ private_imc_os_state_t *this, bool has_long, bool has_excl)
+{
+ this->has_long = has_long;
+ this->has_excl = has_excl;
+}
+
+METHOD(imc_state_t, set_max_msg_len, void,
+ private_imc_os_state_t *this, u_int32_t max_msg_len)
+{
+ this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+ private_imc_os_state_t *this)
+{
+ return this->max_msg_len;
+}
+
+METHOD(imc_state_t, change_state, void,
+ private_imc_os_state_t *this, TNC_ConnectionState new_state)
+{
+ this->state = new_state;
+}
+
+METHOD(imc_state_t, set_result, void,
+ private_imc_os_state_t *this, TNC_IMCID id,
+ TNC_IMV_Evaluation_Result result)
+{
+ this->result = result;
+}
+
+METHOD(imc_state_t, get_result, bool,
+ private_imc_os_state_t *this, TNC_IMCID id,
+ TNC_IMV_Evaluation_Result *result)
+{
+ if (result)
+ {
+ *result = this->result;
+ }
+ return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
+
+METHOD(imc_state_t, destroy, void,
+ private_imc_os_state_t *this)
+{
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+imc_state_t *imc_os_state_create(TNC_ConnectionID connection_id)
+{
+ private_imc_os_state_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_connection_id = _get_connection_id,
+ .has_long = _has_long,
+ .has_excl = _has_excl,
+ .set_flags = _set_flags,
+ .set_max_msg_len = _set_max_msg_len,
+ .get_max_msg_len = _get_max_msg_len,
+ .change_state = _change_state,
+ .set_result = _set_result,
+ .get_result = _get_result,
+ .destroy = _destroy,
+ },
+ },
+ .state = TNC_CONNECTION_STATE_CREATE,
+ .result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+ .connection_id = connection_id,
+ );
+
+ return &this->public.interface;
+}
+
+
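Review bot: imc_os_state_create() never sets `max_msg_len`, so it presumably stays zero until set_max_msg_len() is called (assuming INIT zero-fills the fields it is not given). add_installed_packages() in imc_os.c computes `state->get_max_msg_len(state) - 8 - 12` in unsigned arithmetic, so any value below 20 wraps to a huge limit and the package list is never split across attributes. Whether the agent always sets a limit before the first message is built is not visible in this diff. Either document on the field that 0 means "not set" and have the caller handle values below the fixed overhead explicitly, or give the field a defined value in the INIT block.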
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.h b/src/libimcv/plugins/imc_os/imc_os_state.h
new file mode 100644
index 000000000..1fe23175a
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os_state.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imc_os_state_t imc_os_state
+ * @{ @ingroup imc_os_state
+ */
+
+#ifndef IMC_OS_STATE_H_
+#define IMC_OS_STATE_H_
+
+#include <imc/imc_state.h>
+#include <library.h>
+
+typedef struct imc_os_state_t imc_os_state_t;
+
+/**
+ * Internal state of an imc_os_t connection instance
+ */
+struct imc_os_state_t {
+
+ /**
+ * imc_state_t interface
+ */
+ imc_state_t interface;
+};
+
+/**
+ * Create an imc_os_state_t instance
+ *
+ * @param id connection ID
+ */
+imc_state_t* imc_os_state_create(TNC_ConnectionID id);
+
+#endif /** IMC_OS_STATE_H_ @}*/
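Review bot: The Doxygen header defines the group as `imc_os_state_t` and then places it `@ingroup imc_os_state`, a group this header does not define, so the page probably ends up outside the intended parent group. The name after `@ingroup` should be that of the enclosing plugin group. The comment on imc_os_state_create() also omits a return description; `@return imc_state_t interface of the new state object` would match what the implementation in imc_os_state.c returns.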
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index d06798170..c865544f6 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(imcvdir)"
LTLIBRARIES = $(imcv_LTLIBRARIES)
imc_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES)
+imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES) $(EXTRA_imc_scanner_la_DEPENDENCIES)
$(imc_scanner_la_LINK) -rpath $(imcvdir) $(imc_scanner_la_OBJECTS) $(imc_scanner_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index 34c9359fe..c87e827cd 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -16,17 +16,16 @@
#include "imc_scanner_state.h"
#include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_attr_request.h>
#include <ietf/ietf_attr_port_filter.h>
-#include <ietf/ietf_attr_assess_result.h>
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <stdio.h>
@@ -34,8 +33,9 @@
static const char imc_name[] = "Scanner";
-#define IMC_VENDOR_ID PEN_ITA
-#define IMC_SUBTYPE PA_SUBTYPE_ITA_SCANNER
+static pen_type_t msg_types[] = {
+ { PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
static imc_agent_t *imc_scanner;
@@ -52,8 +52,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
return TNC_RESULT_ALREADY_INITIALIZED;
}
- imc_scanner = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
- imc_id, actual_version);
+ imc_scanner = imc_agent_create(imc_name, msg_types, countof(msg_types),
+ imc_id, actual_version);
if (!imc_scanner)
{
return TNC_RESULT_FATAL;
@@ -112,6 +112,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
chunk_t line, token;
int n = 0;
bool success = FALSE;
+ const char system_v4[] = "127.0.1.1";
const char loopback_v4[] = "127.0.0.1";
const char loopback_v6[] = "::1";
@@ -119,12 +120,12 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
file = popen("/bin/netstat -n -l -p -4 -6 --inet", "r");
if (!file)
{
- DBG1(DBG_IMC, "Failed to run netstat command");
+ DBG1(DBG_IMC, "failed to run netstat command");
return FALSE;
}
/* Read the output a line at a time */
- while (fgets(buf, BUF_LEN-1, file))
+ while (fgets(buf, sizeof(buf), file))
{
u_char *pos;
u_int8_t new_protocol, protocol;
@@ -145,7 +146,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
/* Extract the IP protocol type */
if (!extract_token(&token, ' ', &line))
{
- DBG1(DBG_IMC, "Protocol field in netstat output not found");
+ DBG1(DBG_IMC, "protocol field in netstat output not found");
goto end;
}
if (match("tcp", &token) || match("tcp6", &token))
@@ -158,7 +159,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
}
else
{
- DBG1(DBG_IMC, "Skipped unknown IP protocol in netstat output");
+ DBG1(DBG_IMC, "skipped unknown IP protocol in netstat output");
continue;
}
@@ -173,7 +174,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
}
if (token.len == 0)
{
- DBG1(DBG_IMC, "Local Address field in netstat output not found");
+ DBG1(DBG_IMC, "local address field in netstat output not found");
goto end;
}
@@ -182,13 +183,16 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
while (*--pos != ':' && --token.len);
if (*pos != ':')
{
- DBG1(DBG_IMC, "Local port field in netstat output not found");
+ DBG1(DBG_IMC, "local port field in netstat output not found");
goto end;
}
token.len--;
- /* ignore ports of IPv4 and IPv6 loopback interfaces */
- if ((token.len == strlen(loopback_v4) &&
+ /* ignore ports of IPv4 and IPv6 loopback interfaces
+ and the internal system IPv4 address */
+ if ((token.len == strlen(system_v4) &&
+ memeq(system_v4, token.ptr, token.len)) ||
+ (token.len == strlen(loopback_v4) &&
memeq(loopback_v4, token.ptr, token.len)) ||
(token.len == strlen(loopback_v6) &&
memeq(loopback_v6, token.ptr, token.len)))
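Review bot: With the new `system_v4` test a listener bound to 127.0.1.1 is left out of the port filter attribute, but the comment only calls it "the internal system IPv4 address" and does not say why it is safe to ignore. If the intent is the address that Debian-style /etc/hosts files assign to the local hostname, say so, e.g. `/* 127.0.1.1: local hostname alias from /etc/hosts, loopback only */`. All of 127.0.0.0/8 is loopback, so a prefix test such as `(token.len > 4 && memeq("127.", token.ptr, 4))` would cover both IPv4 strings and any other 127.x listener without adding one exact-match clause per address. The body of this `if` and the declarations of the three strings are outside the hunk.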
@@ -229,12 +233,13 @@ end:
return success;
}
-static TNC_Result send_message(TNC_ConnectionID connection_id)
+/**
+ * Add IETF Port Filter attribute to the send queue
+ */
+static TNC_Result add_port_filter(imc_msg_t *msg)
{
- linked_list_t *attr_list;
pa_tnc_attr_t *attr;
ietf_attr_port_filter_t *attr_port_filter;
- TNC_Result result;
attr = ietf_attr_port_filter_create();
attr->set_noskip_flag(attr, TRUE);
@@ -244,13 +249,9 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
attr->destroy(attr);
return TNC_RESULT_FATAL;
}
- attr_list = linked_list_create();
- attr_list->insert_last(attr_list, attr);
- result = imc_scanner->send_message(imc_scanner, connection_id, FALSE, 0,
- TNC_IMVID_ANY, attr_list);
- attr_list->destroy(attr_list);
+ msg->add_attribute(msg, attr);
- return result;
+ return TNC_RESULT_SUCCESS;
}
/**
@@ -259,85 +260,103 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
TNC_ConnectionID connection_id)
{
- if (!imc_scanner)
- {
- DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
- return TNC_RESULT_NOT_INITIALIZED;
- }
- return send_message(connection_id);
-}
-
-static TNC_Result receive_message(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id,
- TNC_UInt32 dst_imc_id)
-{
- pa_tnc_msg_t *pa_tnc_msg;
- pa_tnc_attr_t *attr;
- pen_type_t attr_type;
imc_state_t *state;
- enumerator_t *enumerator;
- TNC_Result result;
- TNC_UInt32 target_imc_id;
- bool fatal_error;
+ imc_msg_t *out_msg;
+ TNC_Result result = TNC_RESULT_SUCCESS;
if (!imc_scanner)
{
DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
return TNC_RESULT_NOT_INITIALIZED;
}
-
- /* get current IMC state */
if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
{
return TNC_RESULT_FATAL;
}
+ if (lib->settings->get_bool(lib->settings,
+ "libimcv.plugins.imc-scanner.push_info", TRUE))
+ {
+ out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
+ TNC_IMVID_ANY, msg_types[0]);
+ result = add_port_filter(out_msg);
+ if (result == TNC_RESULT_SUCCESS)
+ {
+ /* send PA-TNC message with the excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ }
+ out_msg->destroy(out_msg);
+ }
- /* parse received PA-TNC message and automatically handle any errors */
- result = imc_scanner->receive_message(imc_scanner, state, msg, msg_vid,
- msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
+ return result;
+}
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
+static TNC_Result receive_message(imc_msg_t *in_msg)
+{
+ imc_msg_t *out_msg;
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t attr_type;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+ bool fatal_error = FALSE;
+
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
{
return result;
}
- target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
-
- /* preprocess any IETF standard error attributes */
- fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
+ out_msg = imc_msg_create_as_reply(in_msg);
/* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
while (enumerator->enumerate(enumerator, &attr))
{
attr_type = attr->get_type(attr);
- if (attr_type.vendor_id == PEN_IETF &&
- attr_type.type == IETF_ATTR_ASSESSMENT_RESULT)
+ if (attr_type.vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ if (attr_type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
{
- ietf_attr_assess_result_t *ietf_attr;
+ ietf_attr_attr_request_t *attr_cast;
+ pen_type_t *entry;
+ enumerator_t *e;
- ietf_attr = (ietf_attr_assess_result_t*)attr;
- state->set_result(state, target_imc_id,
- ietf_attr->get_result(ietf_attr));
+ attr_cast = (ietf_attr_attr_request_t*)attr;
+
+ e = attr_cast->create_enumerator(attr_cast);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ switch (entry->type)
+ {
+ case IETF_ATTR_PORT_FILTER:
+ result = add_port_filter(out_msg);
+ break;
+ default:
+ break;
+ }
+ }
+ e->destroy(e);
}
}
enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
if (fatal_error)
{
- return TNC_RESULT_FATAL;
+ result = TNC_RESULT_FATAL;
}
+ else if (result == TNC_RESULT_SUCCESS)
+ {
+ result = out_msg->send(out_msg, TRUE);
+ }
+ out_msg->destroy(out_msg);
- /* if no assessment result is known then repeat the measurement */
- return state->get_result(state, target_imc_id, NULL) ?
- TNC_RESULT_SUCCESS : send_message(connection_id);
+ return result;
}
/**
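Review bot: In the new receive_message() the inner loop assigns `result = add_port_filter(out_msg)` for every IETF_ATTR_PORT_FILTER entry in the attribute request, so a failed call can be overwritten by a later successful one and the reply is then sent as if nothing had gone wrong. Each repeated entry also runs add_port_filter() again (which presumably calls do_netstat() and so spawns netstat) and queues a duplicate attribute, so the IMV can make the client repeat the scan as often as it lists the type. Add the attribute at most once and stop at the first failure, e.g. guard the case with `if (!port_filter_added && result == TNC_RESULT_SUCCESS)` and set `port_filter_added = TRUE;` after the call. The same one-add-per-entry loop is in receive_message() of imc_os.c, where a repeated IETF_ATTR_INSTALLED_PACKAGES entry re-enumerates the whole package list each time.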
@@ -350,14 +369,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_scanner)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ in_msg = imc_msg_create_from_data(imc_scanner, state, connection_id,
+ msg_type, chunk_create(msg, msg_len));
+ result = receive_message(in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMCID_ANY);
+ return result;
}
/**
@@ -373,9 +404,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
TNC_UInt32 src_imv_id,
TNC_UInt32 dst_imc_id)
{
- return receive_message(imc_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imv_id, dst_imc_id);
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_scanner)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imc_msg_create_from_long_data(imc_scanner, state, connection_id,
+ src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result = receive_message(in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
}
/**
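Review bot: `msg_flags` is no longer referenced after this change: the removed call forwarded it to `receive_message()`, while `imc_msg_create_from_long_data()` receives only the IDs, vendor ID, subtype and payload. If ignoring the flags on receive is intended, say so next to the call, for example `/* msg_flags is intentionally not evaluated on receive */`; otherwise the value needs to reach the message object. The TNC_IMC_ReceiveMessageLong hunk in imc_test.c drops the parameter in the same way. The function's signature starts outside this hunk.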
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner_state.c b/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
index 991b24a73..b5a6cdd20 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
@@ -17,7 +17,7 @@
#include <tncif_names.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_imc_scanner_state_t private_imc_scanner_state_t;
@@ -109,8 +109,6 @@ METHOD(imc_state_t, set_result, void,
private_imc_scanner_state_t *this, TNC_IMCID id,
TNC_IMV_Evaluation_Result result)
{
- DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
- id, TNC_IMV_Evaluation_Result_names, result);
this->result = result;
}
@@ -157,7 +155,7 @@ imc_state_t *imc_scanner_state_create(TNC_ConnectionID connection_id)
.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
.connection_id = connection_id,
);
-
+
return &this->public.interface;
}
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 8e37e7e9e..51878adc0 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(imcvdir)"
LTLIBRARIES = $(imcv_LTLIBRARIES)
imc_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES)
+imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES) $(EXTRA_imc_test_la_DEPENDENCIES)
$(imc_test_la_LINK) -rpath $(imcvdir) $(imc_test_la_OBJECTS) $(imc_test_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c
index ee8e5b206..c97d41628 100644
--- a/src/libimcv/plugins/imc_test/imc_test.c
+++ b/src/libimcv/plugins/imc_test/imc_test.c
@@ -16,10 +16,8 @@
#include "imc_test_state.h"
#include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_assess_result.h>
#include <ita/ita_attr.h>
#include <ita/ita_attr_command.h>
#include <ita/ita_attr_dummy.h>
@@ -27,17 +25,18 @@
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
/* IMC definitions */
static const char imc_name[] = "Test";
-#define IMC_VENDOR_ID PEN_ITA
-#define IMC_SUBTYPE PA_SUBTYPE_ITA_TEST
+static pen_type_t msg_types[] = {
+ { PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
static imc_agent_t *imc_test;
-
+
/**
* see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
*/
@@ -51,7 +50,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
return TNC_RESULT_ALREADY_INITIALIZED;
}
- imc_test = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+ imc_test = imc_agent_create(imc_name, msg_types, countof(msg_types),
imc_id, actual_version);
if (!imc_test)
{
@@ -182,36 +181,24 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
}
}
-static TNC_Result send_message(imc_state_t *state, TNC_UInt32 src_imc_id,
- TNC_UInt32 dst_imv_id)
+static TNC_Result send_message(imc_state_t *state, imc_msg_t *out_msg)
{
imc_test_state_t *test_state;
- linked_list_t *attr_list;
pa_tnc_attr_t *attr;
- bool excl;
- TNC_ConnectionID connection_id;
- TNC_Result result;
- attr_list = linked_list_create();
- connection_id = state->get_connection_id(state);
test_state = (imc_test_state_t*)state;
-
if (test_state->get_dummy_size(test_state))
{
attr = ita_attr_dummy_create(test_state->get_dummy_size(test_state));
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
}
attr = ita_attr_command_create(test_state->get_command(test_state));
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
-
- excl = dst_imv_id != TNC_IMVID_ANY;
- result = imc_test->send_message(imc_test, connection_id, excl, src_imc_id,
- dst_imv_id, attr_list);
- attr_list->destroy(attr_list);
+ out_msg->add_attribute(out_msg, attr);
- return result;
+ /* send PA-TNC message with the excl flag set */
+ return out_msg->send(out_msg, TRUE);
}
/**
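Review bot: `out_msg->send(out_msg, TRUE)` now requests exclusive delivery unconditionally, whereas the removed code computed `excl = dst_imv_id != TNC_IMVID_ANY`. The handshake callers in this file create `out_msg` with `TNC_IMVID_ANY`, so unless `send()` itself clears the flag for a wildcard destination (not visible here), the excl flag would be set on a message with no specific recipient. Once that is confirmed, the comment should state it, e.g. `/* excl is only honoured by imc_msg when the destination is a specific IMV */`; if it is not the case, the old condition belongs back at the call site.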
@@ -221,6 +208,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
TNC_ConnectionID connection_id)
{
imc_state_t *state;
+ imc_msg_t *out_msg;
enumerator_t *enumerator;
void *pointer;
TNC_UInt32 additional_id;
@@ -231,15 +219,16 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
return TNC_RESULT_NOT_INITIALIZED;
}
-
- /* get current IMC state */
if (!imc_test->get_state(imc_test, connection_id, &state))
{
return TNC_RESULT_FATAL;
}
/* send PA message for primary IMC ID */
- result = send_message(state, imc_id, TNC_IMVID_ANY);
+ out_msg = imc_msg_create(imc_test, state, connection_id, imc_id,
+ TNC_IMVID_ANY, msg_types[0]);
+ result = send_message(state, out_msg);
+ out_msg->destroy(out_msg);
/* Exit if there are no additional IMC IDs */
if (!imc_test->count_additional_ids(imc_test))
@@ -262,93 +251,60 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
{
/* interpret pointer as scalar value */
additional_id = (TNC_UInt32)pointer;
- result = send_message(state, additional_id, TNC_IMVID_ANY);
+ out_msg = imc_msg_create(imc_test, state, connection_id, additional_id,
+ TNC_IMVID_ANY, msg_types[0]);
+ result = send_message(state, out_msg);
+ out_msg->destroy(out_msg);
}
enumerator->destroy(enumerator);
return result;
}
-static TNC_Result receive_message(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id,
- TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
{
- pa_tnc_msg_t *pa_tnc_msg;
+ imc_msg_t *out_msg;
+ enumerator_t *enumerator;
pa_tnc_attr_t *attr;
pen_type_t attr_type;
- imc_state_t *state;
- enumerator_t *enumerator;
TNC_Result result;
- TNC_UInt32 target_imc_id;
bool fatal_error = FALSE;
- if (!imc_test)
- {
- DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
- return TNC_RESULT_NOT_INITIALIZED;
- }
-
- /* get current IMC state */
- if (!imc_test->get_state(imc_test, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
-
- /* parse received PA-TNC message and automatically handle any errors */
- result = imc_test->receive_message(imc_test, state, msg, msg_vid,
- msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
-
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
{
return result;
}
- target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
-
- /* preprocess any IETF standard error attributes */
- fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
/* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
while (enumerator->enumerate(enumerator, &attr))
{
attr_type = attr->get_type(attr);
- if (attr_type.vendor_id == PEN_IETF)
+ if (attr_type.vendor_id != PEN_ITA)
{
- ietf_attr_assess_result_t *ietf_attr;
-
- ietf_attr = (ietf_attr_assess_result_t*)attr;
- state->set_result(state, target_imc_id,
- ietf_attr->get_result(ietf_attr));
+ continue;
}
- else if (attr_type.vendor_id == PEN_ITA)
+ if (attr_type.type == ITA_ATTR_COMMAND)
{
- if (attr_type.type == ITA_ATTR_COMMAND)
- {
- ita_attr_command_t *ita_attr;
+ ita_attr_command_t *ita_attr;
- ita_attr = (ita_attr_command_t*)attr;
- DBG1(DBG_IMC, "received command '%s'",
- ita_attr->get_command(ita_attr));
- }
- else if (attr_type.type == ITA_ATTR_DUMMY)
- {
- ita_attr_dummy_t *ita_attr;
+ ita_attr = (ita_attr_command_t*)attr;
+ DBG1(DBG_IMC, "received command '%s'",
+ ita_attr->get_command(ita_attr));
+ }
+ else if (attr_type.type == ITA_ATTR_DUMMY)
+ {
+ ita_attr_dummy_t *ita_attr;
- ita_attr = (ita_attr_dummy_t*)attr;
- DBG1(DBG_IMC, "received dummy attribute value (%d bytes)",
- ita_attr->get_size(ita_attr));
- }
+ ita_attr = (ita_attr_dummy_t*)attr;
+ DBG1(DBG_IMC, "received dummy attribute value (%d bytes)",
+ ita_attr->get_size(ita_attr));
}
}
enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
if (fatal_error)
{
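Review bot: In the additional-ID loop at the top of this hunk, `result` is overwritten on every iteration, so a failed `send_message()` for one ID is masked when a later ID succeeds and TNC_IMC_BeginHandshake returns success. Stopping at the first failure keeps the error visible: after `out_msg->destroy(out_msg);` add `if (result != TNC_RESULT_SUCCESS) { break; }`, which still reaches `enumerator->destroy(enumerator)`. The result of the primary-ID send in the preceding hunk appears to be discarded the same way once additional IDs exist. The loop header lies outside this hunk.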
@@ -356,8 +312,15 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
}
/* if no assessment result is known then repeat the measurement */
- return state->get_result(state, target_imc_id, NULL) ?
- TNC_RESULT_SUCCESS : send_message(state, dst_imc_id, src_imv_id);
+ if (state->get_result(state, in_msg->get_dst_id(in_msg), NULL))
+ {
+ return TNC_RESULT_SUCCESS;
+ }
+ out_msg = imc_msg_create_as_reply(in_msg);
+ result = send_message(state, out_msg);
+ out_msg->destroy(out_msg);
+
+ return result;
}
/**
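Review bot: The assessment lookup is now keyed on `in_msg->get_dst_id(in_msg)`, while the removed code first mapped `TNC_IMCID_ANY` to `imc_id` through `target_imc_id`. Since `set_result()` is no longer called in this function, both the stored result and a concrete destination ID have to come from `in_msg->receive()` and the message object, neither of which is visible here. If `get_dst_id()` can return `TNC_IMCID_ANY`, `get_result()` would presumably miss and the IMC would answer every incoming message with a new measurement. A comment above the check stating the invariant would help, e.g. `/* dst_id is a concrete IMC ID here; the result is stored by in_msg->receive() */`. The function body starts outside this hunk.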
@@ -369,14 +332,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_test)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_test->get_state(imc_test, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ in_msg = imc_msg_create_from_data(imc_test, state, connection_id, msg_type,
+ chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMCID_ANY);
+ return result;
}
/**
@@ -392,9 +367,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
TNC_UInt32 src_imv_id,
TNC_UInt32 dst_imc_id)
{
- return receive_message(imc_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imv_id, dst_imc_id);
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_test)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_test->get_state(imc_test, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imc_msg_create_from_long_data(imc_test, state, connection_id,
+ src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
}
/**
diff --git a/src/libimcv/plugins/imc_test/imc_test_state.c b/src/libimcv/plugins/imc_test/imc_test_state.c
index e70eb1492..e7beca0aa 100644
--- a/src/libimcv/plugins/imc_test/imc_test_state.c
+++ b/src/libimcv/plugins/imc_test/imc_test_state.c
@@ -17,8 +17,8 @@
#include <tncif_names.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
typedef struct private_imc_test_state_t private_imc_test_state_t;
typedef struct entry_t entry_t;
@@ -82,7 +82,7 @@ struct private_imc_test_state_t {
* Do a handshake retry
*/
bool handshake_retry;
-
+
};
/**
@@ -144,9 +144,6 @@ METHOD(imc_state_t, set_result, void,
entry_t *entry;
bool found = FALSE;
- DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
- id, TNC_IMV_Evaluation_Result_names, result);
-
enumerator = this->results->create_enumerator(this->results);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -283,7 +280,7 @@ imc_state_t *imc_test_state_create(TNC_ConnectionID connection_id,
.first_handshake = TRUE,
.handshake_retry = retry,
);
-
+
return &this->public.interface;
}
diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am
new file mode 100644
index 000000000..58edc6963
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/Makefile.am
@@ -0,0 +1,24 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+
+imcv_LTLIBRARIES = imv-os.la
+
+imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imv_os_la_SOURCES = \
+ imv_os.c imv_os_state.h imv_os_state.c \
+ imv_os_database.c imv_os_database.h
+
+imv_os_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = pacman
+pacman_SOURCES = pacman.c
+pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pacman.o : $(top_builddir)/config.status
+
+EXTRA_DIST = pacman.sh
+
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
new file mode 100644
index 000000000..53a547a4d
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -0,0 +1,684 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pacman$(EXEEXT)
+subdir = src/libimcv/plugins/imv_os
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(imcv_LTLIBRARIES)
+imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+am_imv_os_la_OBJECTS = imv_os.lo imv_os_state.lo imv_os_database.lo
+imv_os_la_OBJECTS = $(am_imv_os_la_OBJECTS)
+imv_os_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@
+PROGRAMS = $(ipsec_PROGRAMS)
+am_pacman_OBJECTS = pacman.$(OBJEXT)
+pacman_OBJECTS = $(am_pacman_OBJECTS)
+pacman_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+DIST_SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+imcv_LTLIBRARIES = imv-os.la
+imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imv_os_la_SOURCES = \
+ imv_os.c imv_os_state.h imv_os_state.c \
+ imv_os_database.c imv_os_database.h
+
+imv_os_la_LDFLAGS = -module -avoid-version
+pacman_SOURCES = pacman.c
+pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+EXTRA_DIST = pacman.sh
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imv_os/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libimcv/plugins/imv_os/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
+ @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
+ }
+
+uninstall-imcvLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
+ done
+
+clean-imcvLTLIBRARIES:
+ -test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
+ @list='$(imcv_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES)
+ $(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES)
+ @rm -f pacman$(EXEEXT)
+ $(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \
+ clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool ctags \
+ distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am \
+ install-imcvLTLIBRARIES install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-imcvLTLIBRARIES \
+ uninstall-ipsecPROGRAMS
+
+pacman.o : $(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c
new file mode 100644
index 000000000..65538df07
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os.c
@@ -0,0 +1,590 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_state.h"
+#include "imv_os_database.h"
+
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_remediation_instr.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+#include <utils/lexparser.h>
+
+/* IMV definitions */
+
+static const char imv_name[] = "OS";
+
+static pen_type_t msg_types[] = {
+ { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static imv_agent_t *imv_os;
+
+/**
+ * IMV OS database
+ */
+static imv_os_database_t *os_db;
+
+/*
+ * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
+ TNC_Version min_version,
+ TNC_Version max_version,
+ TNC_Version *actual_version)
+{
+ char *uri;
+
+ if (imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
+ return TNC_RESULT_ALREADY_INITIALIZED;
+ }
+ imv_os = imv_agent_create(imv_name, msg_types, countof(msg_types),
+ imv_id, actual_version);
+ if (!imv_os)
+ {
+ return TNC_RESULT_FATAL;
+ }
+ if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
+ {
+ DBG1(DBG_IMV, "no common IF-IMV version");
+ return TNC_RESULT_NO_COMMON_VERSION;
+ }
+
+ /* attach OS database */
+ uri = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imv-os.database", NULL);
+ if (uri)
+ {
+ os_db = imv_os_database_create(uri);
+ }
+
+ return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_ConnectionState new_state)
+{
+ imv_state_t *state;
+
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ switch (new_state)
+ {
+ case TNC_CONNECTION_STATE_CREATE:
+ state = imv_os_state_create(connection_id);
+ return imv_os->create_state(imv_os, state);
+ case TNC_CONNECTION_STATE_DELETE:
+ return imv_os->delete_state(imv_os, connection_id);
+ default:
+ return imv_os->change_state(imv_os, connection_id,
+ new_state, NULL);
+ }
+}
+
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
+{
+ imv_msg_t *out_msg;
+ imv_os_state_t *os_state;
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t type;
+ TNC_Result result;
+ chunk_t os_name = chunk_empty;
+ chunk_t os_version = chunk_empty;
+ bool fatal_error = FALSE, assessment = FALSE;
+ char non_market_apps_str[] = "install_non_market_apps";
+ char android_id_str[] = "android_id";
+ char machine_id_str[] = "/var/lib/dbus/machine-id";
+
+ os_state = (imv_os_state_t*)state;
+
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+
+ out_msg = imv_msg_create_as_reply(in_msg);
+
+ /* analyze PA-TNC attributes */
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ type = attr->get_type(attr);
+
+ if (type.vendor_id == PEN_IETF)
+ {
+ switch (type.type)
+ {
+ case IETF_ATTR_PRODUCT_INFORMATION:
+ {
+ ietf_attr_product_info_t *attr_cast;
+ pen_t vendor_id;
+
+ attr_cast = (ietf_attr_product_info_t*)attr;
+ os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
+ if (vendor_id != PEN_IETF)
+ {
+ DBG1(DBG_IMV, "operating system name is '%.*s' "
+ "from vendor %N", os_name.len, os_name.ptr,
+ pen_names, vendor_id);
+ }
+ else
+ {
+ DBG1(DBG_IMV, "operating system name is '%.*s'",
+ os_name.len, os_name.ptr);
+ }
+ break;
+ }
+ case IETF_ATTR_STRING_VERSION:
+ {
+ ietf_attr_string_version_t *attr_cast;
+
+ attr_cast = (ietf_attr_string_version_t*)attr;
+ os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+ if (os_version.len)
+ {
+ DBG1(DBG_IMV, "operating system version is '%.*s'",
+ os_version.len, os_version.ptr);
+ }
+ break;
+ }
+ case IETF_ATTR_NUMERIC_VERSION:
+ {
+ ietf_attr_numeric_version_t *attr_cast;
+ u_int32_t major, minor;
+
+ attr_cast = (ietf_attr_numeric_version_t*)attr;
+ attr_cast->get_version(attr_cast, &major, &minor);
+ DBG1(DBG_IMV, "operating system numeric version is %d.%d",
+ major, minor);
+ break;
+ }
+ case IETF_ATTR_OPERATIONAL_STATUS:
+ {
+ ietf_attr_op_status_t *attr_cast;
+ op_status_t op_status;
+ op_result_t op_result;
+ time_t last_boot;
+
+ attr_cast = (ietf_attr_op_status_t*)attr;
+ op_status = attr_cast->get_status(attr_cast);
+ op_result = attr_cast->get_result(attr_cast);
+ last_boot = attr_cast->get_last_use(attr_cast);
+ DBG1(DBG_IMV, "operational status: %N, result: %N",
+ op_status_names, op_status, op_result_names, op_result);
+ DBG1(DBG_IMV, "last boot: %T", &last_boot, TRUE);
+ break;
+ }
+ case IETF_ATTR_FORWARDING_ENABLED:
+ {
+ ietf_attr_fwd_enabled_t *attr_cast;
+ os_fwd_status_t fwd_status;
+
+ attr_cast = (ietf_attr_fwd_enabled_t*)attr;
+ fwd_status = attr_cast->get_status(attr_cast);
+ DBG1(DBG_IMV, "IPv4 forwarding status: %N",
+ os_fwd_status_names, fwd_status);
+ if (fwd_status == OS_FWD_ENABLED)
+ {
+ os_state->set_os_settings(os_state,
+ OS_SETTINGS_FWD_ENABLED);
+ }
+ break;
+ }
+ case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+ {
+ ietf_attr_default_pwd_enabled_t *attr_cast;
+ bool default_pwd_status;
+
+ attr_cast = (ietf_attr_default_pwd_enabled_t*)attr;
+ default_pwd_status = attr_cast->get_status(attr_cast);
+ DBG1(DBG_IMV, "factory default password: %sabled",
+ default_pwd_status ? "en":"dis");
+ if (default_pwd_status)
+ {
+ os_state->set_os_settings(os_state,
+ OS_SETTINGS_DEFAULT_PWD_ENABLED);
+ }
+ break;
+ }
+ case IETF_ATTR_INSTALLED_PACKAGES:
+ {
+ ietf_attr_installed_packages_t *attr_cast;
+ enumerator_t *e;
+ status_t status;
+
+ /* Received at least one Installed Packages attribute */
+ os_state->set_package_request(os_state, FALSE);
+
+ if (!os_db)
+ {
+ break;
+ }
+ attr_cast = (ietf_attr_installed_packages_t*)attr;
+
+ e = attr_cast->create_enumerator(attr_cast);
+ status = os_db->check_packages(os_db, os_state, e);
+ e->destroy(e);
+
+ if (status == FAILED)
+ {
+ state->set_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
+ assessment = TRUE;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ else if (type.vendor_id == PEN_ITA)
+ {
+ switch (type.type)
+ {
+ case ITA_ATTR_SETTINGS:
+ {
+ ita_attr_settings_t *attr_cast;
+ enumerator_t *e;
+ char *name;
+ chunk_t value;
+
+ attr_cast = (ita_attr_settings_t*)attr;
+ e = attr_cast->create_enumerator(attr_cast);
+ while (e->enumerate(e, &name, &value))
+ {
+ if (streq(name, non_market_apps_str) &&
+ chunk_equals(value, chunk_from_chars('1')))
+ {
+ os_state->set_os_settings(os_state,
+ OS_SETTINGS_NON_MARKET_APPS);
+ }
+ else if ((streq(name, android_id_str) ||
+ streq(name, machine_id_str)) && os_db)
+ {
+ os_state->set_device_id(os_state,
+ os_db->get_device_id(os_db, value));
+ }
+ DBG1(DBG_IMV, "setting '%s'\n %.*s",
+ name, value.len, value.ptr);
+ }
+ e->destroy(e);
+ break;
+ }
+ case ITA_ATTR_START_ANGEL:
+ os_state->set_angel_count(os_state, TRUE);
+ break;
+ case ITA_ATTR_STOP_ANGEL:
+ os_state->set_angel_count(os_state, FALSE);
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (os_name.len && os_version.len)
+ {
+ os_type_t os_type;
+ ita_attr_get_settings_t *attr_cast;
+
+ /* set the OS type, name and version */
+ os_type = os_type_from_name(os_name);
+ os_state->set_info(os_state,os_type, os_name, os_version);
+
+ /* requesting installed packages */
+ os_state->set_package_request(os_state, TRUE);
+ attr = ietf_attr_attr_request_create(PEN_IETF,
+ IETF_ATTR_INSTALLED_PACKAGES);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* requesting Android or Linux settings */
+ attr = ita_attr_get_settings_create();
+ attr_cast = (ita_attr_get_settings_t*)attr;
+
+ if (os_type == OS_TYPE_ANDROID)
+ {
+ attr_cast->add(attr_cast, android_id_str);
+ attr_cast->add(attr_cast, non_market_apps_str);
+ }
+ else
+ {
+ attr_cast->add(attr_cast, machine_id_str);
+ attr_cast->add(attr_cast, "/proc/sys/kernel/tainted");
+ }
+ out_msg->add_attribute(out_msg, attr);
+ }
+
+ if (fatal_error)
+ {
+ state->set_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
+ assessment = TRUE;
+ }
+
+ /* If all Installed Packages attributes were received, go to assessment */
+ if (!assessment &&
+ !os_state->get_package_request(os_state) &&
+ !os_state->get_angel_count(os_state))
+ {
+ int device_id, count, count_update, count_blacklist, count_ok;
+ u_int os_settings;
+
+ os_settings = os_state->get_os_settings(os_state);
+ os_state->get_count(os_state, &count, &count_update, &count_blacklist,
+ &count_ok);
+ DBG1(DBG_IMV, "processed %d packages: %d not updated, %d blacklisted, "
+ "%d ok, %d not found", count, count_update, count_blacklist,
+ count_ok, count - count_update - count_blacklist - count_ok);
+
+ /* Store device information in database */
+ device_id = os_state->get_device_id(os_state);
+ if (os_db && device_id)
+ {
+ os_db->set_device_info(os_db, device_id,
+ os_state->get_info(os_state, NULL, NULL, NULL),
+ count, count_update, count_blacklist, os_settings);
+ }
+
+ if (count_update || count_blacklist || os_settings)
+ {
+ state->set_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
+ }
+ else
+ {
+ state->set_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+ TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+ }
+ assessment = TRUE;
+ }
+
+ if (assessment)
+ {
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_os->provide_recommendation(imv_os, state);
+ }
+
+ /* send PA-TNC message with excl flag set */
+ result = out_msg->send(out_msg, TRUE);
+ out_msg->destroy(out_msg);
+
+ return result;
+ }
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_MessageType msg_type)
+{
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_os->get_state(imv_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_data(imv_os, state, connection_id, msg_type,
+ chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 msg_flags,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 src_imc_id,
+ TNC_UInt32 dst_imv_id)
+{
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_os->get_state(imv_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_long_data(imv_os, state, connection_id,
+ src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id)
+{
+ imv_state_t *state;
+
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_os->get_state(imv_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ return imv_os->provide_recommendation(imv_os, state);
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id)
+{
+ imv_state_t *state;
+ imv_os_state_t *os_state;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_os->get_state(imv_os, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ os_state = (imv_os_state_t*)state;
+
+ if (os_state->get_info(os_state, NULL, NULL, NULL) == NULL)
+ {
+ imv_msg_t *out_msg;
+ pa_tnc_attr_t *attr;
+ ietf_attr_attr_request_t *attr_cast;
+
+ out_msg = imv_msg_create(imv_os, state, connection_id, imv_id,
+ TNC_IMCID_ANY, msg_types[0]);
+ attr = ietf_attr_attr_request_create(PEN_IETF,
+ IETF_ATTR_PRODUCT_INFORMATION);
+ attr_cast = (ietf_attr_attr_request_t*)attr;
+ attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
+ attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_NUMERIC_VERSION);
+ attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS);
+ attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
+ attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* send PA-TNC message with excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ out_msg->destroy(out_msg);
+ }
+
+ return result;
+}
+
+/**
+ * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
+{
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ DESTROY_IF(os_db);
+
+ imv_os->destroy(imv_os);
+ imv_os = NULL;
+
+ return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
+ TNC_TNCS_BindFunctionPointer bind_function)
+{
+ if (!imv_os)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ return imv_os->bind_functions(imv_os, bind_function);
+}
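Review bot: A missing or unreachable OS database fails open in this file. TNC_IMV_Initialize ignores a NULL return from `imv_os_database_create(uri)` and still returns TNC_RESULT_SUCCESS, and the IETF_ATTR_INSTALLED_PACKAGES case in receive_message simply `break`s when `os_db` is NULL after clearing the package request. The final assessment then runs on package counters that were never filled (presumably zero), and unless an OS settings flag was raised it ends in `TNC_IMV_ACTION_RECOMMENDATION_ALLOW`. The same path is taken when `check_packages` returns a status other than FAILED, for example NOT_FOUND for an unknown product. If a configured database is meant to be mandatory, fail initialization with `if (uri && !os_db) { return TNC_RESULT_FATAL; }` and test `status != SUCCESS` rather than `status == FAILED`; TNC_IMV_Terminate should also add `os_db = NULL;` after `DESTROY_IF(os_db);` so that a later Initialize without a URI does not keep a stale pointer.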
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
new file mode 100644
index 000000000..c6db9953f
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -0,0 +1,311 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_database.h"
+
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_imv_os_database_t private_imv_os_database_t;
+
+/**
+ * Private data of a imv_os_database_t object.
+ *
+ */
+struct private_imv_os_database_t {
+
+ /**
+ * Public imv_os_database_t interface.
+ */
+ imv_os_database_t public;
+
+ /**
+ * database instance
+ */
+ database_t *db;
+
+};
+
+METHOD(imv_os_database_t, check_packages, status_t,
+ private_imv_os_database_t *this, imv_os_state_t *state,
+ enumerator_t *package_enumerator)
+{
+ char *product, *package, *release, *cur_release;
+ u_char *pos;
+ chunk_t os_name, os_version, name, version;
+ os_type_t os_type;
+ size_t os_version_len;
+ os_package_state_t package_state;
+ int pid, gid;
+ int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
+ enumerator_t *e;
+ status_t status = SUCCESS;
+ bool found, match;
+
+ state->get_info(state, &os_type, &os_name, &os_version);
+
+ if (os_type == OS_TYPE_ANDROID)
+ {
+ /*no package dependency on Android version */
+ product = strdup(enum_to_name(os_type_names, os_type));
+ }
+ else
+ {
+ /* remove appended platform info */
+ pos = memchr(os_version.ptr, ' ', os_version.len);
+ os_version_len = pos ? (pos - os_version.ptr) : os_version.len;
+ product = malloc(os_name.len + 1 + os_version_len + 1);
+ sprintf(product, "%.*s %.*s", (int)os_name.len, os_name.ptr,
+ (int)os_version_len, os_version.ptr);
+ }
+ DBG1(DBG_IMV, "processing installed '%s' packages", product);
+
+ /* Get primary key of product */
+ e = this->db->query(this->db,
+ "SELECT id FROM products WHERE name = ?",
+ DB_TEXT, product, DB_INT);
+ if (!e)
+ {
+ free(product);
+ return FAILED;
+ }
+ if (!e->enumerate(e, &pid))
+ {
+ e->destroy(e);
+ free(product);
+ return NOT_FOUND;
+ }
+ e->destroy(e);
+
+ while (package_enumerator->enumerate(package_enumerator, &name, &version))
+ {
+ /* Convert package name chunk to a string */
+ package = strndup(name.ptr, name.len);
+ count++;
+
+ /* Get primary key of package */
+ e = this->db->query(this->db,
+ "SELECT id FROM packages WHERE name = ?",
+ DB_TEXT, package, DB_INT);
+ if (!e)
+ {
+ free(product);
+ free(package);
+ return FAILED;
+ }
+ if (!e->enumerate(e, &gid))
+ {
+ /* package not present in database for any product - skip */
+ if (os_type == OS_TYPE_ANDROID)
+ {
+ DBG2(DBG_IMV, "package '%s' (%.*s) not found",
+ package, version.len, version.ptr);
+ }
+ free(package);
+ e->destroy(e);
+ continue;
+ }
+ e->destroy(e);
+
+ /* Convert package version chunk to a string */
+ release = strndup(version.ptr, version.len);
+
+ /* Enumerate over all acceptable versions */
+ e = this->db->query(this->db,
+ "SELECT release, security FROM versions "
+ "WHERE product = ? AND package = ?",
+ DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT);
+ if (!e)
+ {
+ free(product);
+ free(package);
+ free(release);
+ return FAILED;
+ }
+ found = FALSE;
+ match = FALSE;
+
+ while (e->enumerate(e, &cur_release, &package_state))
+ {
+ found = TRUE;
+ if (streq(release, cur_release) || streq("*", cur_release))
+ {
+ match = TRUE;
+ break;
+ }
+ }
+ e->destroy(e);
+
+ if (found)
+ {
+ if (match)
+ {
+ if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+ {
+ DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
+ package, release);
+ count_blacklist++;
+ state->add_bad_package(state, package, package_state);
+ }
+ else
+ {
+ DBG2(DBG_IMV, "package '%s' (%s)%N is ok", package, release,
+ os_package_state_names, package_state);
+ count_ok++;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
+ count_no_match++;
+ state->add_bad_package(state, package, package_state);
+ }
+ }
+ else
+ {
+ /* package not present in database for this product - skip */
+ }
+ free(package);
+ free(release);
+ }
+ free(product);
+ state->set_count(state, count, count_no_match, count_blacklist, count_ok);
+
+ return status;
+}
+
+METHOD(imv_os_database_t, get_device_id, int,
+ private_imv_os_database_t *this, chunk_t value)
+{
+ enumerator_t *e;
+ int id;
+
+ /* get primary key of device ID */
+ e = this->db->query(this->db, "SELECT id FROM devices WHERE value = ?",
+ DB_BLOB, value, DB_INT);
+ if (!e)
+ {
+ return 0;
+ }
+ if (e->enumerate(e, &id))
+ {
+ /* device ID already exists in database - return primary key */
+ e->destroy(e);
+ return id;
+ }
+
+ /* register new device ID in database and return primary key */
+ return (this->db->execute(this->db, &id,
+ "INSERT INTO devices (value) VALUES (?)", DB_BLOB, value) == 1) ?
+ id : 0;
+}
+
+METHOD(imv_os_database_t, set_device_info, void,
+ private_imv_os_database_t *this, int device_id, char *os_info,
+ int count, int count_update, int count_blacklist, u_int flags)
+{
+ enumerator_t *e;
+ time_t last_time;
+ int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+ u_int last_flags;
+ bool found = FALSE;
+
+ /* get primary key of OS info string if it exists */
+ e = this->db->query(this->db,
+ "SELECT id FROM products WHERE name = ?", DB_TEXT, os_info,
+ DB_INT);
+ if (e)
+ {
+ e->enumerate(e, &pid);
+ e->destroy(e);
+ }
+
+ /* if OS ifo string has not been found - register it */
+ if (!pid)
+ {
+ this->db->execute(this->db, &pid,
+ "INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
+ }
+
+ /* get latest device info record if it exists */
+ e = this->db->query(this->db,
+ "SELECT time, product, count_update, count_blacklist, flags "
+ "FROM device_infos WHERE device = ? ORDER BY time DESC",
+ DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
+ if (e)
+ {
+ found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
+ &last_count_blacklist, &last_flags);
+ e->destroy(e);
+ }
+ if (found && !last_count_update && !last_count_blacklist && !last_flags &&
+ pid == last_pid)
+ {
+ /* update device info */
+ this->db->execute(this->db, NULL,
+ "UPDATE device_infos SET time = ?, count = ?, count_update = ?, "
+ "count_blacklist = ?, flags = ? WHERE device = ? AND time = ?",
+ DB_UINT, time(NULL), DB_INT, count, DB_INT, count_update,
+ DB_INT, count_blacklist, DB_UINT, flags,
+ DB_INT, device_id, DB_UINT, last_time);
+ }
+ else
+ {
+ /* insert device info */
+ this->db->execute(this->db, NULL,
+ "INSERT INTO device_infos (device, time, product, count, "
+ "count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
+ DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
+ DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
+ DB_UINT, flags);
+ }
+}
+
+METHOD(imv_os_database_t, destroy, void,
+ private_imv_os_database_t *this)
+{
+ this->db->destroy(this->db);
+ free(this);
+}
+
+/**
+ * See header
+ */
+imv_os_database_t *imv_os_database_create(char *uri)
+{
+ private_imv_os_database_t *this;
+
+ INIT(this,
+ .public = {
+ .check_packages = _check_packages,
+ .get_device_id = _get_device_id,
+ .set_device_info = _set_device_info,
+ .destroy = _destroy,
+ },
+ .db = lib->db->create(lib->db, uri),
+ );
+
+ if (!this->db)
+ {
+ DBG1(DBG_IMV,
+ "failed to connect to OS database '%s'", uri);
+ free(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
+
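Review bot: get_device_id leaks the query enumerator when the device is not yet known, because `e->destroy(e)` is called only inside the `if (e->enumerate(e, &id))` branch and the function then falls through to the INSERT with `e` still open. The value being looked up is taken from a settings attribute sent by the peer (the caller is in imv_os.c), so every previously unseen ID leaks one enumerator, and depending on the database backend the open query may still hold a connection or lock while the INSERT runs. Add `e->destroy(e);` after the `if` block, before `this->db->execute(...)`. In set_device_info, `last_time` is declared `time_t` but is filled through a `DB_UINT` column, which may leave part of it unwritten where `time_t` is wider than `u_int`; a `u_int` local would avoid that.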
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
new file mode 100644
index 000000000..9ce748f9b
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_os_database_t imv_os_database
+ * @{ @ingroup imv_os_database
+ */
+
+#ifndef IMV_OS_DATABASE_H_
+#define IMV_OS_DATABASE_H_
+
+#include "imv_os_state.h"
+
+#include <library.h>
+
+typedef struct imv_os_database_t imv_os_database_t;
+
+/**
+ * Internal state of an imv_os_database_t instance
+ */
+struct imv_os_database_t {
+
+ /**
+ * Check Installed Packages for a given OS
+ *
+ * @param state OS IMV state
+ * @param package_enumerator enumerates over installed packages
+ */
+ status_t (*check_packages)(imv_os_database_t *this, imv_os_state_t *state,
+ enumerator_t *package_enumerator);
+
+ /**
+ * Get the primary database key of the device ID
+ *
+ * @param value Device ID value
+ */
+ int (*get_device_id)(imv_os_database_t *this, chunk_t value);
+
+ /**
+ * Set health infos for a given device
+ *
+ * @param device_id Device ID primary key
+ * @param os_info OS info string
+ * @param count Number of installed packages
+ * @param count_update Number of packages to be updated
+ * @param count_blacklist Number of blacklisted packages
+ * @param flags Various flags, e.g. illegal OS settings
+ */
+ void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
+ int count, int count_update, int count_blacklist,
+ u_int flags);
+
+ /**
+ * Destroys an imv_os_database_t object.
+ */
+ void (*destroy)(imv_os_database_t *this);
+
+};
+
+/**
+ * Create an imv_os_database_t instance
+ *
+ * @param uri database uri
+ */
+imv_os_database_t* imv_os_database_create(char *uri);
+
+#endif /** IMV_OS_DATABASE_H_ @}*/
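Review bot: The doc comments on `get_device_id` and `check_packages` omit `@return`, so a caller cannot tell from the header which `int` value means the device lookup failed or which `status_t` values a package check can yield. The key returned by `get_device_id` is what `set_device_info` takes as `device_id`, so add a line such as `@return primary database key of the device, <FAILURE_VALUE> on error` once the sentinel is confirmed against the implementation, which is not part of this hunk. The struct comment `Internal state of an imv_os_database_t instance` also reads as copied from a state class; `Public interface of the OS IMV database` would describe it better.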
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
new file mode 100644
index 000000000..ca6e050f7
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -0,0 +1,621 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+#include "imv/imv_remediation_string.h"
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+
+typedef struct private_imv_os_state_t private_imv_os_state_t;
+typedef struct package_entry_t package_entry_t;
+typedef struct entry_t entry_t;
+typedef struct instruction_entry_t instruction_entry_t;
+
+/**
+ * Private data of an imv_os_state_t object.
+ */
+struct private_imv_os_state_t {
+
+ /**
+ * Public members of imv_os_state_t
+ */
+ imv_os_state_t public;
+
+ /**
+ * TNCCS connection ID
+ */
+ TNC_ConnectionID connection_id;
+
+ /**
+ * TNCCS connection state
+ */
+ TNC_ConnectionState state;
+
+ /**
+ * Does the TNCCS connection support long message types?
+ */
+ bool has_long;
+
+ /**
+ * Does the TNCCS connection support exclusive delivery?
+ */
+ bool has_excl;
+
+ /**
+ * Maximum PA-TNC message size for this TNCCS connection
+ */
+ u_int32_t max_msg_len;
+
+ /**
+ * IMV action recommendation
+ */
+ TNC_IMV_Action_Recommendation rec;
+
+ /**
+ * IMV evaluation result
+ */
+ TNC_IMV_Evaluation_Result eval;
+
+ /**
+ * OS Product Information (concatenation of OS Name and Version)
+ */
+ char *info;
+
+ /**
+ * OS Type
+ */
+ os_type_t type;
+
+ /**
+ * OS Name
+ */
+ chunk_t name;
+
+ /**
+ * OS Version
+ */
+ chunk_t version;
+
+ /**
+ * List of blacklisted packages to be removed
+ */
+ linked_list_t *remove_packages;
+
+ /**
+ * List of vulnerable packages to be updated
+ */
+ linked_list_t *update_packages;
+
+ /**
+ * TNC Reason String
+ */
+ imv_reason_string_t *reason_string;
+
+ /**
+ * IETF Remediation Instructions String
+ */
+ imv_remediation_string_t *remediation_string;
+
+ /**
+ * Primary database key of device ID
+ */
+ int device_id;
+
+ /**
+ * Number of processed packages
+ */
+ int count;
+
+ /**
+ * Number of not updated packages
+ */
+ int count_update;
+
+ /**
+ * Number of blacklisted packages
+ */
+ int count_blacklist;
+
+ /**
+ * Number of whitelisted packages
+ */
+ int count_ok;
+
+ /**
+ * OS Installed Package request sent - mandatory response expected
+ */
+ bool package_request;
+
+ /**
+ * OS Settings
+ */
+ u_int os_settings;
+
+ /**
+ * Angel count
+ */
+ int angel_count;
+
+};
+
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "pl" };
+
+/**
+ * Reason strings for "OS settings"
+ */
+static imv_lang_string_t reason_settings[] = {
+ { "en", "Improper OS settings were detected" },
+ { "de", "Unzulässige OS Einstellungen wurden festgestellt" },
+ { "pl", "Stwierdzono niewłaściwe ustawienia OS" },
+ { NULL, NULL }
+};
+
+/**
+ * Reason strings for "installed software packages"
+ */
+static imv_lang_string_t reason_packages[] = {
+ { "en", "Vulnerable or blacklisted software packages were found" },
+ { "de", "Schwachstellenbehaftete oder gesperrte Softwarepakete wurden gefunden" },
+ { "pl", "Znaleziono pakiety podatne na atak lub będące na czarnej liście" },
+ { NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Software Security Updates"
+ */
+static imv_lang_string_t instr_update_packages_title[] = {
+ { "en", "Software Security Updates" },
+ { "de", "Software Sicherheitsupdates" },
+ { "pl", "Aktualizacja softwaru zabezpieczającego" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_update_packages_descr[] = {
+ { "en", "Packages with security vulnerabilities were found" },
+ { "de", "Softwarepakete mit Sicherheitsschwachstellen wurden gefunden" },
+ { "pl", "Znaleziono pakiety podatne na atak" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_update_packages_header[] = {
+ { "en", "Please update the following software packages:" },
+ { "de", "Bitte updaten Sie die folgenden Softwarepakete:" },
+ { "pl", "Proszę zaktualizować następujące pakiety:" },
+ { NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Blacklisted Software Packages"
+ */
+static imv_lang_string_t instr_remove_packages_title[] = {
+ { "en", "Blacklisted Software Packages" },
+ { "de", "Gesperrte Softwarepakete" },
+ { "pl", "Pakiety będące na czarnej liście" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_remove_packages_descr[] = {
+ { "en", "Dangerous software packages were found" },
+ { "de", "Gefährliche Softwarepakete wurden gefunden" },
+ { "pl", "Znaleziono niebezpieczne pakiety" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_remove_packages_header[] = {
+ { "en", "Please remove the following software packages:" },
+ { "de", "Bitte entfernen Sie die folgenden Softwarepakete:" },
+ { "pl", "Proszę usunąć następujące pakiety:" },
+ { NULL, NULL }
+};
+
+;/**
+ * Instruction strings for "Forwarding Enabled"
+ */
+static imv_lang_string_t instr_fwd_enabled_title[] = {
+ { "en", "IP Packet Forwarding" },
+ { "de", "Weiterleitung von IP Paketen" },
+ { "pl", "Przekazywanie pakietów IP" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_fwd_enabled_descr[] = {
+ { "en", "Please disable the forwarding of IP packets" },
+ { "de", "Bitte deaktivieren Sie das Forwarding von IP Paketen" },
+ { "pl", "Proszę zdezaktywować przekazywanie pakietów IP" },
+ { NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Default Password Enabled"
+ */
+static imv_lang_string_t instr_default_pwd_enabled_title[] = {
+ { "en", "Default Password" },
+ { "de", "Default Passwort" },
+ { "pl", "Hasło domyślne" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_default_pwd_enabled_descr[] = {
+ { "en", "Please change the default password" },
+ { "de", "Bitte ändern Sie das Default Passwort" },
+ { "pl", "Proszę zmienić domyślne hasło" },
+ { NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Install Non-Market Apps"
+ */
+static imv_lang_string_t instr_non_market_apps_title[] = {
+ { "en", "Unknown Software Origin" },
+ { "de", "Unbekannte Softwareherkunft" },
+ { "pl", "Nieznane pochodzenie softwaru" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_non_market_apps_descr[] = {
+ { "en", "Do not allow the installation of apps from unknown sources" },
+ { "de", "Erlauben Sie nicht die Installation von Apps aus unbekannten Quellen" },
+ { "pl", "Proszę nie dopuszczać do instalacji Apps z nieznanych źródeł" },
+ { NULL, NULL }
+};
+
+METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
+ private_imv_os_state_t *this)
+{
+ return this->connection_id;
+}
+
+METHOD(imv_state_t, has_long, bool,
+ private_imv_os_state_t *this)
+{
+ return this->has_long;
+}
+
+METHOD(imv_state_t, has_excl, bool,
+ private_imv_os_state_t *this)
+{
+ return this->has_excl;
+}
+
+METHOD(imv_state_t, set_flags, void,
+ private_imv_os_state_t *this, bool has_long, bool has_excl)
+{
+ this->has_long = has_long;
+ this->has_excl = has_excl;
+}
+
+METHOD(imv_state_t, set_max_msg_len, void,
+ private_imv_os_state_t *this, u_int32_t max_msg_len)
+{
+ this->max_msg_len = max_msg_len;
+}
+
+METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+ private_imv_os_state_t *this)
+{
+ return this->max_msg_len;
+}
+
+METHOD(imv_state_t, change_state, void,
+ private_imv_os_state_t *this, TNC_ConnectionState new_state)
+{
+ this->state = new_state;
+}
+
+METHOD(imv_state_t, get_recommendation, void,
+ private_imv_os_state_t *this, TNC_IMV_Action_Recommendation *rec,
+ TNC_IMV_Evaluation_Result *eval)
+{
+ *rec = this->rec;
+ *eval = this->eval;
+}
+
+METHOD(imv_state_t, set_recommendation, void,
+ private_imv_os_state_t *this, TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
+{
+ this->rec = rec;
+ this->eval = eval;
+}
+
+METHOD(imv_state_t, get_reason_string, bool,
+ private_imv_os_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *reason_string, char **reason_language)
+{
+ if (!this->count_update && !this->count_blacklist & !this->os_settings)
+ {
+ return FALSE;
+ }
+ *reason_language = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
+
+ /* Instantiate a TNC Reason String object */
+ DESTROY_IF(this->reason_string);
+ this->reason_string = imv_reason_string_create(*reason_language);
+
+ if (this->count_update || this->count_blacklist)
+ {
+ this->reason_string->add_reason(this->reason_string, reason_packages);
+ }
+ if (this->os_settings)
+ {
+ this->reason_string->add_reason(this->reason_string, reason_settings);
+ }
+ *reason_string = this->reason_string->get_encoding(this->reason_string);
+
+ return TRUE;
+}
+
+METHOD(imv_state_t, get_remediation_instructions, bool,
+ private_imv_os_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *string, char **lang_code, char **uri)
+{
+ if (!this->count_update && !this->count_blacklist & !this->os_settings)
+ {
+ return FALSE;
+ }
+ *lang_code = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
+
+ /* Instantiate an IETF Remediation Instructions String object */
+ DESTROY_IF(this->remediation_string);
+ this->remediation_string = imv_remediation_string_create(
+ this->type == OS_TYPE_ANDROID, *lang_code);
+
+ /* List of blacklisted packages to be removed, if any */
+ if (this->count_blacklist)
+ {
+ this->remediation_string->add_instruction(this->remediation_string,
+ instr_remove_packages_title,
+ instr_remove_packages_descr,
+ instr_remove_packages_header,
+ this->remove_packages);
+ }
+
+ /* List of packages in need of an update, if any */
+ if (this->count_update)
+ {
+ this->remediation_string->add_instruction(this->remediation_string,
+ instr_update_packages_title,
+ instr_update_packages_descr,
+ instr_update_packages_header,
+ this->update_packages);
+ }
+
+ /* Add instructions concerning improper OS settings */
+ if (this->os_settings & OS_SETTINGS_FWD_ENABLED)
+ {
+ this->remediation_string->add_instruction(this->remediation_string,
+ instr_fwd_enabled_title,
+ instr_fwd_enabled_descr, NULL, NULL);
+ }
+ if (this->os_settings & OS_SETTINGS_DEFAULT_PWD_ENABLED)
+ {
+ this->remediation_string->add_instruction(this->remediation_string,
+ instr_default_pwd_enabled_title,
+ instr_default_pwd_enabled_descr, NULL, NULL);
+ }
+ if (this->os_settings & OS_SETTINGS_NON_MARKET_APPS)
+ {
+ this->remediation_string->add_instruction(this->remediation_string,
+ instr_non_market_apps_title,
+ instr_non_market_apps_descr, NULL, NULL);
+ }
+
+ *string = this->remediation_string->get_encoding(this->remediation_string);
+ *uri = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imv-os.remediation_uri", NULL);
+
+ return TRUE;
+}
+
+METHOD(imv_state_t, destroy, void,
+ private_imv_os_state_t *this)
+{
+ DESTROY_IF(this->reason_string);
+ DESTROY_IF(this->remediation_string);
+ this->update_packages->destroy_function(this->update_packages, free);
+ this->remove_packages->destroy_function(this->remove_packages, free);
+ free(this->info);
+ free(this->name.ptr);
+ free(this->version.ptr);
+ free(this);
+}
+
+METHOD(imv_os_state_t, set_info, void,
+ private_imv_os_state_t *this, os_type_t type, chunk_t name, chunk_t version)
+{
+ int len = name.len + 1 + version.len + 1;
+
+ /* OS info is a concatenation of OS name and OS version */
+ free(this->info);
+ this->info = malloc(len);
+ snprintf(this->info, len, "%.*s %.*s", (int)name.len, name.ptr,
+ (int)version.len, version.ptr);
+ this->type = type;
+ this->name = chunk_clone(name);
+ this->version = chunk_clone(version);
+}
+
+METHOD(imv_os_state_t, get_info, char*,
+ private_imv_os_state_t *this, os_type_t *type, chunk_t *name,
+ chunk_t *version)
+{
+ if (type)
+ {
+ *type = this->type;
+ }
+ if (name)
+ {
+ *name = this->name;
+ }
+ if (version)
+ {
+ *version = this->version;
+ }
+ return this->info;
+}
+
+METHOD(imv_os_state_t, set_count, void,
+ private_imv_os_state_t *this, int count, int count_update,
+ int count_blacklist, int count_ok)
+{
+ this->count += count;
+ this->count_update += count_update;
+ this->count_blacklist += count_blacklist;
+ this->count_ok += count_ok;
+}
+
+METHOD(imv_os_state_t, get_count, void,
+ private_imv_os_state_t *this, int *count, int *count_update,
+ int *count_blacklist, int *count_ok)
+{
+ if (count)
+ {
+ *count = this->count;
+ }
+ if (count_update)
+ {
+ *count_update = this->count_update;
+ }
+ if (count_blacklist)
+ {
+ *count_blacklist = this->count_blacklist;
+ }
+ if (count_ok)
+ {
+ *count_ok = this->count_ok;
+ }
+}
+
+METHOD(imv_os_state_t, set_package_request, void,
+ private_imv_os_state_t *this, bool set)
+{
+ this->package_request = set;
+}
+
+METHOD(imv_os_state_t, get_package_request, bool,
+ private_imv_os_state_t *this)
+{
+ return this->package_request;
+}
+
+METHOD(imv_os_state_t, set_device_id, void,
+ private_imv_os_state_t *this, int id)
+{
+ this->device_id = id;
+}
+
+METHOD(imv_os_state_t, get_device_id, int,
+ private_imv_os_state_t *this)
+{
+ return this->device_id;
+}
+
+METHOD(imv_os_state_t, set_os_settings, void,
+ private_imv_os_state_t *this, u_int settings)
+{
+ this->os_settings |= settings;
+}
+
+METHOD(imv_os_state_t, get_os_settings, u_int,
+ private_imv_os_state_t *this)
+{
+ return this->os_settings;
+}
+
+METHOD(imv_os_state_t, set_angel_count, void,
+ private_imv_os_state_t *this, bool start)
+{
+ this->angel_count += start ? 1 : -1;
+}
+
+METHOD(imv_os_state_t, get_angel_count, int,
+ private_imv_os_state_t *this)
+{
+ return this->angel_count;
+}
+
+METHOD(imv_os_state_t, add_bad_package, void,
+ private_imv_os_state_t *this, char *package,
+ os_package_state_t package_state)
+{
+ package = strdup(package);
+
+ if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+ {
+ this->remove_packages->insert_last(this->remove_packages, package);
+ }
+ else
+ {
+ this->update_packages->insert_last(this->update_packages, package);
+ }
+}
+
+/**
+ * Described in header.
+ */
+imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id)
+{
+ private_imv_os_state_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_connection_id = _get_connection_id,
+ .has_long = _has_long,
+ .has_excl = _has_excl,
+ .set_flags = _set_flags,
+ .set_max_msg_len = _set_max_msg_len,
+ .get_max_msg_len = _get_max_msg_len,
+ .change_state = _change_state,
+ .get_recommendation = _get_recommendation,
+ .set_recommendation = _set_recommendation,
+ .get_reason_string = _get_reason_string,
+ .get_remediation_instructions = _get_remediation_instructions,
+ .destroy = _destroy,
+ },
+ .set_info = _set_info,
+ .get_info = _get_info,
+ .set_count = _set_count,
+ .get_count = _get_count,
+ .set_package_request = _set_package_request,
+ .get_package_request = _get_package_request,
+ .set_device_id = _set_device_id,
+ .get_device_id = _get_device_id,
+ .set_os_settings = _set_os_settings,
+ .get_os_settings = _get_os_settings,
+ .set_angel_count = _set_angel_count,
+ .get_angel_count = _get_angel_count,
+ .add_bad_package = _add_bad_package,
+ },
+ .state = TNC_CONNECTION_STATE_CREATE,
+ .rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ .eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+ .connection_id = connection_id,
+ .update_packages = linked_list_create(),
+ .remove_packages = linked_list_create(),
+ );
+
+ return &this->public.interface;
+}
+
+
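Review bot: `set_info` overwrites `this->name` and `this->version` with fresh `chunk_clone()` copies without releasing the previous ones, although it does free the old `this->info`, so every repeated call leaks the earlier name and version buffers. If the OS name and version come from attributes sent by the remote client (not visible here), a peer that repeats them can grow the IMV's memory; add `free(this->name.ptr);` and `free(this->version.ptr);` before the two clone lines, matching what `destroy` already does. In `get_reason_string` and `get_remediation_instructions` the guard `!this->count_blacklist & !this->os_settings` uses bitwise `&`; the result is the same for these 0/1 operands, but `&&` states the intent. The stray `;` in front of the "Forwarding Enabled" comment block can also be dropped.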
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h
new file mode 100644
index 000000000..05abdbb6c
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_state.h
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_os_state_t imv_os_state
+ * @{ @ingroup imv_os_state
+ */
+
+#ifndef IMV_OS_STATE_H_
+#define IMV_OS_STATE_H_
+
+#include "os_info/os_info.h"
+#include <imv/imv_state.h>
+#include <library.h>
+
+typedef struct imv_os_state_t imv_os_state_t;
+typedef enum os_settings_t os_settings_t;
+
+enum os_settings_t {
+ OS_SETTINGS_FWD_ENABLED = 1,
+ OS_SETTINGS_DEFAULT_PWD_ENABLED = 2,
+ OS_SETTINGS_NON_MARKET_APPS = 4
+};
+
+/**
+ * Internal state of an imv_os_t connection instance
+ */
+struct imv_os_state_t {
+
+ /**
+ * imv_state_t interface
+ */
+ imv_state_t interface;
+
+ /**
+ * Set OS Product Information
+ *
+ * @param type OS type (enumerated)
+ * @param name OS name (string)
+ * @param version OS version
+ */
+ void (*set_info)(imv_os_state_t *this, os_type_t os_type,
+ chunk_t name, chunk_t version);
+
+ /**
+ * Get OS Product Information
+ *
+ * @param type OS type (enumerated)
+ * @param name OS name (string)
+ * @param version OS version
+ * @return OS name & version as a concatenated string
+ */
+ char* (*get_info)(imv_os_state_t *this, os_type_t *os_type,
+ chunk_t *name, chunk_t *version);
+
+ /**
+ * Set [or with multiple attributes increment] package counters
+ *
+ * @param count Number of processed packages
+ * @param count_update Number of not updated packages
+ * @param count_blacklist Number of blacklisted packages
+ * @param count_ok Number of whitelisted packages
+ */
+ void (*set_count)(imv_os_state_t *this, int count, int count_update,
+ int count_blacklist, int count_ok);
+
+ /**
+ * Set [or with multiple attributes increment] package counters
+ *
+ * @param count Number of processed packages
+ * @param count_update Number of not updated packages
+ * @param count_blacklist Number of blacklisted packages
+ * @param count_ok Number of whitelisted packages
+ */
+ void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
+ int *count_blacklist, int *count_ok);
+ /**
+ * Set/reset OS Installed Packages request status
+ *
+ * @param set TRUE to set, FALSE to clear
+ */
+ void (*set_package_request)(imv_os_state_t *this, bool set);
+
+ /**
+ * Get OS Installed Packages request status
+ *
+ * @return TRUE if set, FALSE if unset
+ */
+ bool (*get_package_request)(imv_os_state_t *this);
+
+ /**
+ * Set device ID
+ *
+ * @param device_id Device ID primary database key
+ */
+ void (*set_device_id)(imv_os_state_t *this, int id);
+
+ /**
+ * Get device ID
+ *
+ * @return Device ID primary database key
+ */
+ int (*get_device_id)(imv_os_state_t *this);
+
+ /**
+ * Set OS settings
+ *
+ * @param settings OS settings
+ */
+ void (*set_os_settings)(imv_os_state_t *this, u_int settings);
+
+ /**
+ * Get OS settings
+ *
+ * @return OS settings
+ */
+ u_int (*get_os_settings)(imv_os_state_t *this);
+
+ /**
+ * Increase/Decrease the ITA Angel count
+ *
+ * @param start TRUE increases and FALSE decreases count by one
+ */
+ void (*set_angel_count)(imv_os_state_t *this, bool start);
+
+ /**
+ * Get the ITA Angel count
+ *
+ * @return ITA Angel count
+ */
+ int (*get_angel_count)(imv_os_state_t *this);
+
+ /**
+ * Store a bad package that has to be updated or removed
+ *
+ * @param package Name of software package
+ * @param package_state Security state of software package
+ */
+ void (*add_bad_package)(imv_os_state_t *this, char *package,
+ os_package_state_t package_state);
+
+};
+
+/**
+ * Create an imv_os_state_t instance
+ *
+ * @param id connection ID
+ */
+imv_state_t* imv_os_state_create(TNC_ConnectionID id);
+
+#endif /** IMV_OS_STATE_H_ @}*/
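Review bot: The doc comment on `get_count` is a copy of the one on `set_count` (`Set [or with multiple attributes increment] package counters`), so the getter is documented as a setter. Replace its first line with `Get package counters` and mark the parameters as outputs, e.g. `@param count Number of processed packages (may be NULL)`; the implementation in imv_os_state.c checks each pointer before writing. The `@param type` tags on `set_info` and `get_info`, and `@param device_id` on `set_device_id`, also do not match the declared parameter names `os_type` and `id`.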
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
new file mode 100644
index 000000000..f5f52885d
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -0,0 +1,498 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <syslog.h>
+#include <time.h>
+
+#include "imv_os_state.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+/**
+ * global debug output variables
+ */
+static int debug_level = 1;
+static bool stderr_quiet = TRUE;
+
+/**
+ * pacman dbg function
+ */
+static void pacman_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+ int priority = LOG_INFO;
+ char buffer[8192];
+ char *current = buffer, *next;
+ va_list args;
+
+ if (level <= debug_level)
+ {
+ if (!stderr_quiet)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
+ va_end(args);
+ }
+
+ /* write in memory buffer first */
+ va_start(args, fmt);
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
+
+ /* do a syslog with every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(priority, "%s\n", current);
+ current = next;
+ }
+ }
+}
+
+/**
+ * atexit handler to close everything on shutdown
+ */
+static void cleanup(void)
+{
+ closelog();
+ library_deinit();
+}
+
+static void usage(void)
+{
+ printf("Usage:\n"
+ "ipsec pacman --product <name> --file <filename> [--update]\n");
+}
+
+/**
+ * Extract the time the package file was generated
+ */
+static time_t extract_time(char *line)
+{
+ struct tm t;
+ char wday[4], mon[4];
+ char* months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
+ int i;
+
+ if (sscanf(line, "Generated: %3s %3s %2d %2d:%2d:%2d %4d UTC", wday, mon,
+ &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec, &t.tm_year) != 7)
+ {
+ return UNDEFINED_TIME;
+ }
+ t.tm_isdst = 0;
+ t.tm_year -= 1900;
+ t.tm_mon = 12;
+
+ for (i = 0; i < countof(months); i++)
+ {
+ if (streq(mon, months[i]))
+ {
+ t.tm_mon = i;
+ break;
+ }
+ }
+ if (t.tm_mon == 12)
+ {
+ return UNDEFINED_TIME;
+ }
+
+ return mktime(&t) - timezone;
+}
+
+/**
+ * Process a package file and store updates in the database
+ */
+static void process_packages(char *filename, char *product, bool update)
+{
+ char *uri, line[12288], *pos;
+ int count = 0, errored = 0, vulnerable = 0, new_packages = 0;
+ int new_versions = 0, updated_versions = 0, deleted_versions = 0;
+ u_int32_t pid = 0;
+ enumerator_t *e;
+ database_t *db;
+ FILE *file;
+
+ /* opening package file */
+ printf("loading\"%s\"\n", filename);
+ file = fopen(filename, "r");
+ if (!file)
+ {
+ fprintf(stderr, "could not open \"%s\"\n", filename);
+ exit(EXIT_FAILURE);
+ }
+
+ /* connect package database */
+ uri = lib->settings->get_str(lib->settings, "pacman.database", NULL);
+ if (!uri)
+ {
+ fprintf(stderr, "database URI pacman.database not set\n");
+ fclose(file);
+ exit(EXIT_FAILURE);
+ }
+ db = lib->db->create(lib->db, uri);
+ if (!db)
+ {
+ fprintf(stderr, "could not connect to database '%s'\n", uri);
+ fclose(file);
+ exit(EXIT_FAILURE);
+ }
+
+ /* check if product is already in database */
+ e = db->query(db, "SELECT id FROM products WHERE name = ?",
+ DB_TEXT, product, DB_INT);
+ if (e)
+ {
+ if (!e->enumerate(e, &pid))
+ {
+ pid = 0;
+ }
+ e->destroy(e);
+ }
+ if (!pid)
+ {
+ if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)",
+ DB_TEXT, product) != 1)
+ {
+ fprintf(stderr, "could not store product '%s' to database\n",
+ product);
+ fclose(file);
+ db->destroy(db);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ while (fgets(line, sizeof(line), file))
+ {
+ char *package, *version;
+ char *cur_version, *version_update = NULL, *version_delete = NULL;
+ bool security, add_version = TRUE;
+ int cur_security, security_update = 0, security_delete = 0;
+ u_int32_t gid = 0, vid = 0, vid_update = 0, vid_delete = 0;
+ time_t gen_time, cur_time;
+
+ count++;
+ if (count == 1)
+ {
+ printf("%s", line);
+ }
+ if (count == 3)
+ {
+ gen_time = extract_time(line);
+
+ if (gen_time == UNDEFINED_TIME)
+ {
+ fprintf(stderr, "could not extract generation time\n");
+ fclose(file);
+ db->destroy(db);
+ exit(EXIT_FAILURE);
+ }
+ printf("Generated: %T\n", &gen_time, TRUE);
+ }
+ if (count < 7)
+ {
+ continue;
+ }
+
+ /* look for the package name */
+ pos = strchr(line, ' ');
+ if (!pos)
+ {
+ fprintf(stderr, "could not extract package name from '%.*s'\n",
+ (int)(strlen(line)-1), line);
+ errored++;
+ continue;
+ }
+ *pos++ = '\0';
+ package = line;
+
+ /* look for version string in parentheses */
+ if (*pos == '(')
+ {
+ version = ++pos;
+ pos = strchr(pos, ')');
+ if (pos)
+ {
+ *pos++ = '\0';
+ }
+ else
+ {
+ fprintf(stderr, "could not extract package version from "
+ "'%.*s'\n", (int)(strlen(line)-1), line);
+ errored++;
+ continue;
+ }
+ }
+ else
+ {
+ /* no version information, skip entry */
+ continue;
+ }
+ security = (strstr(pos, "[security]") != NULL);
+ if (security)
+ {
+ vulnerable++;
+ }
+
+ /* handle non-security packages in update mode only */
+ if (!update && !security)
+ {
+ continue;
+ }
+
+ /* check if package is already in database */
+ e = db->query(db, "SELECT id FROM packages WHERE name = ?",
+ DB_TEXT, package, DB_INT);
+ if (e)
+ {
+ if (!e->enumerate(e, &gid))
+ {
+ gid = 0;
+ }
+ e->destroy(e);
+ }
+ if (!gid && security)
+ {
+ if (db->execute(db, &gid, "INSERT INTO packages (name) VALUES (?)",
+ DB_TEXT, package) != 1)
+ {
+ fprintf(stderr, "could not store package '%s' to database\n",
+ package);
+ fclose(file);
+ db->destroy(db);
+ exit(EXIT_FAILURE);
+ }
+ new_packages++;
+ }
+
+ /* check for package versions already in database */
+ e = db->query(db,
+ "SELECT id, release, security, time FROM versions "
+ "WHERE package = ? AND product = ?",
+ DB_INT, gid, DB_INT, pid, DB_INT, DB_TEXT, DB_INT, DB_INT);
+ if (!e)
+ {
+ break;
+ }
+ while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time))
+ {
+ if (streq(version, cur_version))
+ {
+ /* already in data base */
+ add_version = FALSE;
+ break;
+ }
+ else if (gen_time > cur_time)
+ {
+ if (security)
+ {
+ if (cur_security)
+ {
+ vid_update = vid;
+ version_update = strdup(cur_version);
+ security_update = cur_security;
+ }
+ else
+ {
+ vid_delete = vid;
+ version_delete = strdup(cur_version);
+ security_delete = cur_security;
+ }
+ }
+ else
+ {
+ if (!cur_security)
+ {
+ vid_update = vid;
+ version_update = strdup(cur_version);
+ security_update = cur_security;
+ }
+ }
+ }
+ else
+ {
+ if (security == cur_security)
+ {
+ add_version = FALSE;
+ }
+ }
+ }
+ e->destroy(e);
+
+ if ((!vid && !security) || (vid && !add_version))
+ {
+ free(version_update);
+ free(version_delete);
+ continue;
+ }
+
+ if ((!vid && security) || (vid && !vid_update))
+ {
+ printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+ if (db->execute(db, &vid,
+ "INSERT INTO versions "
+ "(package, product, release, security, time) "
+ "VALUES (?, ?, ?, ?, ?)", DB_INT, gid, DB_INT, pid,
+ DB_TEXT, version, DB_INT, security, DB_INT, gen_time) != 1)
+ {
+ fprintf(stderr, "could not store version '%s' to database\n",
+ version);
+ free(version_update);
+ free(version_delete);
+ fclose(file);
+ db->destroy(db);
+ exit(EXIT_FAILURE);
+ }
+ new_versions++;
+ }
+ else
+ {
+ printf("%s (%s) %s updated by\n",
+ package, version_update, security_update ? "[s]" : "");
+ printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+ if (db->execute(db, NULL,
+ "UPDATE versions SET release = ?, time = ? WHERE id = ?",
+ DB_TEXT, version, DB_INT, gen_time, DB_INT, vid_update) <= 0)
+ {
+ fprintf(stderr, "could not update version '%s' to database\n",
+ version);
+ free(version_update);
+ free(version_delete);
+ fclose(file);
+ db->destroy(db);
+ exit(EXIT_FAILURE);
+ }
+ updated_versions++;
+ }
+
+ if (vid_delete)
+ {
+ printf("%s (%s) %s deleted\n",
+ package, version_delete, security_delete ? "[s]" : "");
+
+ if (db->execute(db, NULL,
+ "DELETE FROM versions WHERE id = ?",
+ DB_INT, vid_delete) <= 0)
+ {
+ fprintf(stderr, "could not delete version '%s' from database\n",
+ version_delete);
+ free(version_update);
+ free(version_delete);
+ fclose(file);
+ db->destroy(db);
+ exit(EXIT_FAILURE);
+ }
+ deleted_versions++;
+ }
+ free(version_update);
+ free(version_delete);
+ }
+ fclose(file);
+ db->destroy(db);
+
+ printf("processed %d packages, %d security, %d new packages, "
+ "%d new versions, %d updated versions, %d deleted versions, "
+ "%d errored\n", count - 6, vulnerable, new_packages, new_versions,
+ updated_versions, deleted_versions, errored);
+}
+
+static void do_args(int argc, char *argv[])
+{
+ char *filename = NULL, *product = NULL;
+ bool update = FALSE;
+
+ /* reinit getopt state */
+ optind = 0;
+
+ while (TRUE)
+ {
+ int c;
+
+ struct option long_opts[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "file", required_argument, NULL, 'f' },
+ { "product", required_argument, NULL, 'p' },
+ { "update", no_argument, NULL, 'u' },
+ { 0,0,0,0 }
+ };
+
+ c = getopt_long(argc, argv, "", long_opts, NULL);
+ switch (c)
+ {
+ case EOF:
+ break;
+ case 'h':
+ usage();
+ exit(EXIT_SUCCESS);
+ case 'f':
+ filename = optarg;
+ continue;
+ case 'p':
+ product = optarg;
+ continue;
+ case 'u':
+ update = TRUE;
+ continue;
+ }
+ break;
+ }
+
+ if (filename && product)
+ {
+ process_packages(filename, product, update);
+ }
+ else
+ {
+ usage();
+ exit(EXIT_FAILURE);
+ }
+}
+
+int main(int argc, char *argv[])
+{
+ /* enable attest debugging hook */
+ dbg = pacman_dbg;
+ openlog("pacman", 0, LOG_DEBUG);
+
+ atexit(cleanup);
+
+ /* initialize library */
+ if (!library_init(NULL))
+ {
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (!lib->plugins->load(lib->plugins, NULL,
+ lib->settings->get_str(lib->settings, "attest.load", "sqlite")))
+ {
+ exit(SS_RC_INITIALIZATION_FAILED);
+ }
+ do_args(argc, argv);
+
+ exit(EXIT_SUCCESS);
+}
+
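Review bot: `gen_time` is declared inside the body of the `while (fgets(...))` loop in `process_packages` but assigned only on the iteration where `count == 3`, so the later iterations that evaluate `gen_time > cur_time` and bind it into the `INSERT INTO versions` and `UPDATE versions` statements read an object whose value is indeterminate. That timestamp decides which stored versions are updated or deleted, so the reference data used for package assessment can depend on compiler and stack layout. Declare it at function scope, `time_t gen_time = UNDEFINED_TIME;` next to `u_int32_t pid = 0;`, and keep only `time_t cur_time;` in the loop. Separately, `version_update` and `version_delete` are reassigned with `strdup()` on every matching row of the inner enumerate loop without freeing the previous copy.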
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
new file mode 100755
index 000000000..e9134ea5d
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/pacman.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+DATE=`date +%Y%m%d`
+DEBIAN=http://packages.debian.org
+UBUNTU=http://packages.ubuntu.com
+UBUNTU_VERSIONS="quantal precise oneiric lucid"
+PACKAGES=allpackages?format=txt.gz
+PACMAN=/usr/libexec/ipsec/pacman
+DIR=/etc/pts
+
+cd $DIR
+
+for v in $UBUNTU_VERSIONS
+do
+ wget $UBUNTU/$v/$PACKAGES -O $DATE-$v.txt.gz
+ wget $UBUNTU/$v-updates/$PACKAGES -O $DATE-$v-updates.txt.gz
+done
+
+wget $DEBIAN/stable/$PACKAGES -O $DATE-squeeze.txt.gz
+gunzip *.gz
+
+$PACMAN --product "Ubuntu 12.10" --file $DATE-quantal.txt
+echo
+$PACMAN --product "Ubuntu 12.10" --file $DATE-quantal-updates.txt --update
+echo
+$PACMAN --product "Ubuntu 12.04" --file $DATE-precise.txt
+echo
+$PACMAN --product "Ubuntu 12.04" --file $DATE-precise-updates.txt --update
+echo
+$PACMAN --product "Ubuntu 11.10" --file $DATE-oneiric.txt
+echo
+$PACMAN --product "Ubuntu 11.10" --file $DATE-oneiric-updates.txt --update
+echo
+$PACMAN --product "Ubuntu 10.04" --file $DATE-lucid.txt
+echo
+$PACMAN --product "Ubuntu 10.04" --file $DATE-lucid-updates.txt --update
+echo
+$PACMAN --product "Debian squeeze" --file $DATE-squeeze.txt
+
+cp config.db config.db-$DATE
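Review bot: The package lists are fetched over plain `http://` and none of the `cd`, `wget` or `gunzip` steps is checked, yet their output is what `$PACMAN` loads into the package database, so a failed or tampered download silently changes the reference data. Abort on the first error and unpack only what this run fetched: `set -e` after the shebang, `cd "$DIR" || exit 1`, and `gunzip "$DATE"-*.txt.gz` instead of `gunzip *.gz`. Switching `DEBIAN` and `UBUNTU` to `https://` where the servers offer it, or checking the lists against a signed source, would close the tampering path. The `stable` URL is also saved and imported as `squeeze`, which stops being true once Debian's stable alias moves to the next release.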
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 126a42c93..da797a9b0 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(imcvdir)"
LTLIBRARIES = $(imcv_LTLIBRARIES)
imv_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES)
+imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES) $(EXTRA_imv_scanner_la_DEPENDENCIES)
$(imv_scanner_la_LINK) -rpath $(imcvdir) $(imv_scanner_la_OBJECTS) $(imv_scanner_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c
index 1352397c6..16ce0863f 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c
@@ -16,8 +16,9 @@
#include "imv_scanner_state.h"
#include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ietf/ietf_attr_port_filter.h>
@@ -25,16 +26,17 @@
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
/* IMV definitions */
static const char imv_name[] = "Scanner";
-#define IMV_VENDOR_ID PEN_ITA
-#define IMV_SUBTYPE PA_SUBTYPE_ITA_SCANNER
+static pen_type_t msg_types[] = {
+ { PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
static imv_agent_t *imv_scanner;
@@ -46,7 +48,7 @@ struct port_range_t {
/**
- * Default port policy
+ * Default port policy
*
* TRUE: all server ports on the TNC client must be closed
* FALSE: any server port on the TNC client is allowed to be open
@@ -124,8 +126,8 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
return TNC_RESULT_ALREADY_INITIALIZED;
}
- imv_scanner = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
- imv_id, actual_version);
+ imv_scanner = imv_agent_create(imv_name, msg_types, countof(msg_types),
+ imv_id, actual_version);
if (!imv_scanner)
{
return TNC_RESULT_FATAL;
@@ -176,64 +178,39 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
}
}
-static TNC_Result receive_message(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imc_id,
- TNC_UInt32 dst_imv_id)
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
{
- pa_tnc_msg_t *pa_tnc_msg;
+ imv_msg_t *out_msg;
+ enumerator_t *enumerator;
pa_tnc_attr_t *attr;
pen_type_t type;
- imv_state_t *state;
- enumerator_t *enumerator;
TNC_Result result;
- bool fatal_error;
+ bool fatal_error = FALSE;
- if (!imv_scanner)
- {
- DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
- return TNC_RESULT_NOT_INITIALIZED;
- }
-
- /* get current IMV state */
- if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
-
- /* parse received PA-TNC message and automatically handle any errors */
- result = imv_scanner->receive_message(imv_scanner, state, msg, msg_vid,
- msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
{
return result;
}
- /* preprocess any IETF standard error attributes */
- fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
/* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
while (enumerator->enumerate(enumerator, &attr))
{
type = attr->get_type(attr);
if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PORT_FILTER)
{
+ imv_scanner_state_t *imv_scanner_state;
ietf_attr_port_filter_t *attr_port_filter;
enumerator_t *enumerator;
u_int8_t protocol;
u_int16_t port;
- char buf[BUF_LEN], *pos = buf;
- size_t len = BUF_LEN;
bool blocked, compliant = TRUE;
-
+
+
+ imv_scanner_state = (imv_scanner_state_t*)state;
attr_port_filter = (ietf_attr_port_filter_t*)attr;
enumerator = attr_port_filter->create_port_enumerator(attr_port_filter);
while (enumerator->enumerate(enumerator, &blocked, &protocol, &port))
@@ -241,7 +218,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
enumerator_t *e;
port_range_t *port_range;
bool passed, found = FALSE;
- int written = 0;
+ char buf[20];
if (blocked)
{
@@ -263,54 +240,51 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
e->destroy(e);
passed = (closed_port_policy == found);
- DBG2(DBG_IMV, "%s port %5u %s: %s",
+ DBG2(DBG_IMV, "%s port %5u %s: %s",
(protocol == IPPROTO_TCP) ? "tcp" : "udp", port,
blocked ? "closed" : "open", passed ? "ok" : "fatal");
if (!passed)
{
compliant = FALSE;
- written = snprintf(pos, len, " %s/%u",
- (protocol == IPPROTO_TCP) ? "tcp" : "udp",
- port);
- if (written < 0 || written >= len)
- {
- break;
- }
- pos += written;
- len -= written;
+ snprintf(buf, sizeof(buf), "%s/%u",
+ (protocol == IPPROTO_TCP) ? "tcp" : "udp", port);
+ imv_scanner_state->add_violating_port(imv_scanner_state,
+ strdup(buf));
}
- }
+ }
enumerator->destroy(enumerator);
if (compliant)
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
- TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+ TNC_IMV_EVALUATION_RESULT_COMPLIANT);
}
else
{
- imv_scanner_state_t *imv_scanner_state;
-
- imv_scanner_state = (imv_scanner_state_t*)state;
- imv_scanner_state->set_violating_ports(imv_scanner_state, buf);
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
- TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
- }
- }
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+ }
+ }
}
enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
if (fatal_error)
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
+ TNC_IMV_EVALUATION_RESULT_ERROR);
}
- return imv_scanner->provide_recommendation(imv_scanner, connection_id,
- src_imc_id);
+
+ out_msg = imv_msg_create_as_reply(in_msg);
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_scanner->provide_recommendation(imv_scanner, state);
}
/**
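Review bot: Each failing port is appended with `add_violating_port(imv_scanner_state, strdup(buf))`, and nothing on the new side empties the list before a Port Filter attribute is evaluated. A second attribute on the same connection state (for example after a handshake retry) would therefore presumably report the ports of the earlier measurement as well, even if the new measurement is compliant. Consider clearing the list where `compliant` is initialised, or add a comment stating that the state is expected to be fresh for every measurement. The `strdup()` result is also stored unchecked, so an allocation failure would put a NULL entry into the list. receive_message starts in an earlier hunk.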
@@ -322,14 +296,26 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ if (!imv_scanner)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+
+ in_msg = imv_msg_create_from_data(imv_scanner, state, connection_id, msg_type,
+ chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
+ return result;
}
/**
@@ -345,9 +331,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
TNC_UInt32 src_imc_id,
TNC_UInt32 dst_imv_id)
{
- return receive_message(imv_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imc_id, dst_imv_id);
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imv_scanner)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_long_data(imv_scanner, state, connection_id,
+ src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
}
/**
@@ -356,13 +359,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
TNC_ConnectionID connection_id)
{
+ imv_state_t *state;
+
if (!imv_scanner)
{
DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- return imv_scanner->provide_recommendation(imv_scanner, connection_id,
- TNC_IMCID_ANY);
+ if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ return imv_scanner->provide_recommendation(imv_scanner, state);
}
/**
@@ -371,12 +379,36 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
TNC_ConnectionID connection_id)
{
+ imv_state_t *state;
+ imv_msg_t *out_msg;
+ pa_tnc_attr_t *attr;
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
if (!imv_scanner)
{
DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- return TNC_RESULT_SUCCESS;
+ if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ state->get_recommendation(state, &rec, &eval);
+ if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+ {
+ out_msg = imv_msg_create(imv_scanner, state, connection_id, imv_id,
+ TNC_IMCID_ANY, msg_types[0]);
+ attr = ietf_attr_attr_request_create(PEN_IETF, IETF_ATTR_PORT_FILTER);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* send PA-TNC message with excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ out_msg->destroy(out_msg);
+
+ }
+ return result;
}
/**
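Review bot: The Port Filter request is gated only on `rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION`, which is also the value receive_message sets together with `TNC_IMV_EVALUATION_RESULT_ERROR` after a fatal error, so an errored connection would presumably be asked again at every batch end. Testing the evaluation as well limits the request to the initial state: `if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION && eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)`. As written, `eval` is filled by `get_recommendation()` but never read in this function.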
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index fecc84e70..108e5ff6f 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -14,9 +14,12 @@
*/
#include "imv_scanner_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+#include "imv/imv_remediation_string.h"
#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_imv_scanner_state_t private_imv_scanner_state_t;
@@ -66,34 +69,63 @@ struct private_imv_scanner_state_t {
TNC_IMV_Evaluation_Result eval;
/**
- * String with list of ports that should be closed
+ * List with ports that should be closed
*/
- char *violating_ports;
+ linked_list_t *violating_ports;
/**
- * Local copy of the reason string
+ * TNC Reason String
*/
- chunk_t reason_string;
+ imv_reason_string_t *reason_string;
+
+ /**
+ * IETF Remediation Instructions String
+ */
+ imv_remediation_string_t *remediation_string;
+
};
-typedef struct entry_t entry_t;
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "fr", "pl" };
/**
- * Define an internal reason string entry
+ * Reason strings for "Port Filter"
*/
-struct entry_t {
- char *lang;
- char *string;
+static imv_lang_string_t reasons[] = {
+ { "en", "Open server ports were detected" },
+ { "de", "Offene Serverports wurden festgestellt" },
+ { "fr", "Il y a des ports du serveur ouverts" },
+ { "pl", "Są otwarte porty serwera" },
+ { NULL, NULL }
};
/**
- * Table of multi-lingual reason string entries
+ * Instruction strings for "Port Filters"
*/
-static entry_t reasons[] = {
- { "en", "The following ports are open:" },
- { "de", "Die folgenden Ports sind offen" },
- { "fr", "Les ports suivants sont ouverts:" },
- { "pl", "Następujące porty sa otwarte:" }
+static imv_lang_string_t instr_ports_title[] = {
+ { "en", "Open Server Ports" },
+ { "de", "Offene Server Ports" },
+ { "fr", "Ports ouverts du serveur" },
+ { "pl", "Otwarte Porty Serwera" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_ports_descr[] = {
+ { "en", "Open Internet ports have been detected" },
+ { "de", "Offenen Internet-Ports wurden festgestellt" },
+ { "fr", "Il y'a des ports Internet ouverts" },
+ { "pl", "Porty internetowe są otwarte" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t instr_ports_header[] = {
+ { "en", "Please close the following server ports:" },
+ { "de", "Bitte schliessen Sie die folgenden Serverports:" },
+ { "fr", "Fermez les ports du serveur suivants s'il vous plait:" },
+ { "pl", "Proszę zamknąć następujące porty serwera:" },
+ { NULL, NULL }
};
METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -156,75 +188,66 @@ METHOD(imv_state_t, set_recommendation, void,
}
METHOD(imv_state_t, get_reason_string, bool,
- private_imv_scanner_state_t *this, chunk_t preferred_language,
- chunk_t *reason_string, chunk_t *reason_language)
+ private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *reason_string, char **reason_language)
{
- chunk_t pref_lang, lang;
- u_char *pos;
- int i;
-
if (!this->violating_ports)
{
return FALSE;
}
+ *reason_language = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
+
+ /* Instantiate a TNC Reason String object */
+ DESTROY_IF(this->reason_string);
+ this->reason_string = imv_reason_string_create(*reason_language);
+ this->reason_string->add_reason(this->reason_string, reasons);
+ *reason_string = this->reason_string->get_encoding(this->reason_string);
+
+ return TRUE;
+}
- while (eat_whitespace(&preferred_language))
+METHOD(imv_state_t, get_remediation_instructions, bool,
+ private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *string, char **lang_code, char **uri)
+{
+ if (!this->violating_ports)
{
- if (!extract_token(&pref_lang, ',', &preferred_language))
- {
- /* last entry in a comma-separated list or single entry */
- pref_lang = preferred_language;
- }
-
- /* eat trailing whitespace */
- pos = pref_lang.ptr + pref_lang.len - 1;
- while (pref_lang.len && *pos-- == ' ')
- {
- pref_lang.len--;
- }
-
- for (i = 0 ; i < countof(reasons); i++)
- {
- lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
- if (chunk_equals(lang, pref_lang))
- {
- this->reason_string = chunk_cat("cc",
- chunk_create(reasons[i].string,
- strlen(reasons[i].string)),
- chunk_create(this->violating_ports,
- strlen(this->violating_ports)));
- *reason_string = this->reason_string;
- *reason_language = lang;
- return TRUE;
- }
- }
+ return FALSE;
}
+ *lang_code = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
+
+ /* Instantiate an IETF Remediation Instructions String object */
+ DESTROY_IF(this->remediation_string);
+ this->remediation_string = imv_remediation_string_create(
+ TRUE, *lang_code); /* TODO get os_type */
+
+ this->remediation_string->add_instruction(this->remediation_string,
+ instr_ports_title,
+ instr_ports_descr,
+ instr_ports_header,
+ this->violating_ports);
+ *string = this->remediation_string->get_encoding(this->remediation_string);
+ *uri = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imv-scanner.remediation_uri", NULL);
- /* no preferred language match found - use the default language */
-
- this->reason_string = chunk_cat("cc",
- chunk_create(reasons[0].string,
- strlen(reasons[0].string)),
- chunk_create(this->violating_ports,
- strlen(this->violating_ports)));
- *reason_string = this->reason_string;
- *reason_language = chunk_create(reasons[0].lang,
- strlen(reasons[0].lang));
return TRUE;
}
METHOD(imv_state_t, destroy, void,
private_imv_scanner_state_t *this)
{
- free(this->violating_ports);
- free(this->reason_string.ptr);
+ DESTROY_IF(this->reason_string);
+ DESTROY_IF(this->remediation_string);
+ this->violating_ports->destroy_function(this->violating_ports, free);
free(this);
}
-METHOD(imv_scanner_state_t, set_violating_ports, void,
- private_imv_scanner_state_t *this, char *ports)
+METHOD(imv_scanner_state_t, add_violating_port, void,
+ private_imv_scanner_state_t *this, char *port)
{
- this->violating_ports = strdup(ports);
+ this->violating_ports->insert_last(this->violating_ports, port);
}
/**
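Review bot: The guard `if (!this->violating_ports)` in get_reason_string and in the new get_remediation_instructions can no longer fail, because the constructor hunk below now always sets `.violating_ports = linked_list_create()`. A compliant client with no violating ports therefore still gets the "Open server ports were detected" reason and a remediation instruction with an empty port list. Test for an empty list in both methods instead: `if (this->violating_ports->get_count(this->violating_ports) == 0)`.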
@@ -247,16 +270,18 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
.get_recommendation = _get_recommendation,
.set_recommendation = _set_recommendation,
.get_reason_string = _get_reason_string,
+ .get_remediation_instructions = _get_remediation_instructions,
.destroy = _destroy,
},
- .set_violating_ports = _set_violating_ports,
+ .add_violating_port = _add_violating_port,
},
.state = TNC_CONNECTION_STATE_CREATE,
.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
.connection_id = connection_id,
+ .violating_ports = linked_list_create(),
);
-
+
return &this->public.interface;
}
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
index 716ddfea0..9a0930396 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
@@ -37,9 +37,9 @@ struct imv_scanner_state_t {
imv_state_t interface;
/**
- * list of violating TCP and UDP ports
+ * add a violating TCP or UDP port
*/
- void (*set_violating_ports)(imv_scanner_state_t *this, char *ports);
+ void (*add_violating_port)(imv_scanner_state_t *this, char *port);
};
/**
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index e395f8187..04b750973 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(imcvdir)"
LTLIBRARIES = $(imcv_LTLIBRARIES)
imv_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
@@ -119,6 +125,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -146,6 +153,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,6 +181,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -185,6 +194,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -238,7 +248,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -360,7 +369,7 @@ clean-imcvLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES)
+imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES) $(EXTRA_imv_test_la_DEPENDENCIES)
$(imv_test_la_LINK) -rpath $(imcvdir) $(imv_test_la_OBJECTS) $(imv_test_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -498,10 +507,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c
index 5ea82e97c..df45ce69a 100644
--- a/src/libimcv/plugins/imv_test/imv_test.c
+++ b/src/libimcv/plugins/imv_test/imv_test.c
@@ -16,7 +16,7 @@
#include "imv_test_state.h"
#include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
#include <ietf/ietf_attr.h>
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ita/ita_attr.h>
@@ -27,14 +27,15 @@
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
/* IMV definitions */
static const char imv_name[] = "Test";
-#define IMV_VENDOR_ID PEN_ITA
-#define IMV_SUBTYPE PA_SUBTYPE_ITA_TEST
+static pen_type_t msg_types[] = {
+ { PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
static imv_agent_t *imv_test;
@@ -51,7 +52,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
return TNC_RESULT_ALREADY_INITIALIZED;
}
- imv_test = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
+ imv_test = imv_agent_create(imv_name, msg_types, countof(msg_types),
imv_id, actual_version);
if (!imv_test)
{
@@ -92,59 +93,32 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
}
}
-static TNC_Result receive_message(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imc_id,
- TNC_UInt32 dst_imv_id)
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
{
- pa_tnc_msg_t *pa_tnc_msg;
- pa_tnc_attr_t *attr;
- pen_type_t attr_type;
- linked_list_t *attr_list;
- imv_state_t *state;
+ imv_msg_t *out_msg;
imv_test_state_t *test_state;
enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t attr_type;
TNC_Result result;
int rounds;
- bool fatal_error, received_command = FALSE, retry = FALSE;
-
- if (!imv_test)
- {
- DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
- return TNC_RESULT_NOT_INITIALIZED;
- }
-
- /* get current IMV state */
- if (!imv_test->get_state(imv_test, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- test_state = (imv_test_state_t*)state;
-
- /* parse received PA-TNC message and automatically handle any errors */
- result = imv_test->receive_message(imv_test, state, msg, msg_vid,
- msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
+ bool fatal_error = FALSE, received_command = FALSE, retry = FALSE;
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
{
return result;
}
- /* preprocess any IETF standard error attributes */
- fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
/* add any new IMC and set its number of rounds */
rounds = lib->settings->get_int(lib->settings,
"libimcv.plugins.imv-test.rounds", 0);
- test_state->add_imc(test_state, src_imc_id, rounds);
+ test_state = (imv_test_state_t*)state;
+ test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
/* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
while (enumerator->enumerate(enumerator, &attr))
{
attr_type = attr->get_type(attr);
@@ -157,7 +131,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
{
ita_attr_command_t *ita_attr;
char *command;
-
+
received_command = TRUE;
ita_attr = (ita_attr_command_t*)attr;
command = ita_attr->get_command(ita_attr);
@@ -166,19 +140,19 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
- TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+ TNC_IMV_EVALUATION_RESULT_COMPLIANT);
}
else if (streq(command, "isolate"))
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
- TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
}
else if (streq(command, "block") || streq(command, "none"))
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
- TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
}
else if (streq(command, "retry"))
{
@@ -189,7 +163,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
+ TNC_IMV_EVALUATION_RESULT_ERROR);
}
}
else if (attr_type.type == ITA_ATTR_DUMMY)
@@ -202,40 +176,60 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
}
}
enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
if (fatal_error)
{
state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
- return imv_test->provide_recommendation(imv_test, connection_id,
- src_imc_id);
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
+ out_msg = imv_msg_create_as_reply(in_msg);
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_test->provide_recommendation(imv_test, state);
}
/* request a handshake retry ? */
if (retry)
{
test_state->set_rounds(test_state, rounds);
- return imv_test->request_handshake_retry(imv_id, connection_id,
- TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
+ return imv_test->request_handshake_retry(imv_test->get_id(imv_test),
+ state->get_connection_id(state),
+ TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
}
-
+
/* repeat the measurement ? */
- if (test_state->another_round(test_state, src_imc_id))
+ if (test_state->another_round(test_state, in_msg->get_src_id(in_msg)))
{
- attr_list = linked_list_create();
+ out_msg = imv_msg_create_as_reply(in_msg);
attr = ita_attr_command_create("repeat");
- attr_list->insert_last(attr_list, attr);
- result = imv_test->send_message(imv_test, connection_id, TRUE, imv_id,
- src_imc_id, attr_list);
- attr_list->destroy(attr_list);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* send PA-TNC message with excl flag set */
+ result = out_msg->send(out_msg, TRUE);
+ out_msg->destroy(out_msg);
return result;
}
- return received_command ? imv_test->provide_recommendation(imv_test,
- connection_id, src_imc_id) : TNC_RESULT_SUCCESS;
+ if (received_command)
+ {
+ out_msg = imv_msg_create_as_reply(in_msg);
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_test->provide_recommendation(imv_test, state);
+ }
+ else
+ {
+ return TNC_RESULT_SUCCESS;
+ }
}
/**
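Review bot: The `fatal_error` branch and the `received_command` branch now carry the same reply sequence (create reply, `send_assessment`, destroy, check result, `provide_recommendation`), and the trailing `else` after a `return` only adds nesting. A small static helper keeps the two exits from drifting apart and lets the tail collapse to a single return. receive_message starts in an earlier hunk, so the helper would go above it.

```c
/* send the assessment as a reply to in_msg, then deliver the recommendation */
static TNC_Result send_assessment_and_recommend(imv_state_t *state,
												imv_msg_t *in_msg)
{
	imv_msg_t *out_msg;
	TNC_Result result;

	out_msg = imv_msg_create_as_reply(in_msg);
	result = out_msg->send_assessment(out_msg);
	out_msg->destroy(out_msg);
	if (result != TNC_RESULT_SUCCESS)
	{
		return result;
	}
	return imv_test->provide_recommendation(imv_test, state);
}

	/* … unchanged: set_recommendation() call in the fatal_error branch … */
		return send_assessment_and_recommend(state, in_msg);

	/* … unchanged: handshake retry and another_round handling … */
	return received_command ? send_assessment_and_recommend(state, in_msg)
							: TNC_RESULT_SUCCESS;
```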
@@ -247,14 +241,25 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ if (!imv_test)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_test->get_state(imv_test, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_data(imv_test, state, connection_id, msg_type,
+ chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
+ return result;
}
/**
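Review bot: The `get_state()` failure branch in TNC_IMV_ReceiveMessage returns `TNC_RESULT_FATAL` without any log output, while the uninitialized-IMV branch directly above it logs through `DBG1`. The same silent return is added to TNC_IMV_ReceiveMessageLong and TNC_IMV_SolicitRecommendation in the next two hunks. Unless `get_state()` reports the miss itself (not visible here), a fatal result for an unknown connection ID is hard to trace from the log. I would add `DBG1(DBG_IMV, "IMV \"%s\" has no state for connection ID %u", imv_name, connection_id);` before each `return TNC_RESULT_FATAL;`.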
@@ -270,9 +275,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
TNC_UInt32 src_imc_id,
TNC_UInt32 dst_imv_id)
{
- return receive_message(imv_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imc_id, dst_imv_id);
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imv_test)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_test->get_state(imv_test, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_long_data(imv_test, state, connection_id,
+ src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
}
/**
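Review bot: `result =receive_message(state, in_msg);` is missing the space after `=`; write it as `result = receive_message(state, in_msg);` to match TNC_IMV_ReceiveMessage. Apart from the constructor call, the body is a copy of that function, so the initialization check and state lookup could move into one static helper to keep the two entry points from drifting apart.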
@@ -281,13 +303,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
TNC_ConnectionID connection_id)
{
+ imv_state_t *state;
+
if (!imv_test)
{
DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- return imv_test->provide_recommendation(imv_test, connection_id,
- TNC_IMCID_ANY);
+ if (!imv_test->get_state(imv_test, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ return imv_test->provide_recommendation(imv_test, state);
}
/**
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 67f22c062..9b9344bf6 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -14,10 +14,12 @@
*/
#include "imv_test_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
#include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_imv_test_state_t private_imv_test_state_t;
@@ -67,6 +69,11 @@ struct private_imv_test_state_t {
TNC_IMV_Evaluation_Result eval;
/**
+ * TNC Reason String
+ */
+ imv_reason_string_t *reason_string;
+
+ /**
* List of IMCs
*/
linked_list_t *imcs;
@@ -83,24 +90,20 @@ struct imc_entry_t {
int rounds;
};
-typedef struct entry_t entry_t;
-
/**
- * Define an internal reason string entry
+ * Supported languages
*/
-struct entry_t {
- char *lang;
- char *string;
-};
+static char* languages[] = { "en", "de", "fr", "pl" };
/**
- * Table of multi-lingual reason string entries
+ * Table of reason strings
*/
-static entry_t reasons[] = {
+static imv_lang_string_t reasons[] = {
{ "en", "IMC Test was not configured with \"command = allow\"" },
{ "de", "IMC Test wurde nicht mit \"command = allow\" konfiguriert" },
{ "fr", "IMC Test n'etait pas configuré avec \"command = allow\"" },
- { "pl", "IMC Test nie zostało skonfigurowany z \"command = allow\"" }
+ { "pl", "IMC Test nie zostało skonfigurowany z \"command = allow\"" },
+ { NULL, NULL }
};
METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -163,52 +166,32 @@ METHOD(imv_state_t, set_recommendation, void,
}
METHOD(imv_state_t, get_reason_string, bool,
- private_imv_test_state_t *this, chunk_t preferred_language,
- chunk_t *reason_string, chunk_t *reason_language)
+ private_imv_test_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *reason_string, char **reason_language)
{
- chunk_t pref_lang, lang;
- u_char *pos;
- int i;
-
- while (eat_whitespace(&preferred_language))
- {
- if (!extract_token(&pref_lang, ',', &preferred_language))
- {
- /* last entry in a comma-separated list or single entry */
- pref_lang = preferred_language;
- }
-
- /* eat trailing whitespace */
- pos = pref_lang.ptr + pref_lang.len - 1;
- while (pref_lang.len && *pos-- == ' ')
- {
- pref_lang.len--;
- }
+ *reason_language = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
- for (i = 0 ; i < countof(reasons); i++)
- {
- lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
- if (chunk_equals(lang, pref_lang))
- {
- *reason_language = lang;
- *reason_string = chunk_create(reasons[i].string,
- strlen(reasons[i].string));
- return TRUE;
- }
- }
- }
+ /* Instantiate a TNC Reason String object */
+ DESTROY_IF(this->reason_string);
+ this->reason_string = imv_reason_string_create(*reason_language);
+ this->reason_string->add_reason(this->reason_string, reasons);
+ *reason_string = this->reason_string->get_encoding(this->reason_string);
- /* no preferred language match found - use the default language */
- *reason_string = chunk_create(reasons[0].string,
- strlen(reasons[0].string));
- *reason_language = chunk_create(reasons[0].lang,
- strlen(reasons[0].lang));
return TRUE;
}
+METHOD(imv_state_t, get_remediation_instructions, bool,
+ private_imv_test_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *string, char **lang_code, char **uri)
+{
+ return FALSE;
+}
+
METHOD(imv_state_t, destroy, void,
private_imv_test_state_t *this)
{
+ DESTROY_IF(this->reason_string);
this->imcs->destroy_function(this->imcs, free);
free(this);
}
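Review bot: The new get_reason_string has no comment on who owns the chunk it writes to `*reason_string`. The value comes from `this->reason_string->get_encoding()`, and that object is released by `DESTROY_IF(this->reason_string)` on the next call and again in destroy(), so the chunk presumably stays valid only until then. I would add `/* encoding is owned by this->reason_string: valid until the next call or destroy(), caller must not free it */` above the `get_encoding` line. The stub get_remediation_instructions returns `FALSE` without writing `string`, `lang_code` or `uri`, which is worth a short comment such as `/* no remediation instructions for the test IMV, outputs are left untouched */`.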
@@ -274,8 +257,8 @@ METHOD(imv_test_state_t, another_round, bool,
}
}
enumerator->destroy(enumerator);
-
- return not_finished;
+
+ return not_finished;
}
/**
@@ -298,6 +281,7 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
.get_recommendation = _get_recommendation,
.set_recommendation = _set_recommendation,
.get_reason_string = _get_reason_string,
+ .get_remediation_instructions = _get_remediation_instructions,
.destroy = _destroy,
},
.add_imc = _add_imc,
@@ -310,7 +294,7 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
.connection_id = connection_id,
.imcs = linked_list_create(),
);
-
+
return &this->public.interface;
}
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 6d984d8ab..628857cbe 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libipsec_la_DEPENDENCIES =
@@ -156,6 +162,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -183,6 +190,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -210,6 +218,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -222,6 +231,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -275,7 +285,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -411,7 +420,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES)
+libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) $(EXTRA_libipsec_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -669,10 +678,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index dc3ad3f8b..44b1117d9 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -21,7 +21,7 @@
#include "esp_context.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index bfcab95eb..16cc687ef 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -19,7 +19,7 @@
#include "esp_packet.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
#include <bio/bio_reader.h>
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
index a1d1602c1..ce8645825 100644
--- a/src/libipsec/esp_packet.h
+++ b/src/libipsec/esp_packet.h
@@ -27,8 +27,8 @@
#include "esp_context.h"
#include <library.h>
-#include <utils/host.h>
-#include <utils/packet.h>
+#include <networking/host.h>
+#include <networking/packet.h>
typedef struct esp_packet_t esp_packet_t;
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 096ca33a8..5c8cc2e3e 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -17,7 +17,7 @@
#include "ip_packet.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <netinet/in.h>
#include <netinet/ip.h>
diff --git a/src/libipsec/ip_packet.h b/src/libipsec/ip_packet.h
index b4fc298ff..de817e23e 100644
--- a/src/libipsec/ip_packet.h
+++ b/src/libipsec/ip_packet.h
@@ -22,8 +22,8 @@
#define IP_PACKET_H_
#include <library.h>
-#include <utils/host.h>
-#include <utils/packet.h>
+#include <networking/host.h>
+#include <networking/packet.h>
typedef struct ip_packet_t ip_packet_t;
diff --git a/src/libipsec/ipsec.c b/src/libipsec/ipsec.c
index 50d9163ea..6c9a26acf 100644
--- a/src/libipsec/ipsec.c
+++ b/src/libipsec/ipsec.c
@@ -17,7 +17,7 @@
#include "ipsec.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ipsec_t private_ipsec_t;
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index 34222258c..d7d7e8276 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -18,10 +18,10 @@
#include "ipsec_event_relay.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
-#include <utils/blocking_queue.h>
+#include <collections/linked_list.h>
+#include <collections/blocking_queue.h>
#include <processing/jobs/callback_job.h>
typedef struct private_ipsec_event_relay_t private_ipsec_event_relay_t;
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index af8ea9f9d..8407921ac 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -17,7 +17,7 @@
#include "ipsec_policy.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ipsec_policy_t private_ipsec_policy_t;
diff --git a/src/libipsec/ipsec_policy.h b/src/libipsec/ipsec_policy.h
index 67ad0b0ed..23a9ea99d 100644
--- a/src/libipsec/ipsec_policy.h
+++ b/src/libipsec/ipsec_policy.h
@@ -26,7 +26,7 @@
#include "ip_packet.h"
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <ipsec/ipsec_types.h>
#include <selectors/traffic_selector.h>
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
index 41ba792c3..72f94ec20 100644
--- a/src/libipsec/ipsec_policy_mgr.c
+++ b/src/libipsec/ipsec_policy_mgr.c
@@ -17,9 +17,9 @@
#include "ipsec_policy_mgr.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/** Base priority for installed policies */
#define PRIO_BASE 512
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index d3ee1074f..dfa4b12c3 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -27,8 +27,8 @@
#include "ip_packet.h"
#include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
#include <ipsec/ipsec_types.h>
#include <selectors/traffic_selector.h>
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index a91d9e074..66f43a408 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -16,10 +16,10 @@
#include "ipsec.h"
#include "ipsec_processor.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
#include <threading/rwlock.h>
-#include <utils/blocking_queue.h>
+#include <collections/blocking_queue.h>
#include <processing/jobs/callback_job.h>
typedef struct private_ipsec_processor_t private_ipsec_processor_t;
@@ -146,7 +146,9 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
policy->destroy(policy);
break;
}
- DBG1(DBG_ESP, "discarding inbound IP packet due to policy");
+ DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to "
+ "policy", ip_packet->get_source(ip_packet),
+ ip_packet->get_destination(ip_packet));
/* no matching policy found, fall-through */
}
case IPPROTO_NONE:
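Review bot: The extended message stays at `DBG1` and is emitted once per discarded packet, so a peer sending traffic that matches no policy produces one level-1 log line with two formatted addresses for every packet. Consider lowering it to `DBG2(DBG_ESP, ...)` or limiting how often it is written, so that sustained out-of-policy traffic cannot flood the log. The separator `%H == %H` also differs from the `%#H..%#H` form used by the new update_sa message in ipsec_sa_mgr.c. process_inbound starts outside this hunk, so what validation the packet has already passed at this point is not visible here.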
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
index cccd16404..2ff5cff55 100644
--- a/src/libipsec/ipsec_sa.c
+++ b/src/libipsec/ipsec_sa.c
@@ -18,7 +18,7 @@
#include "ipsec_sa.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_ipsec_sa_t private_ipsec_sa_t;
@@ -95,6 +95,20 @@ METHOD(ipsec_sa_t, get_destination, host_t*,
return this->dst;
}
+METHOD(ipsec_sa_t, set_source, void,
+ private_ipsec_sa_t *this, host_t *addr)
+{
+ this->src->destroy(this->src);
+ this->src = addr->clone(addr);
+}
+
+METHOD(ipsec_sa_t, set_destination, void,
+ private_ipsec_sa_t *this, host_t *addr)
+{
+ this->dst->destroy(this->dst);
+ this->dst = addr->clone(addr);
+}
+
METHOD(ipsec_sa_t, get_spi, u_int32_t,
private_ipsec_sa_t *this)
{
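Review bot: `set_source` and `set_destination` destroy the stored host before cloning `addr`, so a caller that passes the SA's own address back (for example the pointer returned by `get_source()`) makes `addr->clone(addr)` run on an object that was just freed. Cloning first removes the ordering hazard: `host_t *clone = addr->clone(addr);`, then `this->src->destroy(this->src);` and `this->src = clone;`, and the same for `dst`. Neither setter checks `addr` for NULL; if non-NULL is a caller contract, the header comment should say so.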
@@ -202,6 +216,8 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
.destroy = _destroy,
.get_source = _get_source,
.get_destination = _get_destination,
+ .set_source = _set_source,
+ .set_destination = _set_destination,
.get_spi = _get_spi,
.get_reqid = _get_reqid,
.get_protocol = _get_protocol,
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
index 5fd03b6e4..dec688e68 100644
--- a/src/libipsec/ipsec_sa.h
+++ b/src/libipsec/ipsec_sa.h
@@ -26,7 +26,7 @@
#include "esp_context.h"
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <selectors/traffic_selector.h>
#include <ipsec/ipsec_types.h>
@@ -52,6 +52,20 @@ struct ipsec_sa_t {
host_t *(*get_destination)(ipsec_sa_t *this);
/**
+ * Set the source address for this SA
+ *
+ * @param addr source address of this SA (gets cloned)
+ */
+ void (*set_source)(ipsec_sa_t *this, host_t *addr);
+
+ /**
+ * Set the destination address for this SA
+ *
+ * @param addr destination address of this SA (gets cloned)
+ */
+ void (*set_destination)(ipsec_sa_t *this, host_t *addr);
+
+ /**
* Get the SPI for this SA
*
* @return SPI of this SA
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index e42c77aa5..28748971d 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -18,13 +18,13 @@
#include "ipsec.h"
#include "ipsec_sa_mgr.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
#include <processing/jobs/callback_job.h>
#include <threading/condvar.h>
#include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
typedef struct private_ipsec_sa_mgr_t private_ipsec_sa_mgr_t;
@@ -237,29 +237,29 @@ static bool match_entry_by_sa_ptr(ipsec_sa_entry_t *item, ipsec_sa_t *sa)
return item->sa == sa;
}
-static bool match_entry_by_spi_inbound(ipsec_sa_entry_t *item, u_int32_t spi,
- bool inbound)
+static bool match_entry_by_spi_inbound(ipsec_sa_entry_t *item, u_int32_t *spi,
+ bool *inbound)
{
- return item->sa->get_spi(item->sa) == spi &&
- item->sa->is_inbound(item->sa) == inbound;
+ return item->sa->get_spi(item->sa) == *spi &&
+ item->sa->is_inbound(item->sa) == *inbound;
}
-static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, u_int32_t spi,
+static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
host_t *src, host_t *dst)
{
- return item->sa->match_by_spi_src_dst(item->sa, spi, src, dst);
+ return item->sa->match_by_spi_src_dst(item->sa, *spi, src, dst);
}
static bool match_entry_by_reqid_inbound(ipsec_sa_entry_t *item,
- u_int32_t reqid, bool inbound)
+ u_int32_t *reqid, bool *inbound)
{
- return item->sa->match_by_reqid(item->sa, reqid, inbound);
+ return item->sa->match_by_reqid(item->sa, *reqid, *inbound);
}
-static bool match_entry_by_spi_dst(ipsec_sa_entry_t *item, u_int32_t spi,
+static bool match_entry_by_spi_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
host_t *dst)
{
- return item->sa->match_by_spi_dst(item->sa, spi, dst);
+ return item->sa->match_by_spi_dst(item->sa, *spi, dst);
}
/**
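Review bot: The four match callbacks now take `spi`, `reqid` and `inbound` by address, but nothing in the file explains why. Every call site casts the callback to `(void*)`, so the compiler cannot flag a caller that still passes a value. A comment above the group would help, for example `/* extra find_first() arguments reach the callback as pointers, so scalars are passed by address */`. That assumes this is the reason for the change; the find_first() implementation is not part of the diff shown here.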
@@ -381,7 +381,7 @@ static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
if (this->allocated_spis->get(this->allocated_spis, &spi) ||
this->sas->find_first(this->sas, (void*)match_entry_by_spi_inbound,
- NULL, spi, TRUE) == SUCCESS)
+ NULL, &spi, TRUE) == SUCCESS)
{
return FALSE;
}
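Review bot: The `find_first()` call in allocate_spi still passes the literal `TRUE` as its last argument, but `match_entry_by_spi_inbound` now declares `bool *inbound` and evaluates `*inbound`. Once an entry's SPI matches, the callback therefore reads through an invalid pointer instead of comparing a flag. The other updated call sites pass addresses, for example `&reqid, &inbound` in checkout_by_reqid. Use a local `bool inbound = TRUE;` and change the call to `NULL, &spi, &inbound) == SUCCESS)`. allocate_spi starts outside this hunk, so the declaration belongs with its other locals.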
@@ -471,7 +471,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
}
if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
- NULL, spi, src, dst) == SUCCESS)
+ NULL, &spi, src, dst) == SUCCESS)
{
this->mutex->unlock(this->mutex);
DBG1(DBG_ESP, "failed to install SAD entry: already installed");
@@ -487,6 +487,44 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
return SUCCESS;
}
+METHOD(ipsec_sa_mgr_t, update_sa, status_t,
+ private_ipsec_sa_mgr_t *this, u_int32_t spi, u_int8_t protocol,
+ u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+ bool encap, bool new_encap, mark_t mark)
+{
+ ipsec_sa_entry_t *entry = NULL;
+
+ DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+ ntohl(spi), src, dst, new_src, new_dst);
+
+ if (!new_encap)
+ {
+ DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
+ "encapsulation");
+ return NOT_SUPPORTED;
+ }
+
+ this->mutex->lock(this->mutex);
+ if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
+ (void**)&entry, &spi, src, dst) == SUCCESS &&
+ wait_for_entry(this, entry))
+ {
+ entry->sa->set_source(entry->sa, new_src);
+ entry->sa->set_destination(entry->sa, new_dst);
+ /* checkin the entry */
+ entry->locked = FALSE;
+ entry->condvar->signal(entry->condvar);
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (!entry)
+ {
+ DBG1(DBG_ESP, "failed to update SAD entry: not found");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
METHOD(ipsec_sa_mgr_t, del_sa, status_t,
private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
u_int8_t protocol, u_int16_t cpi, mark_t mark)
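Review bot: update_sa returns `SUCCESS` when the entry was found but `wait_for_entry()` evaluated to false, because the final check tests only `entry`, which `find_first()` has already filled in. In that case neither address was changed, and `entry` may no longer be valid if the wait failed because the entry was removed. Track the outcome explicitly: declare `bool updated = FALSE;`, set `updated = TRUE;` after the two setter calls inside the locked block, and test `if (!updated)` before returning `FAILED`. The `protocol`, `cpi`, `encap` and `mark` arguments take no part in the lookup, which deserves a comment if it is intentional.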
@@ -498,7 +536,7 @@ METHOD(ipsec_sa_mgr_t, del_sa, status_t,
enumerator = this->sas->create_enumerator(this->sas);
while (enumerator->enumerate(enumerator, (void**)&current))
{
- if (match_entry_by_spi_src_dst(current, spi, src, dst))
+ if (match_entry_by_spi_src_dst(current, &spi, src, dst))
{
if (wait_remove_entry(this, current))
{
@@ -529,7 +567,7 @@ METHOD(ipsec_sa_mgr_t, checkout_by_reqid, ipsec_sa_t*,
this->mutex->lock(this->mutex);
if (this->sas->find_first(this->sas, (void*)match_entry_by_reqid_inbound,
- (void**)&entry, reqid, inbound) == SUCCESS &&
+ (void**)&entry, &reqid, &inbound) == SUCCESS &&
wait_for_entry(this, entry))
{
sa = entry->sa;
@@ -546,7 +584,7 @@ METHOD(ipsec_sa_mgr_t, checkout_by_spi, ipsec_sa_t*,
this->mutex->lock(this->mutex);
if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_dst,
- (void**)&entry, spi, dst) == SUCCESS &&
+ (void**)&entry, &spi, dst) == SUCCESS &&
wait_for_entry(this, entry))
{
sa = entry->sa;
@@ -609,6 +647,7 @@ ipsec_sa_mgr_t *ipsec_sa_mgr_create()
.public = {
.get_spi = _get_spi,
.add_sa = _add_sa,
+ .update_sa = _update_sa,
.del_sa = _del_sa,
.checkout_by_spi = _checkout_by_spi,
.checkout_by_reqid = _checkout_by_reqid,
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index 303b36f0e..3ff092038 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -28,7 +28,7 @@
#include <library.h>
#include <ipsec/ipsec_types.h>
#include <selectors/traffic_selector.h>
-#include <utils/host.h>
+#include <networking/host.h>
typedef struct ipsec_sa_mgr_t ipsec_sa_mgr_t;
@@ -86,6 +86,27 @@ struct ipsec_sa_mgr_t {
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
/**
+ * Update the hosts on an installed SA.
+ *
+ * @param spi SPI of the SA
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param cpi CPI for IPComp, 0 if no IPComp is used
+ * @param src current source address
+ * @param dst current destination address
+ * @param new_src new source address
+ * @param new_dst new destination address
+ * @param encap current use of UDP encapsulation
+ * @param new_encap new use of UDP encapsulation
+ * @param mark optional mark for this SA
+ * @return SUCCESS if operation completed
+ */
+ status_t (*update_sa)(ipsec_sa_mgr_t *this,
+ u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+ host_t *src, host_t *dst,
+ host_t *new_src, host_t *new_dst,
+ bool encap, bool new_encap, mark_t mark);
+
+ /**
* Delete a previously added SA
*
* @param spi SPI of the SA
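Review bot: The `@return` line for update_sa documents only `SUCCESS`, while the implementation added in ipsec_sa_mgr.c also returns `NOT_SUPPORTED` when `new_encap` is FALSE and `FAILED` when no matching SA is found. I would write `@return SUCCESS if the SA was updated, NOT_SUPPORTED if new_encap is FALSE, FAILED if no matching SA was found`. The `new_src` and `new_dst` lines could also say the addresses get cloned, as the setter documentation in ipsec_sa.h already does.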
diff --git a/src/libpts/Makefile.am b/src/libpts/Makefile.am
index 8137493ab..edf3f7416 100644
--- a/src/libpts/Makefile.am
+++ b/src/libpts/Makefile.am
@@ -3,7 +3,11 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
ipseclib_LTLIBRARIES = libpts.la
-libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi
+libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la
+
+if USE_TROUSERS
+ libpts_la_LIBADD += -ltspi
+endif
libpts_la_SOURCES = \
libpts.h libpts.c \
@@ -47,7 +51,7 @@ libpts_la_SOURCES = \
tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \
tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \
tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c
-
+
SUBDIRS = .
if USE_IMC_ATTESTATION
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index 0b6451bcc..d275a8b2b 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -34,8 +34,9 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-@USE_IMC_ATTESTATION_TRUE@am__append_1 = plugins/imc_attestation
-@USE_IMV_ATTESTATION_TRUE@am__append_2 = plugins/imv_attestation
+@USE_TROUSERS_TRUE@am__append_1 = -ltspi
+@USE_IMC_ATTESTATION_TRUE@am__append_2 = plugins/imc_attestation
+@USE_IMV_ATTESTATION_TRUE@am__append_3 = plugins/imv_attestation
subdir = src/libpts
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -75,9 +76,17 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la
+am__DEPENDENCIES_1 =
+libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+ $(am__DEPENDENCIES_1)
am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_pcr.lo \
pts_creds.lo pts_database.lo pts_dh_group.lo pts_file_meas.lo \
pts_file_meta.lo pts_file_type.lo pts_meas_algo.lo \
@@ -172,6 +181,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -199,6 +209,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -226,6 +237,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -238,6 +250,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -291,7 +304,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -340,7 +352,8 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
ipseclib_LTLIBRARIES = libpts.la
-libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi
+libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+ $(am__append_1)
libpts_la_SOURCES = \
libpts.h libpts.c \
pts/pts.h pts/pts.c \
@@ -384,7 +397,7 @@ libpts_la_SOURCES = \
tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \
tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c
-SUBDIRS = . $(am__append_1) $(am__append_2)
+SUBDIRS = . $(am__append_2) $(am__append_3)
all: all-recursive
.SUFFIXES:
@@ -450,7 +463,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES)
+libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) $(EXTRA_libpts_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -987,10 +1000,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libpts/libpts.c b/src/libpts/libpts.c
index 384ee4ed7..95110823c 100644
--- a/src/libpts/libpts.c
+++ b/src/libpts/libpts.c
@@ -23,7 +23,7 @@
#include "pts/components/ita/ita_comp_tgrub.h"
#include <imcv.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* PTS Functional Component manager
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 4734379bf..15028d677 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(imcvdir)"
LTLIBRARIES = $(imcv_LTLIBRARIES)
imc_attestation_la_DEPENDENCIES = \
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -367,7 +376,7 @@ clean-imcvLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES)
+imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES)
$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c
index 7cb2a0671..bb327e936 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation.c
@@ -17,11 +17,13 @@
#include "imc_attestation_process.h"
#include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
#include <ietf/ietf_attr.h>
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
#include <ietf/ietf_attr_assess_result.h>
+#include <os_info/os_info.h>
#include <libpts.h>
@@ -33,15 +35,16 @@
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
/* IMC definitions */
static const char imc_name[] = "Attestation";
-#define IMC_VENDOR_ID PEN_TCG
-#define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS
+static pen_type_t msg_types[] = {
+ { PEN_TCG, PA_SUBTYPE_TCG_PTS }
+};
static imc_agent_t *imc_attestation;
@@ -73,7 +76,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
{
return TNC_RESULT_FATAL;
}
- imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+ imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types),
imc_id, actual_version);
if (!imc_attestation)
{
@@ -81,7 +84,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
}
libpts_init();
-
+
if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
{
DBG1(DBG_IMC, "no common IF-IMC version");
@@ -135,94 +138,35 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
TNC_ConnectionID connection_id)
{
- imc_state_t *state;
- imc_attestation_state_t *attestation_state;
- pts_t *pts;
- char *platform_info;
- TNC_Result result = TNC_RESULT_SUCCESS;
-
if (!imc_attestation)
{
DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- /* get current IMC state */
- if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imc_attestation_state_t*)state;
- pts = attestation_state->get_pts(attestation_state);
-
- platform_info = pts->get_platform_info(pts);
- if (platform_info)
- {
- linked_list_t *attr_list;
- pa_tnc_attr_t *attr;
-
- attr_list = linked_list_create();
- attr = ietf_attr_product_info_create(0, 0, platform_info);
- attr_list->insert_last(attr_list, attr);
- result = imc_attestation->send_message(imc_attestation, connection_id,
- FALSE, 0, TNC_IMVID_ANY, attr_list);
- attr_list->destroy(attr_list);
- }
-
- return result;
+ return TNC_RESULT_SUCCESS;
}
-static TNC_Result receive_message(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id,
- TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
{
- pa_tnc_msg_t *pa_tnc_msg;
- pa_tnc_attr_t *attr;
- pen_type_t type;
- linked_list_t *attr_list;
- imc_state_t *state;
+ imc_msg_t *out_msg;
imc_attestation_state_t *attestation_state;
enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t type;
TNC_Result result;
- TNC_UInt32 target_imc_id;
-
- if (!imc_attestation)
- {
- DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
- return TNC_RESULT_NOT_INITIALIZED;
- }
-
- /* get current IMC state */
- if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imc_attestation_state_t*)state;
-
- /* parse received PA-TNC message and automatically handle any errors */
- result = imc_attestation->receive_message(imc_attestation, state, msg,
- msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
+ bool fatal_error = FALSE;
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
{
return result;
}
- target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
-
- /* preprocess any IETF standard error attributes */
- result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
- TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
- attr_list = linked_list_create();
+ out_msg = imc_msg_create_as_reply(in_msg);
/* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
while (enumerator->enumerate(enumerator, &attr))
{
type = attr->get_type(attr);
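Review bot: `fatal_error` is filled in by `in_msg->receive(in_msg, &fatal_error)` in receive_message(), but nothing in the lines shown reads it afterwards. The removed code turned a positive `process_ietf_std_errors()` result into `TNC_RESULT_FATAL`, so a fatal error reported by the peer may now end in `TNC_RESULT_SUCCESS` and a reply being sent. Unless the part of the attribute loop outside this hunk covers that case, add `if (fatal_error) { result = TNC_RESULT_FATAL; }` after `enumerator->destroy(enumerator)` and before the send. The loop body continues outside this hunk.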
@@ -249,18 +193,12 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
result = TNC_RESULT_FATAL;
}
}
- else if (type.type == IETF_ATTR_ASSESSMENT_RESULT)
- {
- ietf_attr_assess_result_t *ietf_attr;
-
- ietf_attr = (ietf_attr_assess_result_t*)attr;
- state->set_result(state, target_imc_id,
- ietf_attr->get_result(ietf_attr));
- }
}
else if (type.vendor_id == PEN_TCG)
{
- if (!imc_attestation_process(attr, attr_list, attestation_state,
+ attestation_state = (imc_attestation_state_t*)state;
+
+ if (!imc_attestation_process(attr, out_msg, attestation_state,
supported_algorithms, supported_dh_groups))
{
result = TNC_RESULT_FATAL;
@@ -269,14 +207,13 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
}
}
enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
- if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
+ if (result == TNC_RESULT_SUCCESS)
{
- result = imc_attestation->send_message(imc_attestation, connection_id,
- FALSE, 0, TNC_IMVID_ANY, attr_list);
+ /* send PA-TNC message with the excl flag set */
+ result = out_msg->send(out_msg, TRUE);
}
- attr_list->destroy(attr_list);
+ out_msg->destroy(out_msg);
return result;
}
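Review bot: The old guard `attr_list->get_count(attr_list)` is gone, so `out_msg->send(out_msg, TRUE)` is now called even when no attribute was added to the reply. Whether send() is a no-op for an empty message is not visible here. If it is, say so in the comment, for example `/* send PA-TNC message with the excl flag set; send() does nothing if no attributes were added */`. If it is not, restore an explicit emptiness check before sending.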
@@ -290,14 +227,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_attestation)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ in_msg = imc_msg_create_from_data(imc_attestation, state, connection_id,
+ msg_type, chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMCID_ANY);
+ return result;
}
/**
@@ -313,9 +262,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
TNC_UInt32 src_imv_id,
TNC_UInt32 dst_imc_id)
{
- return receive_message(imc_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imv_id, dst_imc_id);
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_attestation)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imc_msg_create_from_long_data(imc_attestation, state, connection_id,
+ src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
}
/**
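Review bot: `result =receive_message(state, in_msg);` is missing the space after `=`, unlike the identical statement added to TNC_IMC_ReceiveMessage in the previous hunk. Both entry points now repeat the same prologue (the `imc_attestation` NULL check followed by `get_state()`), which could live in one small static helper returning a `TNC_Result` so the two paths cannot drift apart. The return value of `imc_msg_create_from_long_data()` is used without a check; if that constructor can fail (not visible here), `in_msg->destroy(in_msg)` would dereference NULL. The function signature starts outside this hunk.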
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
index bd2fa649d..88d24dd88 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
@@ -43,12 +43,12 @@
#include <tcg/tcg_pts_attr_req_file_meta.h>
#include <tcg/tcg_pts_attr_unix_file_meta.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <utils/lexparser.h>
#define DEFAULT_NONCE_LEN 20
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
imc_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
pts_dh_group_t supported_dh_groups)
@@ -76,7 +76,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
/* Send PTS Protocol Capabilities attribute */
attr = tcg_pts_attr_proto_caps_create(imc_caps & imv_caps, FALSE);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_MEAS_ALGO:
@@ -91,14 +91,14 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
if (selected_algorithm == PTS_MEAS_ALGO_NONE)
{
attr = pts_hash_alg_error_create(supported_algorithms);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
/* Send Measurement Algorithm Selection attribute */
pts->set_meas_algorithm(pts, selected_algorithm);
attr = tcg_pts_attr_meas_algo_create(selected_algorithm, TRUE);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_DH_NONCE_PARAMS_REQ:
@@ -118,7 +118,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
(min_nonce_len > 0 && nonce_len < min_nonce_len))
{
attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
@@ -128,7 +128,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
if (selected_dh_group == PTS_DH_GROUP_NONE)
{
attr = pts_dh_group_error_create(supported_dh_groups);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
@@ -142,7 +142,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
/* Send DH Nonce Parameters Response attribute */
attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group,
supported_algorithms, responder_nonce, responder_value);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_DH_NONCE_FINISH:
@@ -173,7 +173,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
"have differing lengths");
return FALSE;
}
-
+
pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
if (!pts->calculate_secret(pts))
{
@@ -190,13 +190,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
{
attr_info = attr->get_value(attr);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
/* Send TPM Version Info attribute */
attr = tcg_pts_attr_tpm_version_info_create(tpm_version_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_GET_AIK:
@@ -212,7 +212,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
/* Send AIK attribute */
attr = tcg_pts_attr_aik_create(aik);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_REQ_FILE_MEAS:
@@ -237,7 +237,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
{
error_code = pen_type_create(PEN_TCG, pts_error);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
else if (!valid_path)
@@ -250,7 +250,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
error_code = pen_type_create(PEN_TCG,
TCG_PTS_INVALID_DELIMITER);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
@@ -268,7 +268,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
}
attr = tcg_pts_attr_file_meas_create(measurements);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_REQ_FILE_META:
@@ -291,7 +291,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
{
error_code = pen_type_create(PEN_TCG, pts_error);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
else if (!valid_path)
@@ -303,7 +303,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
error_code = pen_type_create(PEN_TCG,
TCG_PTS_INVALID_DELIMITER);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
/* Get File Metadata and send them to PTS-IMV */
@@ -319,8 +319,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
}
attr = tcg_pts_attr_unix_file_meta_create(metadata);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
-
+ msg->add_attribute(msg, attr);
break;
}
case TCG_PTS_REQ_FUNC_COMP_EVID:
@@ -335,7 +334,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
u_int8_t flags;
status_t status;
enumerator_t *e;
-
+
attr_info = attr->get_value(attr);
attr_cast = (tcg_pts_attr_req_func_comp_evid_t*)attr;
@@ -351,9 +350,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
if (flags & PTS_REQ_FUNC_COMP_EVID_TTC)
{
error_code = pen_type_create(PEN_TCG,
- TCG_PTS_UNABLE_DET_TTC);
+ TCG_PTS_UNABLE_DET_TTC);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
if (flags & PTS_REQ_FUNC_COMP_EVID_VER &&
@@ -362,7 +361,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
error_code = pen_type_create(PEN_TCG,
TCG_PTS_UNABLE_LOCAL_VAL);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
if (flags & PTS_REQ_FUNC_COMP_EVID_CURR &&
@@ -371,7 +370,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
error_code = pen_type_create(PEN_TCG,
TCG_PTS_UNABLE_CUR_EVID);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
if (flags & PTS_REQ_FUNC_COMP_EVID_PCR &&
@@ -380,7 +379,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
error_code = pen_type_create(PEN_TCG,
TCG_PTS_UNABLE_DET_PCR);
attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
if (depth > 0)
@@ -425,7 +424,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
while (attestation_state->next_evidence(attestation_state, &evid))
{
attr = tcg_pts_attr_simple_comp_evid_create(evid);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
}
use_quote2 = lib->settings->get_bool(lib->settings,
@@ -443,7 +442,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
attr = tcg_pts_attr_simple_evid_final_create(flags,
comp_hash_algorithm, pcr_composite, quote_sig);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
break;
}
/* TODO: Not implemented yet */
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
index b6dca1f56..5ada104fa 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
@@ -26,6 +26,7 @@
#include <library.h>
+#include <imc/imc_msg.h>
#include <pa_tnc/pa_tnc_attr.h>
#include <pts/pts_dh_group.h>
@@ -35,13 +36,13 @@
* Process a TCG PTS attribute
*
* @param attr PA-TNC attribute to be processed
- * @param attr_list list with PA-TNC error attributes
+ * @param msg outbound PA-TNC message to be assembled
* @param attestation_state attestation state of a given connection
* @param supported_algorithms supported PTS measurement algorithms
* @param supported_dh_groups supported DH groups
* @return TRUE if successful
*/
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
imc_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
pts_dh_group_t supported_dh_groups);
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c
index 8ebabafa2..4fcbdfa8a 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c
@@ -19,8 +19,8 @@
#include <tncif_names.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_imc_attestation_state_t private_imc_attestation_state_t;
typedef struct func_comp_t func_comp_t;
@@ -129,8 +129,6 @@ METHOD(imc_state_t, set_result, void,
private_imc_attestation_state_t *this, TNC_IMCID id,
TNC_IMV_Evaluation_Result result)
{
- DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
- id, TNC_IMV_Evaluation_Result_names, result);
this->result = result;
}
@@ -212,7 +210,6 @@ METHOD(imc_attestation_state_t, next_evidence, bool,
imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
{
private_imc_attestation_state_t *this;
- char *platform_info;
INIT(this,
.public = {
@@ -241,13 +238,6 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
.list = linked_list_create(),
);
- platform_info = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.platform_info", NULL);
- if (platform_info)
- {
- this->pts->set_platform_info(this->pts, platform_info);
- }
-
return &this->public.interface;
}
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index afb4abed7..59ef5311e 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
LTLIBRARIES = $(imcv_LTLIBRARIES)
imv_attestation_la_DEPENDENCIES = \
@@ -132,6 +138,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -159,6 +166,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -186,6 +194,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -198,6 +207,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -251,7 +261,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -393,7 +402,7 @@ clean-imcvLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES)
+imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES)
$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
@@ -438,7 +447,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES)
+attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES)
@rm -f attest$(EXEEXT)
$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
@@ -582,10 +591,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index a202d128f..1cdacaeeb 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -22,7 +22,7 @@
#include <syslog.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <imcv.h>
#include <libpts.h>
@@ -99,9 +99,11 @@ static void do_args(int argc, char *argv[])
OP_USAGE,
OP_KEYS,
OP_COMPONENTS,
+ OP_DEVICES,
OP_FILES,
OP_HASHES,
OP_MEASUREMENTS,
+ OP_PACKAGES,
OP_PRODUCTS,
OP_ADD,
OP_DEL,
@@ -117,8 +119,10 @@ static void do_args(int argc, char *argv[])
struct option long_opts[] = {
{ "help", no_argument, NULL, 'h' },
{ "components", no_argument, NULL, 'c' },
+ { "devices", no_argument, NULL, 'e' },
{ "files", no_argument, NULL, 'f' },
{ "keys", no_argument, NULL, 'k' },
+ { "packages", no_argument, NULL, 'g' },
{ "products", no_argument, NULL, 'p' },
{ "hashes", no_argument, NULL, 'H' },
{ "measurements", no_argument, NULL, 'm' },
@@ -126,12 +130,14 @@ static void do_args(int argc, char *argv[])
{ "delete", no_argument, NULL, 'd' },
{ "del", no_argument, NULL, 'd' },
{ "aik", required_argument, NULL, 'A' },
+ { "blacklist", no_argument, NULL, 'B' },
{ "component", required_argument, NULL, 'C' },
{ "comp", required_argument, NULL, 'C' },
{ "directory", required_argument, NULL, 'D' },
{ "dir", required_argument, NULL, 'D' },
{ "file", required_argument, NULL, 'F' },
{ "sha1-ima", no_argument, NULL, 'I' },
+ { "package", required_argument, NULL, 'G' },
{ "key", required_argument, NULL, 'K' },
{ "owner", required_argument, NULL, 'O' },
{ "product", required_argument, NULL, 'P' },
@@ -139,6 +145,9 @@ static void do_args(int argc, char *argv[])
{ "rel", no_argument, NULL, 'R' },
{ "sequence", required_argument, NULL, 'S' },
{ "seq", required_argument, NULL, 'S' },
+ { "utc", no_argument, NULL, 'U' },
+ { "version", required_argument, NULL, 'V' },
+ { "security", no_argument, NULL, 'Y' },
{ "sha1", no_argument, NULL, '1' },
{ "sha256", no_argument, NULL, '2' },
{ "sha384", no_argument, NULL, '3' },
@@ -147,6 +156,7 @@ static void do_args(int argc, char *argv[])
{ "pid", required_argument, NULL, '6' },
{ "cid", required_argument, NULL, '7' },
{ "kid", required_argument, NULL, '8' },
+ { "gid", required_argument, NULL, '9' },
{ 0,0,0,0 }
};
@@ -161,9 +171,15 @@ static void do_args(int argc, char *argv[])
case 'c':
op = OP_COMPONENTS;
continue;
+ case 'e':
+ op = OP_DEVICES;
+ continue;
case 'f':
op = OP_FILES;
continue;
+ case 'g':
+ op = OP_PACKAGES;
+ continue;
case 'k':
op = OP_KEYS;
continue;
@@ -219,6 +235,9 @@ static void do_args(int argc, char *argv[])
}
continue;
}
+ case 'B':
+ attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST);
+ continue;
case 'C':
if (!attest->set_component(attest, optarg, op == OP_ADD))
{
@@ -237,6 +256,12 @@ static void do_args(int argc, char *argv[])
exit(EXIT_FAILURE);
}
continue;
+ case 'G':
+ if (!attest->set_package(attest, optarg, op == OP_ADD))
+ {
+ exit(EXIT_FAILURE);
+ }
+ continue;
case 'I':
attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA);
continue;
@@ -266,6 +291,18 @@ static void do_args(int argc, char *argv[])
case 'S':
attest->set_sequence(attest, atoi(optarg));
continue;
+ case 'U':
+ attest->set_utc(attest);
+ continue;
+ case 'V':
+ if (!attest->set_version(attest, optarg))
+ {
+ exit(EXIT_FAILURE);
+ }
+ continue;
+ case 'Y':
+ attest->set_security(attest, OS_PACKAGE_STATE_SECURITY);
+ continue;
case '1':
attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
continue;
@@ -305,6 +342,12 @@ static void do_args(int argc, char *argv[])
exit(EXIT_FAILURE);
}
continue;
+ case '9':
+ if (!attest->set_gid(attest, atoi(optarg)))
+ {
+ exit(EXIT_FAILURE);
+ }
+ continue;
}
break;
}
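Review bot: `atoi(optarg)` in the new `'9'` case cannot report a parse failure, so `--gid foo` is silently looked up as gid 0 and an out-of-range value is undefined behaviour. Parsing with `strtol(optarg, &end, 10)` and rejecting the argument when `end == optarg || *end != '\0'` or the value falls outside `0..INT_MAX` would give the operator an error instead of a query for the wrong row. The existing `--seq` handling also uses `atoi`, so this could be fixed for both in one small helper. do_args() starts and ends outside this hunk.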
@@ -314,6 +357,9 @@ static void do_args(int argc, char *argv[])
case OP_USAGE:
usage();
break;
+ case OP_PACKAGES:
+ attest->list_packages(attest);
+ break;
case OP_PRODUCTS:
attest->list_products(attest);
break;
@@ -323,6 +369,9 @@ static void do_args(int argc, char *argv[])
case OP_COMPONENTS:
attest->list_components(attest);
break;
+ case OP_DEVICES:
+ attest->list_devices(attest);
+ break;
case OP_FILES:
attest->list_files(attest);
break;
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 55afbf701..91e9766d0 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -21,6 +21,7 @@
#include "pts/components/pts_comp_func_name.h"
#include <libgen.h>
+#include <time.h>
#define IMA_MAX_NAME_LEN 255
@@ -97,6 +98,21 @@ struct private_attest_db_t {
bool key_set;
/**
+ * Software package to be queried
+ */
+ char *package;
+
+ /**
+ * Primary key of software package to be queried
+ */
+ int gid;
+
+ /**
+ * TRUE if package has been set
+ */
+ bool package_set;
+
+ /**
* Software product to be queried
*/
char *product;
@@ -112,11 +128,31 @@ struct private_attest_db_t {
bool product_set;
/**
+ * Software package version to be queried
+ */
+ char *version;
+
+ /**
+ * TRUE if version has been set
+ */
+ bool version_set;
+
+ /**
* TRUE if relative filenames are to be used
*/
bool relative;
/**
+ * TRUE if dates are to be displayed in UTC
+ */
+ bool utc;
+
+ /**
+ * Package security state
+ */
+ os_package_state_t security;
+
+ /**
* Sequence number for ordering entries
*/
int seq_no;
@@ -588,6 +624,96 @@ METHOD(attest_db_t, set_pid, bool,
return this->product_set;
}
+METHOD(attest_db_t, set_package, bool,
+ private_attest_db_t *this, char *package, bool create)
+{
+ enumerator_t *e;
+
+ if (this->package_set)
+ {
+ printf("package has already been set\n");
+ return FALSE;
+ }
+ this->package = strdup(package);
+
+ e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?",
+ DB_TEXT, package, DB_INT);
+ if (e)
+ {
+ if (e->enumerate(e, &this->gid))
+ {
+ this->package_set = TRUE;
+ }
+ e->destroy(e);
+ }
+ if (this->package_set)
+ {
+ return TRUE;
+ }
+
+ if (!create)
+ {
+ printf("package '%s' not found in database\n", package);
+ return FALSE;
+ }
+
+ /* Add a new database entry */
+ this->package_set = this->db->execute(this->db, &this->gid,
+ "INSERT INTO packages (name) VALUES (?)",
+ DB_TEXT, package) == 1;
+
+ printf("package '%s' %sinserted into database\n", package,
+ this->package_set ? "" : "could not be ");
+
+ return this->package_set;
+}
+
+METHOD(attest_db_t, set_gid, bool,
+ private_attest_db_t *this, int gid)
+{
+ enumerator_t *e;
+ char *package;
+
+ if (this->package_set)
+ {
+ printf("package has already been set\n");
+ return FALSE;
+ }
+ this->gid = gid;
+
+ e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?",
+ DB_UINT, gid, DB_TEXT);
+ if (e)
+ {
+ if (e->enumerate(e, &package))
+ {
+ this->package = strdup(package);
+ this->package_set = TRUE;
+ }
+ else
+ {
+ printf("no package found with gid %d in database\n", gid);
+ }
+ e->destroy(e);
+ }
+ return this->package_set;
+}
+
+METHOD(attest_db_t, set_version, bool,
+ private_attest_db_t *this, char *version)
+{
+ if (this->version_set)
+ {
+ printf("version has already been set\n");
+ return FALSE;
+ }
+ this->version = strdup(version);
+ this->version_set = TRUE;
+
+ return TRUE;
+}
+
+
METHOD(attest_db_t, set_algo, void,
private_attest_db_t *this, pts_meas_algorithms_t algo)
{
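Review bot: set_gid() binds the signed `gid` as `DB_UINT` in `SELECT name FROM packages WHERE id = ?`, while set_package() reads the same column as `DB_INT`, and it stores `this->gid = gid` before the lookup has confirmed that the row exists. Binding with `DB_INT, gid, DB_TEXT` and assigning `this->gid` inside the `e->enumerate()` success branch would leave the object unchanged on failure. set_package() has the same ordering problem: `this->package = strdup(package)` runs before the query, so a failed lookup with `create` false leaves an allocated name behind while `package_set` is still FALSE. Whether the destructor frees `package` and `version` is not visible in this hunk and should be checked.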
@@ -600,6 +726,12 @@ METHOD(attest_db_t, set_relative, void,
this->relative = TRUE;
}
+METHOD(attest_db_t, set_security, void,
+ private_attest_db_t *this, os_package_state_t security)
+{
+ this->security = security;
+}
+
METHOD(attest_db_t, set_sequence, void,
private_attest_db_t *this, int seq_no)
{
@@ -613,6 +745,12 @@ METHOD(attest_db_t, set_owner, void,
this->owner = strdup(owner);
}
+METHOD(attest_db_t, set_utc, void,
+ private_attest_db_t *this)
+{
+ this->utc = TRUE;
+}
+
METHOD(attest_db_t, list_components, void,
private_attest_db_t *this)
{
@@ -663,6 +801,46 @@ METHOD(attest_db_t, list_components, void,
}
}
+METHOD(attest_db_t, list_devices, void,
+ private_attest_db_t *this)
+{
+ enumerator_t *e;
+ chunk_t value;
+ char *product;
+ time_t timestamp;
+ int id, last_id = 0, device_count = 0;
+ int count, count_update, count_blacklist;
+ u_int tstamp, flags = 0;
+
+ e = this->db->query(this->db,
+ "SELECT d.id, d.value, i.time, i.count, i.count_update, "
+ "i.count_blacklist, i.flags, p.name FROM devices AS d "
+ "JOIN device_infos AS i ON d.id = i.device "
+ "JOIN products AS p ON p.id = i.product "
+ "ORDER BY d.value, i.time DESC",
+ DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
+
+ if (e)
+ {
+ while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
+ &count_blacklist, &flags, &product))
+ {
+ if (id != last_id)
+ {
+ printf("%4d: %.*s\n", id, (int)value.len, value.ptr);
+ device_count++;
+ last_id = id;
+ }
+ timestamp = tstamp;
+ printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, this->utc,
+ count, count_update, count_blacklist, flags, product);
+ }
+ e->destroy(e);
+ printf("%d device%s found\n", device_count,
+ (device_count == 1) ? "" : "s");
+ }
+}
+
METHOD(attest_db_t, list_keys, void,
private_attest_db_t *this)
{
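Review bot: list_devices() prints the `devices.value` blob with `%.*s` unchanged, so any control or escape bytes stored in that column reach the operator's terminal. If device values can originate from remote endpoints (not visible here), escape non-printable bytes before printing or print the value in hex. The function also prints nothing when `query()` returns NULL; an `else` branch with a short message on stderr would let the operator tell a database failure from a listing that was never produced.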
@@ -765,6 +943,70 @@ METHOD(attest_db_t, list_files, void,
printf("\n");
}
+METHOD(attest_db_t, list_packages, void,
+ private_attest_db_t *this)
+{
+ enumerator_t *e;
+ char *package, *version;
+ os_package_state_t security;
+ int gid, gid_old = 0, spaces, count = 0;
+ time_t t;
+
+ if (this->pid)
+ {
+ e = this->db->query(this->db,
+ "SELECT p.id, p.name, v.release, v.security, v.time "
+ "FROM packages AS p JOIN versions AS v ON v.package = p.id "
+ "WHERE v.product = ? ORDER BY p.name, v.release",
+ DB_INT, this->pid, DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT);
+ if (e)
+ {
+ while (e->enumerate(e, &gid, &package, &version, &security, &t))
+ {
+ if (gid != gid_old)
+ {
+ printf("%5d: %s,", gid, package);
+ gid_old = gid;
+ }
+ else
+ {
+ spaces = 8 + strlen(package);
+ while (spaces--)
+ {
+ printf(" ");
+ }
+ }
+ printf(" %T (%s)%N\n", &t, this->utc, version,
+ os_package_state_names, security);
+ count++;
+ }
+ e->destroy(e);
+ }
+ }
+ else
+ {
+ e = this->db->query(this->db, "SELECT id, name FROM packages "
+ "ORDER BY name",
+ DB_INT, DB_TEXT);
+ if (e)
+ {
+ while (e->enumerate(e, &gid, &package))
+ {
+ printf("%4d: %s\n", gid, package);
+ count++;
+ }
+ e->destroy(e);
+ }
+ }
+
+ printf("%d package%s found", count, (count == 1) ? "" : "s");
+ if (this->product_set)
+ {
+ printf(" for product '%s'", this->product);
+ }
+ printf("\n");
+}
+
METHOD(attest_db_t, list_products, void,
private_attest_db_t *this)
{
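Review bot: In list_packages `t` is declared `time_t` but is filled through `e->enumerate(e, &gid, &package, &version, &security, &t)` for a column typed `DB_INT`. Assuming the enumerator stores `DB_INT` through an `int` pointer, only part of `t` is written where `time_t` is wider than `int`, and `%T` would then print a garbage date. list_devices above avoids this by reading into `u_int tstamp` and assigning `timestamp = tstamp;`, and the same pattern fits here: `u_int tstamp;` with `DB_UINT`, then `t = tstamp;`. The INSERT added to `add` further down has the mirror-image issue, passing a `time_t t` for a `DB_INT` placeholder; an explicit cast or an `int`/`u_int` local would make the vararg width match.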
@@ -858,7 +1100,7 @@ METHOD(attest_db_t, list_hashes, void,
dir = strdup("");
- if (this->pid && this->fid)
+ if (this->pid && this->fid & this->did)
{
e = this->db->query(this->db,
"SELECT hash FROM file_hashes "
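Review bot: `this->fid & this->did` in the new condition is a bitwise AND of two primary keys, so the branch is taken only when the two ids happen to share a set bit (fid 2 and did 1 give 0). Presumably the logical operator was meant: `if (this->pid && this->fid && this->did)`. As written, a request with all three ids set can fall through to the `else if (this->pid && this->fid)` branch added in the next hunk, whose query does not filter on the directory. The body of list_hashes continues outside this hunk.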
@@ -885,6 +1127,32 @@ METHOD(attest_db_t, list_hashes, void,
(count == 1) ? "" : "s", this->product);
}
}
+ else if (this->pid && this->fid)
+ {
+ e = this->db->query(this->db,
+ "SELECT f.path, fh.hash FROM file_hashes AS fh "
+ "JOIN files AS f ON f.id = fh.file "
+ "WHERE algo = ? AND file = ? AND product = ?",
+ DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid,
+ DB_TEXT, DB_BLOB);
+ if (e)
+ {
+ free(dir);
+ while (e->enumerate(e, &dir, &hash))
+ {
+ printf("%4d: %s%s%s\n", this->fid, dir,
+ slash(dir, this->file) ? "/" : "", this->file);
+ printf(" %#B\n", &hash);
+ count++;
+ }
+ e->destroy(e);
+
+ printf("%d %N value%s found for product '%s'\n", count,
+ pts_meas_algorithm_names, this->algo,
+ (count == 1) ? "" : "s", this->product);
+ dir = NULL;
+ }
+ }
else if (this->pid)
{
e = this->db->query(this->db,
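Review bot: The `free(dir)` before the loop and the `dir = NULL` after it in the new `else if (this->pid && this->fid)` branch need a comment, because the reason for them is not visible at this point. `dir` holds the `strdup("")` from the top of list_hashes and is then overwritten by `e->enumerate(e, &dir, &hash)`, presumably with strings owned by the enumerator. Something like `/* dir is replaced by enumerator-owned strings; release our copy first and clear it afterwards so it is not freed again */` would do. The code that releases `dir` at the end of the function is outside the hunk, so please confirm it tolerates NULL.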
@@ -1089,7 +1357,7 @@ METHOD(attest_db_t, list_measurements, void,
bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
chunk_t measurement, int fid, int did, bool ima,
- int *hashes_added)
+ int *hashes_added, int *hashes_updated)
{
enumerator_t *e;
chunk_t hash;
@@ -1108,8 +1376,22 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
}
if (e->enumerate(e, &hash))
{
- label = chunk_equals(measurement, hash) ?
- "exists and equals" : "exists and differs";
+ if (chunk_equals(measurement, hash))
+ {
+ label = "exists and equals";
+ }
+ else
+ {
+ if (this->db->execute(this->db, NULL,
+ "UPDATE file_hashes SET hash = ? WHERE algo = ? "
+ "AND file = ? AND directory = ? AND product = ? and key = 0",
+ DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, DB_UINT, did,
+ DB_UINT, this->pid) == 1)
+ {
+ label = "updated";
+ (*hashes_updated)++;
+ }
+ }
}
else
{
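Review bot: When the UPDATE in the new `else` branch does not return 1, no `label` is assigned and no error is reported, so insert_file_hash carries on with whatever `label` held before (its initialisation is outside the hunk). Adding `else { label = "could not be updated"; }`, or returning FALSE there, makes the failure visible. Separately, overwriting a stored reference hash changes what later measurements are compared against, and the previous value is lost without a trace. Printing the old `hash` with `%#B` before the UPDATE would leave an audit trail for the operator.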
@@ -1161,7 +1443,8 @@ METHOD(attest_db_t, add, bool,
hasher_t *hasher = NULL;
bool ima = FALSE;
int fid, did;
- int files_added = 0, hashes_added = 0, ima_hashes_added = 0;
+ int files_added = 0, hashes_added = 0, hashes_updated = 0;
+ int ima_hashes_added = 0, ima_hashes_updated = 0;
enumerator_t *enumerator, *e;
if (this->algo == PTS_MEAS_ALGO_SHA1_IMA)
@@ -1225,7 +1508,8 @@ METHOD(attest_db_t, add, bool,
/* compute file measurement hash */
if (!insert_file_hash(this, this->algo, measurement,
- fid, did, FALSE, &hashes_added))
+ fid, did, FALSE,
+ &hashes_added, &hashes_updated))
{
break;
}
@@ -1246,25 +1530,49 @@ METHOD(attest_db_t, add, bool,
break;
}
if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement,
- fid, did, TRUE, &ima_hashes_added))
+ fid, did, TRUE,
+ &ima_hashes_added, &ima_hashes_updated))
{
break;
}
}
enumerator->destroy(enumerator);
- printf("%d measurements, added %d new files, %d new file hashes",
- measurements->get_file_count(measurements),
- files_added, hashes_added);
+ printf("%d measurements, added %d new files, %d file hashes",
+ measurements->get_file_count(measurements), files_added,
+ hashes_added);
if (ima)
{
- printf(" , %d new ima hashes", ima_hashes_added);
+ printf(", %d ima hashes", ima_hashes_added);
hasher->destroy(hasher);
}
+ printf(", updated %d file hashes", hashes_updated);
+ if (ima)
+ {
+ printf(", %d ima hashes", ima_hashes_updated);
+ }
printf("\n");
measurements->destroy(measurements);
success = TRUE;
}
+
+ /* insert package version */
+ if (this->version_set && this->gid && this->pid)
+ {
+ time_t t = time(NULL);
+
+ success = this->db->execute(this->db, NULL,
+ "INSERT INTO versions "
+ "(package, product, release, security, time) "
+ "VALUES (?, ?, ?, ?, ?)",
+ DB_UINT, this->gid, DB_UINT, this->pid, DB_TEXT,
+ this->version, DB_UINT, this->security, DB_INT, t) == 1;
+
+ printf("'%s' package %s (%s)%N %sinserted into database\n",
+ this->product, this->package, this->version,
+ os_package_state_names, this->security,
+ success ? "" : "could not be ");
+ }
return success;
}
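Review bot: The INSERT into `versions` runs without first looking for an existing row with the same package, product and release. Repeating `--add --package ... --version ...` with a different `--security`/`--blacklist` flag would then leave two rows with conflicting states, unless the schema enforces uniqueness (not visible here). list_packages would show both, and any consumer of the table would have to guess which state applies. Checking for an existing row and updating its `security` and `time`, as insert_file_hash now does for hashes, avoids the ambiguity.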
@@ -1384,7 +1692,9 @@ METHOD(attest_db_t, destroy, void,
{
DESTROY_IF(this->db);
DESTROY_IF(this->cfn);
+ free(this->package);
free(this->product);
+ free(this->version);
free(this->file);
free(this->dir);
free(this->owner);
@@ -1409,15 +1719,22 @@ attest_db_t *attest_db_create(char *uri)
.set_fid = _set_fid,
.set_key = _set_key,
.set_kid = _set_kid,
+ .set_package = _set_package,
+ .set_gid = _set_gid,
.set_product = _set_product,
.set_pid = _set_pid,
+ .set_version = _set_version,
.set_algo = _set_algo,
.set_relative = _set_relative,
+ .set_security = _set_security,
.set_sequence = _set_sequence,
.set_owner = _set_owner,
+ .set_utc = _set_utc,
+ .list_packages = _list_packages,
.list_products = _list_products,
.list_files = _list_files,
.list_components = _list_components,
+ .list_devices = _list_devices,
.list_keys = _list_keys,
.list_hashes = _list_hashes,
.list_measurements = _list_measurements,
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index e32a368d8..e2297d0c4 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -23,7 +23,7 @@
#define ATTEST_DB_H_
#include <pts/pts_meas_algo.h>
-
+#include <os_info/os_info.h>
#include <library.h>
typedef struct attest_db_t attest_db_t;
@@ -102,6 +102,23 @@ struct attest_db_t {
bool (*set_kid)(attest_db_t *this, int kid);
/**
+ * Set software package to be queried
+ *
+ * @param product software package
+ * @param create if TRUE create database entry if it doesn't exist
+ * @return TRUE if successful
+ */
+ bool (*set_package)(attest_db_t *this, char *package, bool create);
+
+ /**
+ * Set primary key of the software package to be queried
+ *
+ * @param gid primary key of software package
+ * @return TRUE if successful
+ */
+ bool (*set_gid)(attest_db_t *this, int gid);
+
+ /**
* Set software product to be queried
*
* @param product software product
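Review bot: The doc comment for `set_package` names the wrong parameter: it says `@param product software package`, but the function pointer takes `char *package`. It should read `@param package software package`, so the generated documentation matches the signature and is not confused with `set_product` directly below.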
@@ -119,6 +136,14 @@ struct attest_db_t {
bool (*set_pid)(attest_db_t *this, int pid);
/**
+ * Set software package version to be queried
+ *
+ * @param version software package version
+ * @return TRUE if successful
+ */
+ bool (*set_version)(attest_db_t *this, char *version);
+
+ /**
* Set measurement hash algorithm
*
* @param algo hash algorithm
@@ -136,6 +161,11 @@ struct attest_db_t {
void (*set_relative)(attest_db_t *this);
/**
+ * Set the package security state
+ */
+ void (*set_security)(attest_db_t *this, os_package_state_t security);
+
+ /**
* Set the sequence number
*/
void (*set_sequence)(attest_db_t *this, int seq_no);
@@ -149,6 +179,16 @@ struct attest_db_t {
void (*set_owner)(attest_db_t *this, char *owner);
/**
+ * Display all dates in UTC
+ */
+ void (*set_utc)(attest_db_t *this);
+
+ /**
+ * List all packages stored in the database
+ */
+ void (*list_packages)(attest_db_t *this);
+
+ /**
* List all products stored in the database
*/
void (*list_products)(attest_db_t *this);
@@ -164,6 +204,11 @@ struct attest_db_t {
void (*list_components)(attest_db_t *this);
/**
+ * List all devices stored in the database
+ */
+ void (*list_devices)(attest_db_t *this);
+
+ /**
* List all AIKs stored in the database
*/
void (*list_keys)(attest_db_t *this);
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index f7040f7ad..324fcafc3 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -24,16 +24,19 @@ void usage(void)
{
printf("\
Usage:\n\
- ipsec attest --files|--products|--keys|--hashes [options]\n\
+ ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\
\n\
- ipsec attest --components|-keys|--measurements|--add|--del [options]\n\
+ ipsec attest --measurements|--packages|--products|--add|--del [options]\n\
\n\
- ipsec attest --files [--product <name>|--pid <id>]\n\
- Show a list of files with a software product name or\n\
+ ipsec attest --components [--key <digest>|--kid <id>]\n\
+ Show a list of components with an AIK digest or\n\
its primary key as an optional selector.\n\
\n\
- ipsec attest --products [--file <path>|--fid <id>]\n\
- Show a list of supported software products with a file path or\n\
+ ipsec attest --devices [--utc]\n\
+ Show a list of registered devices and associated collected information\n\
+ \n\
+ ipsec attest --files [--product <name>|--pid <id>]\n\
+ Show a list of files with a software product name or\n\
its primary key as an optional selector.\n\
\n\
ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\
@@ -44,10 +47,6 @@ Usage:\n\
Show a list of measurement hashes for a given file or\n\
its primary key as an optional selector.\n\
\n\
- ipsec attest --components [--key <digest>|--kid <id>]\n\
- Show a list of components with an AIK digest or\n\
- its primary key as an optional selector.\n\
- \n\
ipsec attest --keys [--components <cfn>|--cid <id>]\n\
Show a list of AIK key digests with a component or\n\
its primary key as an optional selector.\n\
@@ -60,6 +59,14 @@ Usage:\n\
Show a list of component measurements for a given AIK or\n\
its primary key as an optional selector.\n\
\n\
+ ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\
+ Show a list of software packages for a given product or\n\
+ its primary key as an optional selector.\n\
+ \n\
+ ipsec attest --products [--file <path>|--fid <id>]\n\
+ Show a list of supported software products with a file path or\n\
+ its primary key as an optional selector.\n\
+ \n\
ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\
Add a file, directory, product or component entry\n\
Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
@@ -74,6 +81,10 @@ Usage:\n\
ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
Add an ordered key/component entry\n\
\n\
+ ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\
+ [--product <name>|--pid <id>]\n\
+ Add a package version for a given product optionally with security or blacklist flag\n\
+ \n\
ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
Delete a file or directory entry referenced either by value or primary key\n\
\n\
diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh
index a89258e1d..be1024de0 100755
--- a/src/libpts/plugins/imv_attestation/build-database.sh
+++ b/src/libpts/plugins/imv_attestation/build-database.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-p="Ubuntu 12.04.1 LTS i686"
+p="Ubuntu 12.04 i686"
ipsec attest --add --product "$p" --sha1-ima --dir /sbin
ipsec attest --add --product "$p" --sha1-ima --dir /usr/sbin
diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql
index b1646b724..60c312e30 100644
--- a/src/libpts/plugins/imv_attestation/data.sql
+++ b/src/libpts/plugins/imv_attestation/data.sql
@@ -51,7 +51,7 @@ INSERT INTO products (
INSERT INTO products (
name
) VALUES (
- 'Ubuntu 12.04.1 LTS i686'
+ 'Ubuntu 12.04 i686'
);
/* Files */
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c
index 201496e8a..3c5488eba 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation.c
@@ -18,10 +18,11 @@
#include "imv_attestation_build.h"
#include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
#include <ietf/ietf_attr.h>
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
#include <libpts.h>
@@ -34,16 +35,18 @@
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/credential_manager.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/* IMV definitions */
static const char imv_name[] = "Attestation";
-#define IMV_VENDOR_ID PEN_TCG
-#define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
+static pen_type_t msg_types[] = {
+ { PEN_TCG, PA_SUBTYPE_TCG_PTS },
+ { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
static imv_agent_t *imv_attestation;
@@ -92,7 +95,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
{
return TNC_RESULT_FATAL;
}
- imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
+ imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
imv_id, actual_version);
if (!imv_attestation)
{
@@ -100,7 +103,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
}
libpts_init();
-
+
if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
{
DBG1(DBG_IMV, "no common IF-IMV version");
@@ -166,133 +169,106 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
}
}
-static TNC_Result send_message(TNC_ConnectionID connection_id)
+static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg)
{
- linked_list_t *attr_list;
- imv_state_t *state;
imv_attestation_state_t *attestation_state;
TNC_Result result;
- if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
attestation_state = (imv_attestation_state_t*)state;
- attr_list = linked_list_create();
- if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
+ if (imv_attestation_build(out_msg, attestation_state, supported_algorithms,
supported_dh_groups, pts_db))
{
- if (attr_list->get_count(attr_list))
- {
- result = imv_attestation->send_message(imv_attestation,
- connection_id, FALSE, 0, TNC_IMCID_ANY, attr_list);
- }
- else
- {
- result = TNC_RESULT_SUCCESS;
- }
- attr_list->destroy(attr_list);
+ result = out_msg->send(out_msg, TRUE);
}
else
{
- attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
result = TNC_RESULT_FATAL;
}
return result;
}
-static TNC_Result receive_message(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imc_id,
- TNC_UInt32 dst_imv_id)
+static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
{
- pa_tnc_msg_t *pa_tnc_msg;
- pa_tnc_attr_t *attr;
- pen_type_t type;
- linked_list_t *attr_list;
- imv_state_t *state;
imv_attestation_state_t *attestation_state;
- pts_t *pts;
+ imv_msg_t *out_msg;
enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t type;
TNC_Result result;
+ pts_t *pts;
+ chunk_t os_name = chunk_empty;
+ chunk_t os_version = chunk_empty;
+ bool fatal_error = FALSE;
- if (!imv_attestation)
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
{
- DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
- return TNC_RESULT_NOT_INITIALIZED;
+ return result;
}
- /* get current IMV state */
- if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
attestation_state = (imv_attestation_state_t*)state;
pts = attestation_state->get_pts(attestation_state);
- /* parse received PA-TNC message and automatically handle any errors */
- result = imv_attestation->receive_message(imv_attestation, state, msg,
- msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
- {
- return result;
- }
-
- /* preprocess any IETF standard error attributes */
- result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
- TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
- attr_list = linked_list_create();
+ out_msg = imv_msg_create_as_reply(in_msg);
+ out_msg->set_msg_type(out_msg, msg_types[0]);
/* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
while (enumerator->enumerate(enumerator, &attr))
{
type = attr->get_type(attr);
if (type.vendor_id == PEN_IETF)
{
- if (type.type == IETF_ATTR_PA_TNC_ERROR)
+ switch (type.type)
{
- ietf_attr_pa_tnc_error_t *error_attr;
- pen_type_t error_code;
- chunk_t msg_info;
+ case IETF_ATTR_PA_TNC_ERROR:
+ {
+ ietf_attr_pa_tnc_error_t *error_attr;
+ pen_type_t error_code;
+ chunk_t msg_info;
- error_attr = (ietf_attr_pa_tnc_error_t*)attr;
- error_code = error_attr->get_error_code(error_attr);
+ error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+ error_code = error_attr->get_error_code(error_attr);
- if (error_code.vendor_id == PEN_TCG)
- {
- msg_info = error_attr->get_msg_info(error_attr);
+ if (error_code.vendor_id == PEN_TCG)
+ {
+ msg_info = error_attr->get_msg_info(error_attr);
- DBG1(DBG_IMV, "received TCG-PTS error '%N'",
- pts_error_code_names, error_code.type);
- DBG1(DBG_IMV, "error information: %B", &msg_info);
+ DBG1(DBG_IMV, "received TCG-PTS error '%N'",
+ pts_error_code_names, error_code.type);
+ DBG1(DBG_IMV, "error information: %B", &msg_info);
- result = TNC_RESULT_FATAL;
+ result = TNC_RESULT_FATAL;
+ }
+ break;
}
- }
- else if (type.type == IETF_ATTR_PRODUCT_INFORMATION)
- {
- ietf_attr_product_info_t *attr_cast;
- char *platform_info;
+ case IETF_ATTR_PRODUCT_INFORMATION:
+ {
+ ietf_attr_product_info_t *attr_cast;
- attr_cast = (ietf_attr_product_info_t*)attr;
- platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
- pts->set_platform_info(pts, platform_info);
+ attr_cast = (ietf_attr_product_info_t*)attr;
+ os_name = attr_cast->get_info(attr_cast, NULL, NULL);
+ break;
+ }
+ case IETF_ATTR_STRING_VERSION:
+ {
+ ietf_attr_string_version_t *attr_cast;
+
+ attr_cast = (ietf_attr_string_version_t*)attr;
+ os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+ break;
+ }
+ default:
+ break;
}
}
else if (type.vendor_id == PEN_TCG)
{
- if (!imv_attestation_process(attr, attr_list, attestation_state,
+ if (!imv_attestation_process(attr, out_msg, attestation_state,
supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
{
result = TNC_RESULT_FATAL;
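Review bot: `send_message()` now receives an `out_msg` that it neither creates nor destroys, and nothing in the code says who owns it. It only calls `imv_attestation_build(out_msg, ...)` and `out_msg->send(out_msg, TRUE)`, while `receive_message()` creates the message with `imv_msg_create_as_reply(in_msg)`. A header comment on `send_message` would help, for example `/* Build the attributes for the current handshake state into out_msg and send it; out_msg stays owned by the caller */`. The body of receive_message continues outside this hunk.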
@@ -301,36 +277,50 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
}
}
enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
- if (result != TNC_RESULT_SUCCESS)
+ if (os_name.len && os_version.len)
+ {
+ pts->set_platform_info(pts, os_name, os_version);
+ }
+
+ if (fatal_error || result != TNC_RESULT_SUCCESS)
{
- attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
TNC_IMV_EVALUATION_RESULT_ERROR);
- return imv_attestation->provide_recommendation(imv_attestation,
- connection_id, src_imc_id);
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_attestation->provide_recommendation(imv_attestation, state);
}
- if (attr_list->get_count(attr_list))
+ /* send PA-TNC message with excl flag set */
+ result = out_msg->send(out_msg, TRUE);
+
+ if (result != TNC_RESULT_SUCCESS)
{
- result = imv_attestation->send_message(imv_attestation, connection_id,
- FALSE, 0, TNC_IMCID_ANY, attr_list);
- attr_list->destroy(attr_list);
+ out_msg->destroy(out_msg);
return result;
}
- attr_list->destroy(attr_list);
/* check the IMV state for the next PA-TNC attributes to send */
- result = send_message(connection_id);
+ result = send_message(state, out_msg);
+
if (result != TNC_RESULT_SUCCESS)
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
TNC_IMV_EVALUATION_RESULT_ERROR);
- return imv_attestation->provide_recommendation(imv_attestation,
- connection_id, src_imc_id);
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_attestation->provide_recommendation(imv_attestation, state);
}
if (attestation_state->get_handshake_state(attestation_state) ==
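Review bot: On `fatal_error || result != TNC_RESULT_SUCCESS` the state is now set to `TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION`, where the old code used `TNC_IMV_ACTION_RECOMMENDATION_ISOLATE`. Whether a peer that sends a malformed message or a TCG error attribute is still kept out then depends on the other IMVs and the server policy, which this file does not show. If the relaxation is intended, a comment at that `set_recommendation` call should say so; otherwise keep ISOLATE for this branch. Also, `out_msg` is sent with `out_msg->send(out_msg, TRUE)` and then passed to `send_message(state, out_msg)`, which sends it again, so it is worth confirming that `send()` empties the message and attributes are not transmitted twice.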
@@ -340,7 +330,8 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
{
DBG1(DBG_IMV, "failure due to %d pending file measurements",
attestation_state->get_file_meas_request_count(attestation_state));
- attestation_state->set_measurement_error(attestation_state);
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_FILE_MEAS_PEND);
}
if (attestation_state->get_measurement_error(attestation_state))
{
@@ -354,9 +345,15 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
TNC_IMV_EVALUATION_RESULT_COMPLIANT);
}
- return imv_attestation->provide_recommendation(imv_attestation,
- connection_id, src_imc_id);
+ result = out_msg->send_assessment(out_msg);
+ out_msg->destroy(out_msg);
+ if (result != TNC_RESULT_SUCCESS)
+ {
+ return result;
+ }
+ return imv_attestation->provide_recommendation(imv_attestation, state);
}
+ out_msg->destroy(out_msg);
return result;
}
@@ -370,14 +367,25 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ if (!imv_attestation)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id,
+ msg_type, chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
+ return result;
}
/**
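Review bot: The initialisation check and the `get_state()` lookup added to TNC_IMV_ReceiveMessage are repeated verbatim in TNC_IMV_ReceiveMessageLong and TNC_IMV_SolicitRecommendation in the following hunks. A small static helper would keep the three entry points in step, so that a later change to the error handling cannot be applied to one and missed in another. The Long variant also has a spacing slip, `result =receive_message(state, in_msg);`.

```c
/* Look up the state of a connection; fails if the IMV was never initialized */
static TNC_Result lookup_state(TNC_ConnectionID connection_id,
							   imv_state_t **state)
{
	if (!imv_attestation)
	{
		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
		return TNC_RESULT_NOT_INITIALIZED;
	}
	if (!imv_attestation->get_state(imv_attestation, connection_id, state))
	{
		return TNC_RESULT_FATAL;
	}
	return TNC_RESULT_SUCCESS;
}
/* … unchanged: each entry point creates in_msg and calls receive_message() … */
```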
@@ -393,9 +401,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
TNC_UInt32 src_imc_id,
TNC_UInt32 dst_imv_id)
{
- return receive_message(imv_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imc_id, dst_imv_id);
+ imv_state_t *state;
+ imv_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imv_attestation)
+ {
+ DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id,
+ src_imc_id, dst_imv_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
}
/**
@@ -404,13 +429,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
TNC_ConnectionID connection_id)
{
+ imv_state_t *state;
+
if (!imv_attestation)
{
DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- return imv_attestation->provide_recommendation(imv_attestation,
- connection_id, TNC_IMCID_ANY);
+ if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ return imv_attestation->provide_recommendation(imv_attestation, state);
}
/**
@@ -419,27 +449,11 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
TNC_ConnectionID connection_id)
{
- imv_state_t *state;
- imv_attestation_state_t *attestation_state;
-
if (!imv_attestation)
{
DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- /* get current IMV state */
- if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imv_attestation_state_t*)state;
-
- /* Check if IMV has to initiate the PA-TNC exchange */
- if (attestation_state->get_handshake_state(attestation_state) ==
- IMV_ATTESTATION_STATE_INIT)
- {
- return send_message(connection_id);
- }
return TNC_RESULT_SUCCESS;
}
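Review bot: TNC_IMV_BatchEnding no longer starts the PA-TNC exchange in the INIT state, so `send_message()` is now reached only from `receive_message()`, and that is not documented anywhere. A comment before the final return would record it, for example `/* nothing to do here: the PTS exchange is driven from receive_message() */`. If the IMC never sends a message, TNC_IMV_SolicitRecommendation will report whatever the freshly created state holds. That default is not visible in this file and is worth confirming, so that a silent client is not treated as compliant.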
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index 23195d6e3..b4feec7cd 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -27,9 +27,9 @@
#include <tcg/tcg_pts_attr_req_file_meas.h>
#include <tcg/tcg_pts_attr_req_file_meta.h>
-#include <debug.h>
+#include <utils/debug.h>
-bool imv_attestation_build(linked_list_t *attr_list,
+bool imv_attestation_build(imv_msg_t *out_msg,
imv_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
pts_dh_group_t supported_dh_groups,
@@ -76,12 +76,12 @@ bool imv_attestation_build(linked_list_t *attr_list,
flags = pts->get_proto_caps(pts);
attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
/* Send Measurement Algorithms attribute */
attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
attestation_state->set_handshake_state(attestation_state,
IMV_ATTESTATION_STATE_NONCE_REQ);
@@ -97,7 +97,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
supported_dh_groups);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
attestation_state->set_handshake_state(attestation_state,
IMV_ATTESTATION_STATE_TPM_INIT);
@@ -116,18 +116,18 @@ bool imv_attestation_build(linked_list_t *attr_list,
attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
initiator_value, initiator_nonce);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
}
/* Send Get TPM Version attribute */
attr = tcg_pts_attr_get_tpm_version_info_create();
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
/* Send Get AIK attribute */
attr = tcg_pts_attr_get_aik_create();
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
attestation_state->set_handshake_state(attestation_state,
IMV_ATTESTATION_STATE_MEAS);
@@ -140,7 +140,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
char *platform_info, *pathname;
u_int16_t request_id;
int id, type;
- bool is_dir;
+ bool is_dir, have_request = FALSE;
attestation_state->set_handshake_state(attestation_state,
IMV_ATTESTATION_STATE_COMP_EVID);
@@ -173,10 +173,11 @@ bool imv_attestation_build(linked_list_t *attr_list,
attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
pathname);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
+ have_request = TRUE;
}
enumerator->destroy(enumerator);
-
+
/* Send Request File Measurement attribute */
enumerator = pts_db->create_file_meas_enumerator(pts_db,
platform_info);
@@ -194,12 +195,13 @@ bool imv_attestation_build(linked_list_t *attr_list,
attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
delimiter, pathname);
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
+ have_request = TRUE;
}
enumerator->destroy(enumerator);
/* do we have any file metadata or measurement requests? */
- if (attr_list->get_count(attr_list))
+ if (have_request)
{
break;
}
@@ -282,12 +284,12 @@ bool imv_attestation_build(linked_list_t *attr_list,
if (attr)
{
/* Send Request Functional Component Evidence attribute */
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
/* Send Generate Attestation Evidence attribute */
attr = tcg_pts_attr_gen_attest_evid_create();
attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
attestation_state->set_handshake_state(attestation_state,
IMV_ATTESTATION_STATE_EVID_FINAL);
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
index 7f934fd09..0fc10f0ce 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
@@ -24,7 +24,7 @@
#include "imv_attestation_state.h"
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
#include <library.h>
#include <pts/pts_database.h>
@@ -34,14 +34,14 @@
/**
* Process a TCG PTS attribute
*
- * @param attr_list list of PA-TNC attriubutes to be built
+ * @param out_msg outbound PA-TNC message to be built
* @param attestation_state attestation state of a given connection
* @param supported_algorithms supported PTS measurement algorithms
* @param supported_dh_groups supported DH groups
* @param pts_db PTS configuration database
* @return TRUE if successful
*/
-bool imv_attestation_build(linked_list_t *attr_list,
+bool imv_attestation_build(imv_msg_t *out_msg,
imv_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
pts_dh_group_t supported_dh_groups,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 37e9ac77a..4541075ef 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -29,12 +29,12 @@
#include <tcg/tcg_pts_attr_tpm_version_info.h>
#include <tcg/tcg_pts_attr_unix_file_meta.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/hashers/hasher.h>
#include <inttypes.h>
-bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
imv_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
pts_dh_group_t supported_dh_groups,
@@ -43,7 +43,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
{
pen_type_t attr_type;
pts_t *pts;
-
+
pts = attestation_state->get_pts(attestation_state);
attr_type = attr->get_type(attr);
@@ -96,7 +96,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
attr = pts_dh_nonce_error_create(
max(PTS_MIN_NONCE_LEN, min_nonce_len),
PTS_MAX_NONCE_LEN);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
break;
}
@@ -113,7 +113,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
if (selected_algorithm == PTS_MEAS_ALGO_NONE)
{
attr = pts_hash_alg_error_create(supported_algorithms);
- attr_list->insert_last(attr_list, attr);
+ out_msg->add_attribute(out_msg, attr);
break;
}
pts->set_dh_hash_algorithm(pts, selected_algorithm);
@@ -233,7 +233,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
platform_info, algo, file_id, is_dir);
if (!measurements->verify(measurements, e_hash, is_dir))
{
- attestation_state->set_measurement_error(attestation_state);
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
}
e_hash->destroy(e_hash);
}
@@ -299,7 +300,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
if (comp->verify(comp, name->get_qualifier(name), pts,
evidence) != SUCCESS)
{
- attestation_state->set_measurement_error(attestation_state);
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
name->log(name, " measurement mismatch for ");
}
break;
@@ -335,17 +337,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
{
DBG1(DBG_IMV, "received PCR Composite does not match "
"constructed one");
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
free(pcr_composite.ptr);
free(quote_info.ptr);
- return FALSE;
+ break;
}
DBG2(DBG_IMV, "received PCR Composite matches constructed one");
free(pcr_composite.ptr);
if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
{
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
free(quote_info.ptr);
- return FALSE;
+ break;
}
DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
free(quote_info.ptr);
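Review bot: Both TPM Quote failure paths now end in `break` instead of `return FALSE`, so a mismatching PCR composite or an invalid quote signature is recorded only as the `IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL` bit in the attestation state. The function's final return is outside this hunk, but if it yields TRUE after the `break`, a failed quote reads as success to any caller that does not check `get_measurement_error()` before issuing its recommendation. I would mark both exits with a comment such as `/* quote failure is reported through measurement_error, not the return value */`. The signature branch also has no log line of its own, unlike the composite branch; unless `verify_quote_signature` logs internally, add `DBG1(DBG_IMV, "TPM Quote Info signature verification failed");` there.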
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
index 4d4eeefbb..73b4251e0 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
@@ -25,10 +25,11 @@
#include "imv_attestation_state.h"
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/credential_manager.h>
#include <crypto/hashers/hasher.h>
+#include <imv/imv_msg.h>
#include <pa_tnc/pa_tnc_attr.h>
#include <pts/pts_database.h>
@@ -39,7 +40,7 @@
* Process a TCG PTS attribute
*
* @param attr PA-TNC attribute to be processed
- * @param attr_list list with PA-TNC error attributes
+ * @param out_msg PA-TNC message containing error messages
* @param attestation_state attestation state of a given connection
* @param supported_algorithms supported PTS measurement algorithms
* @param supported_dh_groups supported DH groups
@@ -47,7 +48,7 @@
* @param pts_credmgr PTS credential manager
* @return TRUE if successful
*/
-bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
imv_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
pts_dh_group_t supported_dh_groups,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index 1dbc88309..93da9aee5 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -17,9 +17,11 @@
#include <libpts.h>
-#include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <imv/imv_lang_string.h>
+#include "imv/imv_reason_string.h"
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_imv_attestation_state_t private_imv_attestation_state_t;
typedef struct file_meas_request_t file_meas_request_t;
@@ -44,7 +46,7 @@ struct private_imv_attestation_state_t {
* TNCCS connection state
*/
TNC_ConnectionState state;
-
+
/**
* Does the TNCCS connection support long message types?
*/
@@ -96,9 +98,14 @@ struct private_imv_attestation_state_t {
pts_t *pts;
/**
- * Measurement error
+ * Measurement error flags
+ */
+ u_int32_t measurement_error;
+
+ /**
+ * TNC Reason String
*/
- bool measurement_error;
+ imv_reason_string_t *reason_string;
};
@@ -128,26 +135,47 @@ static void free_func_comp(func_comp_t *this)
free(this);
}
-typedef struct entry_t entry_t;
-
/**
- * Define an internal reason string entry
+ * Supported languages
*/
-struct entry_t {
- char *lang;
- char *string;
-};
+static char* languages[] = { "en", "de", "mn" };
/**
- * Table of multi-lingual reason string entries
+ * Table of reason strings
*/
-static entry_t reasons[] = {
- { "en", "IMV Attestation: Incorrect/pending file measurement/component"
- " evidence or invalid TPM Quote signature received" },
- { "mn", "IMV Attestation: Буруу/хүлээгдэж байгаа файл/компонент хэмжилт "
- "эсвэл буруу TPM Quote гарын үсэг" },
- { "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis "
- "oder ungültige TPM Quote Unterschrift ist erhalten" },
+static imv_lang_string_t reason_file_meas_fail[] = {
+ { "en", "Incorrect file measurement" },
+ { "de", "Falsche Dateimessung" },
+ { "mn", "Буруу байгаа файл" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_file_meas_pend[] = {
+ { "en", "Pending file measurement" },
+ { "de", "Ausstehende Dateimessung" },
+ { "mn", "Xүлээгдэж байгаа файл" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_fail[] = {
+ { "en", "Incorrect component evidence" },
+ { "de", "Falsche Komponenten-Evidenz" },
+ { "mn", "Буруу компонент хэмжилт" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_pend[] = {
+ { "en", "Pending component evidence" },
+ { "de", "Ausstehende Komponenten-Evidenz" },
+ { "mn", "Xүлээгдэж компонент хэмжилт" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_tpm_quote_fail[] = {
+ { "en", "Invalid TPM Quote signature received" },
+ { "de", "Falsche TPM Quote Signature erhalten" },
+ { "mn", "Буруу TPM Quote гарын үсэг" },
+ { NULL, NULL }
};
METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -210,52 +238,57 @@ METHOD(imv_state_t, set_recommendation, void,
}
METHOD(imv_state_t, get_reason_string, bool,
- private_imv_attestation_state_t *this, chunk_t preferred_language,
- chunk_t *reason_string, chunk_t *reason_language)
+ private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *reason_string, char **reason_language)
{
- chunk_t pref_lang, lang;
- u_char *pos;
- int i;
+ *reason_language = imv_lang_string_select_lang(language_enumerator,
+ languages, countof(languages));
- while (eat_whitespace(&preferred_language))
- {
- if (!extract_token(&pref_lang, ',', &preferred_language))
- {
- /* last entry in a comma-separated list or single entry */
- pref_lang = preferred_language;
- }
+ /* Instantiate a TNC Reason String object */
+ DESTROY_IF(this->reason_string);
+ this->reason_string = imv_reason_string_create(*reason_language);
- /* eat trailing whitespace */
- pos = pref_lang.ptr + pref_lang.len - 1;
- while (pref_lang.len && *pos-- == ' ')
- {
- pref_lang.len--;
- }
-
- for (i = 0 ; i < countof(reasons); i++)
- {
- lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
- if (chunk_equals(lang, pref_lang))
- {
- *reason_language = lang;
- *reason_string = chunk_create(reasons[i].string,
- strlen(reasons[i].string));
- return TRUE;
- }
- }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_file_meas_fail);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_file_meas_pend);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_comp_evid_fail);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_comp_evid_pend);
}
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_tpm_quote_fail);
+ }
+ *reason_string = this->reason_string->get_encoding(this->reason_string);
- /* no preferred language match found - use the default language */
- *reason_string = chunk_create(reasons[0].string,
- strlen(reasons[0].string));
- *reason_language = chunk_create(reasons[0].lang,
- strlen(reasons[0].lang));
return TRUE;
}
+METHOD(imv_state_t, get_remediation_instructions, bool,
+ private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+ chunk_t *string, char **lang_code, char **uri)
+{
+ return FALSE;
+}
+
METHOD(imv_state_t, destroy, void,
private_imv_attestation_state_t *this)
{
+ DESTROY_IF(this->reason_string);
this->file_meas_requests->destroy_function(this->file_meas_requests, free);
this->components->destroy_function(this->components, (void *)free_func_comp);
this->pts->destroy(this->pts);
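Review bot: `*reason_string` is now taken from `this->reason_string->get_encoding()`, and that object is destroyed by the next `get_reason_string()` call and by `destroy()`, whereas the removed code returned chunks pointing at static strings. If `get_encoding` hands out internal storage (its implementation is not part of this hunk), callers must consume or copy the chunk before either of those calls. I would document that above the method: `/* the returned chunk is owned by this state object and is valid until the next call or destroy() */`. The new `get_remediation_instructions` returns FALSE without writing `*string`, `*lang_code` or `*uri`, which deserves a one-line comment saying the outputs are left untouched.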
@@ -302,7 +335,7 @@ METHOD(imv_attestation_state_t, check_off_file_meas_request, bool,
enumerator_t *enumerator;
file_meas_request_t *request;
bool found = FALSE;
-
+
enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests);
while (enumerator->enumerate(enumerator, &request))
{
@@ -396,16 +429,16 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*,
return found;
}
-METHOD(imv_attestation_state_t, get_measurement_error, bool,
+METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t,
private_imv_attestation_state_t *this)
{
return this->measurement_error;
}
METHOD(imv_attestation_state_t, set_measurement_error, void,
- private_imv_attestation_state_t *this)
+ private_imv_attestation_state_t *this, u_int32_t error)
{
- this->measurement_error = TRUE;
+ this->measurement_error |= error;
}
METHOD(imv_attestation_state_t, finalize_components, void,
@@ -418,7 +451,7 @@ METHOD(imv_attestation_state_t, finalize_components, void,
{
if (!entry->comp->finalize(entry->comp, entry->qualifier))
{
- _set_measurement_error(this);
+ set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
}
free_func_comp(entry);
}
@@ -436,7 +469,6 @@ METHOD(imv_attestation_state_t, components_finalized, bool,
imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
{
private_imv_attestation_state_t *this;
- char *platform_info;
INIT(this,
.public = {
@@ -451,6 +483,7 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
.get_recommendation = _get_recommendation,
.set_recommendation = _set_recommendation,
.get_reason_string = _get_reason_string,
+ .get_remediation_instructions = _get_remediation_instructions,
.destroy = _destroy,
},
.get_handshake_state = _get_handshake_state,
@@ -476,12 +509,5 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
.pts = pts_create(FALSE),
);
- platform_info = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.platform_info", NULL);
- if (platform_info)
- {
- this->pts->set_platform_info(this->pts, platform_info);
- }
-
return &this->public.interface;
}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 901d4b19d..f64314e71 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -30,6 +30,7 @@
typedef struct imv_attestation_state_t imv_attestation_state_t;
typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
+typedef enum imv_meas_error_t imv_meas_error_t;
/**
* IMV Attestation Handshake States (state machine)
@@ -45,6 +46,17 @@ enum imv_attestation_handshake_state_t {
};
/**
+ * IMV Measurement Error Types
+ */
+enum imv_meas_error_t {
+ IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
+ IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
+ IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4,
+ IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+};
+
+/**
* Internal state of an imv_attestation_t connection instance
*/
struct imv_attestation_state_t {
@@ -139,16 +151,19 @@ struct imv_attestation_state_t {
bool (*components_finalized)(imv_attestation_state_t *this);
/**
- * Indicates if a file measurement error occurred
+ * Indicates the types of measurement errors that occurred
*
- * @return TRUE in case of measurement error
+ * @return Measurement error flags
*/
- bool (*get_measurement_error)(imv_attestation_state_t *this);
+ u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
/**
- * Call if a file measurement error is encountered
+ * Call if a measurement error is encountered
+ *
+ * @param error Measurement error type
*/
- void (*set_measurement_error)(imv_attestation_state_t *this);
+ void (*set_measurement_error)(imv_attestation_state_t *this,
+ u_int32_t error);
};
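Review bot: The doc comment for `set_measurement_error` calls the argument a "Measurement error type", but the implementation in imv_attestation_state.c ORs it into a mask (`this->measurement_error |= error`), and nothing in this commit clears that mask. The parameter is also a plain `u_int32_t` rather than the new `imv_meas_error_t`, so the header is the only place a caller learns which values are valid. I would write `@param error  imv_meas_error_t flag(s) to be OR'ed into the error mask` for the setter and `@return  bitmask of imv_meas_error_t flags, 0 if no error occurred` for the getter.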
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
index 42553bef0..8a79ea7cf 100644
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ b/src/libpts/plugins/imv_attestation/tables.sql
@@ -85,3 +85,54 @@ CREATE TABLE component_hashes (
hash BLOB NOT NULL,
PRIMARY KEY(component, key, seq_no, algo)
);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+ name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ package INTEGER NOT NULL,
+ product INTEGER NOT NULL,
+ release TEXT NOT NULL,
+ security INTEGER DEFAULT 0,
+ time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+ release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+ package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ value BLOB NOT NULL
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+ value
+);
+
+DROP TABLE IF EXISTS device_infos;
+CREATE TABLE device_infos (
+ device INTEGER NOT NULL,
+ time INTEGER NOT NULL,
+ product INTEGER DEFAULT 0,
+ count INTEGER DEFAULT 0,
+ count_update INTEGER DEFAULT 0,
+ count_blacklist INTEGER DEFAULT 0,
+ flags INTEGER DEFAULT 0,
+ PRIMARY KEY (device, time)
+);
+
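Review bot: `DROP INDEX IF EXISTS devices_id;` does not name the index created on the following line, `devices_value`, while the other three drop/create pairs in this hunk use matching names. Because the `devices` table is dropped just before, a fresh run is probably unaffected, but the statement should read `DROP INDEX IF EXISTS devices_value;` so the script stays correct if the statements are ever reordered or run selectively. Separately, `versions.package` and `device_infos.device` look like references to `packages.id` and `devices.id` but carry no `REFERENCES` clause; if that is intentional, a comment saying integrity is enforced by the application would help.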
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c
index a59732428..02470f5f5 100644
--- a/src/libpts/pts/components/ita/ita_comp_ima.c
+++ b/src/libpts/pts/components/ita/ita_comp_ima.c
@@ -20,7 +20,7 @@
#include "pts/pts_pcr.h"
#include "pts/components/pts_component.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <pen/pen.h>
#include <sys/types.h>
@@ -96,12 +96,12 @@ struct pts_ita_comp_ima_t {
int ima_cid;
/**
- * Component is registering IMA BIOS measurements
+ * Component is registering IMA BIOS measurements
*/
bool is_bios_registering;
/**
- * Component is registering IMA boot aggregate measurement
+ * Component is registering IMA boot aggregate measurement
*/
bool is_ima_registering;
@@ -184,7 +184,7 @@ struct bios_entry_t {
/**
* SHA1 measurement hash
- */
+ */
chunk_t measurement;
};
@@ -291,6 +291,7 @@ static bool load_bios_measurements(char *file, linked_list_t *list,
DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s", file,
strerror(errno));
+ free_bios_entry(entry);
close(fd);
return FALSE;
}
@@ -377,6 +378,7 @@ static bool load_runtime_measurements(char *file, linked_list_t *list,
DBG1(DBG_PTS, "loading ima measurements '%s' failed: %s",
file, strerror(errno));
+ free_ima_entry(entry);
close(fd);
return FALSE;
}
@@ -526,7 +528,7 @@ METHOD(pts_component_t, measure, status_t,
evid = extend_pcr(this, qualifier, pcrs, bios_entry->pcr,
bios_entry->measurement);
free(bios_entry);
-
+
this->state = this->bios_list->get_count(this->bios_list) ?
IMA_STATE_BIOS : IMA_STATE_INIT;
break;
@@ -821,7 +823,7 @@ METHOD(pts_component_t, finalize, bool,
u_int32_t vid, name;
enum_name_t *names;
bool success = TRUE;
-
+
this->name->set_qualifier(this->name, qualifier);
vid = this->name->get_vendor_id(this->name);
name = this->name->get_name(this->name);
@@ -915,7 +917,7 @@ METHOD(pts_component_t, destroy, void,
}
this->bios_list->destroy_function(this->bios_list,
(void *)free_bios_entry);
- this->ima_list->destroy_function(this->ima_list,
+ this->ima_list->destroy_function(this->ima_list,
(void *)free_ima_entry);
this->name->destroy(this->name);
free(this->keyid.ptr);
diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c
index 9deeb19b5..8fb5abddf 100644
--- a/src/libpts/pts/components/ita/ita_comp_tboot.c
+++ b/src/libpts/pts/components/ita/ita_comp_tboot.c
@@ -19,7 +19,7 @@
#include "libpts.h"
#include "pts/components/pts_component.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <pen/pen.h>
typedef struct pts_ita_comp_tboot_t pts_ita_comp_tboot_t;
@@ -66,7 +66,7 @@ struct pts_ita_comp_tboot_t {
int kid;
/**
- * Component is registering measurements
+ * Component is registering measurements
*/
bool is_registering;
@@ -123,7 +123,7 @@ METHOD(pts_component_t, measure, status_t,
char *meas_hex, *pcr_before_hex, *pcr_after_hex;
chunk_t measurement, pcr_before, pcr_after;
u_int32_t extended_pcr;
-
+
switch (this->seq_no++)
{
case 0:
@@ -286,7 +286,7 @@ METHOD(pts_component_t, finalize, bool,
{
u_int32_t vid, name;
enum_name_t *names;
-
+
vid = this->name->get_vendor_id(this->name);
name = this->name->get_name(this->name);
names = pts_components->get_comp_func_names(pts_components, vid);
diff --git a/src/libpts/pts/components/ita/ita_comp_tgrub.c b/src/libpts/pts/components/ita/ita_comp_tgrub.c
index 986f7ace2..e3acd8774 100644
--- a/src/libpts/pts/components/ita/ita_comp_tgrub.c
+++ b/src/libpts/pts/components/ita/ita_comp_tgrub.c
@@ -18,7 +18,7 @@
#include "pts/components/pts_component.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <pen/pen.h>
typedef struct pts_ita_comp_tgrub_t pts_ita_comp_tgrub_t;
@@ -90,7 +90,7 @@ METHOD(pts_component_t, measure, status_t,
/* Provisional implementation for TGRUB */
extended_pcr = PCR_DEBUG;
time(&measurement_time);
-
+
if (!pts->read_pcr(pts, extended_pcr, &pcr_after))
{
DBG1(DBG_PTS, "error occurred while reading PCR: %d", extended_pcr);
@@ -103,7 +103,7 @@ METHOD(pts_component_t, measure, status_t,
measurement = chunk_alloc(pcr_len);
memset(measurement.ptr, 0x00, measurement.len);
-
+
pcr_before = chunk_alloc(pcr_len);
memset(pcr_before.ptr, 0x00, pcr_before.len);
@@ -150,7 +150,7 @@ METHOD(pts_component_t, verify, status_t,
return SUCCESS;
}
}
-
+
return SUCCESS;
}
diff --git a/src/libpts/pts/components/pts_comp_evidence.c b/src/libpts/pts/components/pts_comp_evidence.c
index 050717472..08c3d5e9a 100644
--- a/src/libpts/pts/components/pts_comp_evidence.c
+++ b/src/libpts/pts/components/pts_comp_evidence.c
@@ -15,7 +15,7 @@
#include "pts/components/pts_comp_evidence.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pts_comp_evidence_t private_pts_comp_evidence_t;
@@ -148,7 +148,7 @@ METHOD(pts_comp_evidence_t, get_pcr_info, bool,
METHOD(pts_comp_evidence_t, set_pcr_info, void,
private_pts_comp_evidence_t *this, chunk_t pcr_before, chunk_t pcr_after)
{
- this->has_pcr_info = TRUE;
+ this->has_pcr_info = TRUE;
this->pcr_before = pcr_before;
this->pcr_after = pcr_after;
diff --git a/src/libpts/pts/components/pts_comp_func_name.c b/src/libpts/pts/components/pts_comp_func_name.c
index 7501be044..6c630f8fb 100644
--- a/src/libpts/pts/components/pts_comp_func_name.c
+++ b/src/libpts/pts/components/pts_comp_func_name.c
@@ -17,7 +17,7 @@
#include "libpts.h"
#include "pts/components/pts_comp_func_name.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pts_comp_func_name_t private_pts_comp_func_name_t;
diff --git a/src/libpts/pts/components/pts_component_manager.c b/src/libpts/pts/components/pts_component_manager.c
index e330aeebf..9c1375b79 100644
--- a/src/libpts/pts/components/pts_component_manager.c
+++ b/src/libpts/pts/components/pts_component_manager.c
@@ -15,8 +15,8 @@
#include "pts/components/pts_component_manager.h"
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_pts_component_manager_t private_pts_component_manager_t;
typedef struct vendor_entry_t vendor_entry_t;
@@ -56,7 +56,7 @@ struct vendor_entry_t {
/**
* List of vendor-specific registered Functional Components
- */
+ */
linked_list_t *components;
};
@@ -103,7 +103,7 @@ struct private_pts_component_manager_t {
};
METHOD(pts_component_manager_t, add_vendor, void,
- private_pts_component_manager_t *this, pen_t vendor_id,
+ private_pts_component_manager_t *this, pen_t vendor_id,
enum_name_t *comp_func_names, int qualifier_type_size,
char *qualifier_flag_names, enum_name_t *qualifier_type_names)
{
@@ -285,7 +285,7 @@ METHOD(pts_component_manager_t, create, pts_component_t*,
METHOD(pts_component_manager_t, destroy, void,
private_pts_component_manager_t *this)
{
- this->list->destroy_function(this->list, (void *)vendor_entry_destroy);
+ this->list->destroy_function(this->list, (void *)vendor_entry_destroy);
free(this);
}
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 4c6c5bc22..84a9961c8 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -15,13 +15,22 @@
#include "pts.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/hashers/hasher.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
+#ifdef TSS_TROUSERS
#include <trousers/tss.h>
#include <trousers/trousers.h>
+#else
+#ifndef TPM_TAG_QUOTE_INFO2
+#define TPM_TAG_QUOTE_INFO2 0x0036
+#endif
+#ifndef TPM_LOC_ZERO
+#define TPM_LOC_ZERO 0x01
+#endif
+#endif
#include <sys/types.h>
#include <sys/stat.h>
@@ -280,6 +289,8 @@ METHOD(pts_t, calculate_secret, bool,
return TRUE;
}
+#ifdef TSS_TROUSERS
+
/**
* Print TPM 1.2 Version Info
*/
@@ -299,14 +310,26 @@ static void print_tpm_version_info(private_pts_t *this)
else
{
DBG2(DBG_PTS, "TPM 1.2 Version Info: Chip Version: %hhu.%hhu.%hhu.%hhu,"
- " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s",
+ " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s [%.*s]",
versionInfo.version.major, versionInfo.version.minor,
versionInfo.version.revMajor, versionInfo.version.revMinor,
versionInfo.specLevel, versionInfo.errataRev,
- versionInfo.tpmVendorID);
+ versionInfo.tpmVendorID, versionInfo.vendorSpecificSize,
+ versionInfo.vendorSpecificSize ?
+ (char*)versionInfo.vendorSpecific : "");
}
+ free(versionInfo.vendorSpecific);
+}
+
+#else
+
+static void print_tpm_version_info(private_pts_t *this)
+{
+ DBG1(DBG_PTS, "unknown TPM version: no TSS implementation available");
}
+#endif /* TSS_TROUSERS */
+
METHOD(pts_t, get_platform_info, char*,
private_pts_t *this)
{
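Review bot: `free(versionInfo.vendorSpecific);` sits after the `if`/`else` in `print_tpm_version_info`, so it also runs on the branch whose condition lies above this hunk. If that branch is the path where decoding the version blob failed, `versionInfo` may not have been filled in and the pointer passed to `free()` would be indeterminate. Moving the `free()` into the `else` branch after the `DBG2`, or zero-initialising `versionInfo` at its declaration, removes the doubt. The added `[%.*s]` also writes TPM-supplied vendor bytes to the log unfiltered, which is worth a short comment.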
@@ -314,10 +337,15 @@ METHOD(pts_t, get_platform_info, char*,
}
METHOD(pts_t, set_platform_info, void,
- private_pts_t *this, char *info)
+ private_pts_t *this, chunk_t name, chunk_t version)
{
+ int len = name.len + 1 + version.len + 1;
+
+ /* platform info is a concatenation of OS name and OS version */
free(this->platform_info);
- this->platform_info = strdup(info);
+ this->platform_info = malloc(len);
+ snprintf(this->platform_info, len, "%.*s %.*s", (int)name.len, name.ptr,
+ (int)version.len, version.ptr);
}
METHOD(pts_t, get_tpm_version_info, bool,
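Review bot: In `set_platform_info` the buffer length is computed in an `int` from two `size_t` chunk lengths, and the `malloc()` result goes straight into `snprintf()`, so oversized chunks could wrap `len` and a failed allocation becomes a NULL write. Both chunks are supplied by the caller; if they carry OS name and version strings received from the peer (not visible in this hunk), they should be length-bounded before the string is built. The minimal change is `size_t len = name.len + 1 + version.len + 1;` followed by `if (!this->platform_info) { return; }` after the `malloc`. A comment noting that an embedded NUL in either chunk truncates the stored string would also help.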
@@ -606,6 +634,9 @@ METHOD(pts_t, get_metadata, pts_file_meta_t*,
return metadata;
}
+
+#ifdef TSS_TROUSERS
+
METHOD(pts_t, read_pcr, bool,
private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value)
{
@@ -857,21 +888,35 @@ err2:
err1:
Tspi_Context_Close(hContext);
-
if (!success)
{
DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result);
}
-
return success;
}
-METHOD(pts_t, get_pcrs, pts_pcr_t*,
- private_pts_t *this)
+#else /* TSS_TROUSERS */
+
+METHOD(pts_t, read_pcr, bool,
+ private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value)
{
- return this->pcrs;
+ return FALSE;
}
+METHOD(pts_t, extend_pcr, bool,
+ private_pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output)
+{
+ return FALSE;
+}
+
+METHOD(pts_t, quote_tpm, bool,
+ private_pts_t *this, bool use_quote2, chunk_t *pcr_comp, chunk_t *quote_sig)
+{
+ return FALSE;
+}
+
+#endif /* TSS_TROUSERS */
+
/**
* TPM_QUOTE_INFO structure:
* 4 bytes of version
@@ -1032,6 +1077,12 @@ METHOD(pts_t, verify_quote_signature, bool,
return TRUE;
}
+METHOD(pts_t, get_pcrs, pts_pcr_t*,
+ private_pts_t *this)
+{
+ return this->pcrs;
+}
+
METHOD(pts_t, destroy, void,
private_pts_t *this)
{
@@ -1047,121 +1098,8 @@ METHOD(pts_t, destroy, void,
free(this);
}
-#define RELEASE_LSB 0
-#define RELEASE_DEBIAN 1
-/**
- * Determine Linux distribution and hardware platform
- */
-static char* extract_platform_info(void)
-{
- FILE *file;
- char buf[BUF_LEN], *pos = buf, *value = NULL;
- int i, len = BUF_LEN - 1;
- struct utsname uninfo;
-
- /* Linux/Unix distribution release info (from http://linuxmafia.com) */
- const char* releases[] = {
- "/etc/lsb-release", "/etc/debian_version",
- "/etc/SuSE-release", "/etc/novell-release",
- "/etc/sles-release", "/etc/redhat-release",
- "/etc/fedora-release", "/etc/gentoo-release",
- "/etc/slackware-version", "/etc/annvix-release",
- "/etc/arch-release", "/etc/arklinux-release",
- "/etc/aurox-release", "/etc/blackcat-release",
- "/etc/cobalt-release", "/etc/conectiva-release",
- "/etc/debian_release", "/etc/immunix-release",
- "/etc/lfs-release", "/etc/linuxppc-release",
- "/etc/mandrake-release", "/etc/mandriva-release",
- "/etc/mandrakelinux-release", "/etc/mklinux-release",
- "/etc/pld-release", "/etc/redhat_version",
- "/etc/slackware-release", "/etc/e-smith-release",
- "/etc/release", "/etc/sun-release",
- "/etc/tinysofa-release", "/etc/turbolinux-release",
- "/etc/ultrapenguin-release", "/etc/UnitedLinux-release",
- "/etc/va-release", "/etc/yellowdog-release"
- };
-
- const char description[] = "DISTRIB_DESCRIPTION=\"";
- const char str_debian[] = "Debian ";
-
- for (i = 0; i < countof(releases); i++)
- {
- file = fopen(releases[i], "r");
- if (!file)
- {
- continue;
- }
-
- if (i == RELEASE_DEBIAN)
- {
- strcpy(buf, str_debian);
- pos += strlen(str_debian);
- len -= strlen(str_debian);
- }
-
- fseek(file, 0, SEEK_END);
- len = min(ftell(file), len);
- rewind(file);
- pos[len] = '\0';
- if (fread(pos, 1, len, file) != len)
- {
- DBG1(DBG_PTS, "failed to read file '%s'", releases[i]);
- fclose(file);
- return NULL;
- }
- fclose(file);
-
- if (i == RELEASE_LSB)
- {
- pos = strstr(buf, description);
- if (!pos)
- {
- DBG1(DBG_PTS, "failed to find begin of lsb-release "
- "DESCRIPTION field");
- return NULL;
- }
- value = pos + strlen(description);
- pos = strchr(value, '"');
- if (!pos)
- {
- DBG1(DBG_PTS, "failed to find end of lsb-release "
- "DESCRIPTION field");
- return NULL;
- }
- }
- else
- {
- value = buf;
- pos = strchr(pos, '\n');
- if (!pos)
- {
- DBG1(DBG_PTS, "failed to find end of release string");
- return NULL;
- }
- }
- break;
- }
-
- if (!value)
- {
- DBG1(DBG_PTS, "no distribution release file found");
- return NULL;
- }
-
- if (uname(&uninfo) < 0)
- {
- DBG1(DBG_PTS, "could not retrieve machine architecture");
- return NULL;
- }
-
- *pos++ = ' ';
- len = sizeof(buf)-1 + (pos - buf);
- strncpy(pos, uninfo.machine, len);
-
- DBG1(DBG_PTS, "platform is '%s'", value);
- return strdup(value);
-}
+#ifdef TSS_TROUSERS
/**
* Check for a TPM by querying for TPM Version Info
@@ -1211,6 +1149,16 @@ static bool has_tpm(private_pts_t *this)
return FALSE;
}
+#else /* TSS_TROUSERS */
+
+static bool has_tpm(private_pts_t *this)
+{
+ return FALSE;
+}
+
+#endif /* TSS_TROUSERS */
+
+
/**
* See header
*/
@@ -1264,8 +1212,6 @@ pts_t *pts_create(bool is_imc)
if (is_imc)
{
- this->platform_info = extract_platform_info();
-
if (has_tpm(this))
{
this->has_tpm = TRUE;
diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h
index 5f88cd15c..423a4c802 100644
--- a/src/libpts/pts/pts.h
+++ b/src/libpts/pts/pts.h
@@ -35,7 +35,7 @@ typedef struct pts_t pts_t;
#include "components/pts_comp_func_name.h"
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* UTF-8 encoding of the character used to delimiter the filename
@@ -171,9 +171,10 @@ struct pts_t {
/**
* Set Platform and OS Info
*
- * @param info Platform and OS info
+ * @param name OS name
+ * @param version OS version
*/
- void (*set_platform_info)(pts_t *this, char *info);
+ void (*set_platform_info)(pts_t *this, chunk_t name, chunk_t version);
/**
* Get TPM 1.2 Version Info
diff --git a/src/libpts/pts/pts_creds.c b/src/libpts/pts/pts_creds.c
index 5a6197bdb..bc483eb84 100644
--- a/src/libpts/pts/pts_creds.c
+++ b/src/libpts/pts/pts_creds.c
@@ -15,7 +15,7 @@
#include "pts_creds.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
#include <credentials/sets/mem_cred.h>
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index 946f37e1e..e0778aaef 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -15,7 +15,7 @@
#include "pts_database.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/hashers/hasher.h>
@@ -151,7 +151,7 @@ METHOD(pts_database_t, check_file_measurement, status_t,
{
status = VERIFY_ERROR;
}
- }
+ }
e->destroy(e);
return status;
@@ -179,7 +179,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
enumerator_t *e;
chunk_t hash;
status_t status = NOT_FOUND;
-
+
e = this->db->query(this->db,
"SELECT hash FROM component_hashes "
"WHERE component = ? AND key = ? "
@@ -188,7 +188,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
DB_INT, pcr, DB_INT, algo, DB_BLOB);
if (!e)
{
- DBG1(DBG_PTS, "no database query enumerator returned");
+ DBG1(DBG_PTS, "no database query enumerator returned");
return FAILED;
}
@@ -225,7 +225,7 @@ METHOD(pts_database_t, insert_comp_measurement, status_t,
int seq_no, int pcr, pts_meas_algorithms_t algo)
{
int id;
-
+
if (this->db->execute(this->db, &id,
"INSERT INTO component_hashes "
"(component, key, seq_no, pcr, algo, hash) "
diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c
index fb141327f..41a436036 100644
--- a/src/libpts/pts/pts_dh_group.c
+++ b/src/libpts/pts/pts_dh_group.c
@@ -15,7 +15,7 @@
#include "pts_dh_group.h"
-#include <debug.h>
+#include <utils/debug.h>
/**
* Described in header.
@@ -27,7 +27,7 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
const char *plugin_name;
char format1[] = " %s PTS DH group %N[%s] available";
char format2[] = " %s PTS DH group %N not available";
-
+
*dh_groups = PTS_DH_GROUP_NONE;
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c
index 4fece6b3c..e69c32443 100644
--- a/src/libpts/pts/pts_file_meas.c
+++ b/src/libpts/pts/pts_file_meas.c
@@ -15,8 +15,8 @@
#include "pts_file_meas.h"
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
#include <sys/stat.h>
#include <libgen.h>
@@ -179,7 +179,7 @@ METHOD(pts_file_meas_t, verify, bool,
}
}
enumerator->destroy(enumerator);
-
+
if (!found)
{
DBG1(DBG_PTS, " no measurement found for '%s'", filename);
@@ -200,7 +200,7 @@ METHOD(pts_file_meas_t, verify, bool,
break;
}
}
- return success;
+ return success;
}
METHOD(pts_file_meas_t, destroy, void,
diff --git a/src/libpts/pts/pts_file_meta.c b/src/libpts/pts/pts_file_meta.c
index 6ed1c01b4..9cca0a5a5 100644
--- a/src/libpts/pts/pts_file_meta.c
+++ b/src/libpts/pts/pts_file_meta.c
@@ -15,8 +15,8 @@
#include "pts_file_meta.h"
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_pts_file_meta_t private_pts_file_meta_t;
diff --git a/src/libpts/pts/pts_meas_algo.c b/src/libpts/pts/pts_meas_algo.c
index fbc9c6959..16a66e7b3 100644
--- a/src/libpts/pts/pts_meas_algo.c
+++ b/src/libpts/pts/pts_meas_algo.c
@@ -15,7 +15,7 @@
#include "pts_meas_algo.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM_BEGIN(pts_meas_algorithm_names, PTS_MEAS_ALGO_NONE, PTS_MEAS_ALGO_NONE,
"None");
@@ -43,7 +43,7 @@ bool pts_meas_algo_probe(pts_meas_algorithms_t *algorithms)
const char *plugin_name;
char format1[] = " %s PTS measurement algorithm %N[%s] available";
char format2[] = " %s PTS measurement algorithm %N not available";
-
+
*algorithms = 0;
enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
diff --git a/src/libpts/pts/pts_pcr.c b/src/libpts/pts/pts_pcr.c
index a7a2f5fae..0af93b608 100644
--- a/src/libpts/pts/pts_pcr.c
+++ b/src/libpts/pts/pts_pcr.c
@@ -15,7 +15,7 @@
#include "pts_pcr.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <stdarg.h>
diff --git a/src/libpts/tcg/tcg_pts_attr_aik.c b/src/libpts/tcg/tcg_pts_attr_aik.c
index 75f3f179c..d5bbdc9cd 100644
--- a/src/libpts/tcg/tcg_pts_attr_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_aik.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_aik_t private_tcg_pts_attr_aik_t;
@@ -57,7 +57,7 @@ struct private_tcg_pts_attr_aik_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
@@ -135,7 +135,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
u_int8_t flags;
certificate_type_t type;
chunk_t aik_blob;
-
+
if (this->value.len < PTS_AIK_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Attestation Identity Key");
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
index 3ca255cba..4d7281243 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_dh_nonce_finish_t
private_tcg_pts_attr_dh_nonce_finish_t;
@@ -36,7 +36,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_finish_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | D-H Initiator Nonce ... |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_DH_NONCE_FINISH_SIZE 12
@@ -66,7 +66,7 @@ struct private_tcg_pts_attr_dh_nonce_finish_t {
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Selected Hashing Algorithm
*/
@@ -127,7 +127,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer->write_uint16(writer, this->hash_algo);
writer->write_data (writer, this->initiator_value);
writer->write_data (writer, this->initiator_nonce);
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
index 828c09605..7796dbaab 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_dh_nonce_params_req_t
private_tcg_pts_attr_dh_nonce_params_req_t;
@@ -32,7 +32,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_req_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Reserved | Min. Nonce Len | D-H Group Set |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_DH_NONCE_PARAMS_REQ_SIZE 4
@@ -62,7 +62,7 @@ struct private_tcg_pts_attr_dh_nonce_params_req_t {
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Minimum acceptable length of nonce
*/
@@ -116,7 +116,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer->write_uint8 (writer, PTS_DH_NONCE_PARAMS_REQ_RESERVED);
writer->write_uint8 (writer, this->min_nonce_len);
writer->write_uint16(writer, this->dh_groups);
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
index 66ac185b3..1e82e7098 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t
private_tcg_pts_attr_dh_nonce_params_resp_t;
@@ -38,7 +38,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | D-H Responder Public Value ... |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_DH_NONCE_PARAMS_RESP_SIZE 16
@@ -68,7 +68,7 @@ struct private_tcg_pts_attr_dh_nonce_params_resp_t {
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Selected Diffie Hellman group
*/
@@ -135,7 +135,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer->write_uint16(writer, this->hash_algo_set);
writer->write_data (writer, this->responder_nonce);
writer->write_data (writer, this->responder_value);
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.c b/src/libpts/tcg/tcg_pts_attr_file_meas.c
index 01c4361e1..1daac70e5 100644
--- a/src/libpts/tcg/tcg_pts_attr_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_file_meas.c
@@ -18,15 +18,15 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_file_meas_t private_tcg_pts_attr_file_meas_t;
/**
* File Measurement
* see section 3.19.2 of PTS Protocol: Binding to TNC IF-M Specification
- *
+ *
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -72,12 +72,12 @@ struct private_tcg_pts_attr_file_meas_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* PTS File Measurements
*/
@@ -123,7 +123,7 @@ METHOD(pa_tnc_attr_t, build, void,
char *filename;
chunk_t measurement;
bool first = TRUE;
-
+
if (this->value.ptr)
{
return;
@@ -144,8 +144,7 @@ METHOD(pa_tnc_attr_t, build, void,
first = FALSE;
}
writer->write_data (writer, measurement);
- writer->write_uint16(writer, strlen(filename));
- writer->write_data (writer, chunk_create(filename, strlen(filename)));
+ writer->write_data16(writer, chunk_create(filename, strlen(filename)));
}
enumerator->destroy(enumerator);
@@ -164,12 +163,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
{
bio_reader_t *reader;
u_int64_t number_of_files;
- u_int16_t request_id, meas_len, filename_len;
- size_t len;
+ u_int16_t request_id, meas_len;
chunk_t measurement, filename;
+ size_t len;
char buf[BUF_LEN];
status_t status = FAILED;
-
+
if (this->value.len < PTS_FILE_MEAS_SIZE)
{
DBG1(DBG_TNC, "insufficient data for PTS file measurement header");
@@ -181,9 +180,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader->read_uint64(reader, &number_of_files);
reader->read_uint16(reader, &request_id);
reader->read_uint16(reader, &meas_len);
-
+ *offset = PTS_FILE_MEAS_SIZE;
+
this->measurements = pts_file_meas_create(request_id);
-
+
while (number_of_files--)
{
if (!reader->read_data(reader, meas_len, &measurement))
@@ -191,16 +191,14 @@ METHOD(pa_tnc_attr_t, process, status_t,
DBG1(DBG_TNC, "insufficient data for PTS file measurement");
goto end;
}
- if (!reader->read_uint16(reader, &filename_len))
- {
- DBG1(DBG_TNC, "insufficient data for filename length");
- goto end;
- }
- if (!reader->read_data(reader, filename_len, &filename))
+ *offset += meas_len;
+
+ if (!reader->read_data16(reader, &filename))
{
DBG1(DBG_TNC, "insufficient data for filename");
goto end;
}
+ *offset += 2 + filename.len;
len = min(filename.len, BUF_LEN-1);
memcpy(buf, filename.ptr, len);
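Review bot: The filename length comes from the peer's 16-bit prefix read by `read_data16`, and the copy on the last two lines of this hunk clamps it to `BUF_LEN-1` without logging anything, so an over-long name is silently shortened before `buf` is used. If truncated names are not meant to be accepted, a guard before the copy would make this explicit, for example `if (filename.len >= BUF_LEN) { DBG1(DBG_TNC, "filename too long"); goto end; }` (message text is a suggestion). The bare `2` in `*offset += 2 + filename.len;` is presumably the size of that length prefix; a short comment such as `/* 16-bit length prefix + filename */` would say so. The body of `process` starts before and continues past this hunk.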
@@ -225,7 +223,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- this->measurements->destroy(this->measurements);
+ DESTROY_IF(this->measurements);
free(this->value.ptr);
free(this);
}
diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
index 5eac5ecae..9103e06b2 100644
--- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_gen_attest_evid_t
private_tcg_pts_attr_gen_attest_evid_t;
@@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_gen_attest_evid_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_GEN_ATTEST_EVID_SIZE 4
@@ -115,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
{
bio_reader_t *reader;
u_int32_t reserved;
-
+
if (this->value.len < PTS_GEN_ATTEST_EVID_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Generate Attestation Evidence");
diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.c b/src/libpts/tcg/tcg_pts_attr_get_aik.c
index 4b5eae7a7..6f35f5419 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_aik.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_get_aik_t private_tcg_pts_attr_get_aik_t;
@@ -112,7 +112,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
{
bio_reader_t *reader;
u_int32_t reserved;
-
+
if (this->value.len < PTS_GET_AIK_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Get AIK");
diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
index 0cfc7efa9..4dd64e3a7 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_get_tpm_version_info_t
private_tcg_pts_attr_get_tpm_version_info_t;
@@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_get_tpm_version_info_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_GET_TPM_VER_INFO_SIZE 4
@@ -115,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
{
bio_reader_t *reader;
u_int32_t reserved;
-
+
if (this->value.len < PTS_GET_TPM_VER_INFO_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Get TPM Version Information");
diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.c b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
index bb95adc9e..abef45bdd 100644
--- a/src/libpts/tcg/tcg_pts_attr_meas_algo.c
+++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
@@ -18,12 +18,12 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t;
/**
- * PTS Measurement Algorithm
+ * PTS Measurement Algorithm
* see section 3.9.1 of PTS Protocol: Binding to TNC IF-M Specification
*
* 1 2 3
@@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Reserved | Hash Algorithm Set |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_MEAS_ALGO_SIZE 4
@@ -61,7 +61,7 @@ struct private_tcg_pts_attr_meas_algo_t {
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Set of algorithms
*/
diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.c b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
index 83665ff69..360883282 100644
--- a/src/libpts/tcg/tcg_pts_attr_proto_caps.c
+++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps_t;
@@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Reserved |C|V|D|T|X|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
+ *
*/
#define PTS_PROTO_CAPS_SIZE 4
@@ -61,7 +61,7 @@ struct private_tcg_pts_attr_proto_caps_t {
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Set of flags
*/
@@ -109,7 +109,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer = bio_writer_create(PTS_PROTO_CAPS_SIZE);
writer->write_uint16(writer, PTS_PROTO_CAPS_RESERVED);
writer->write_uint16(writer, this->flags);
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
index 65bdff579..8b4bfe54d 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
@@ -18,14 +18,16 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#include <string.h>
typedef struct private_tcg_pts_attr_req_file_meas_t private_tcg_pts_attr_req_file_meas_t;
/**
* Request File Measurement
* see section 3.19.1 of PTS Protocol: Binding to TNC IF-M Specification
- *
+ *
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -62,12 +64,12 @@ struct private_tcg_pts_attr_req_file_meas_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Directory Contents flag
*/
@@ -77,12 +79,12 @@ struct private_tcg_pts_attr_req_file_meas_t {
* Request ID
*/
u_int16_t request_id;
-
+
/**
* UTF8 Encoding of Delimiter Character
*/
u_int32_t delimiter;
-
+
/**
* Fully Qualified File Pathname
*/
@@ -124,7 +126,7 @@ METHOD(pa_tnc_attr_t, build, void,
u_int8_t flags = PTS_REQ_FILE_MEAS_NO_FLAGS;
chunk_t pathname;
bio_writer_t *writer;
-
+
if (this->value.ptr)
{
return;
@@ -152,7 +154,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
u_int8_t flags;
u_int8_t reserved;
chunk_t pathname;
-
+
if (this->value.len < PTS_REQ_FILE_MEAS_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Request File Measurement");
@@ -169,10 +171,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) !=
PTS_REQ_FILE_MEAS_NO_FLAGS;
-
- this->pathname = malloc(pathname.len + 1);
- memcpy(this->pathname, pathname.ptr, pathname.len);
- this->pathname[pathname.len] = '\0';
+ this->pathname = strndup(pathname.ptr, pathname.len);
reader->destroy(reader);
return SUCCESS;
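Review bot: `strndup()` can return NULL on allocation failure, yet `process` still returns SUCCESS two lines later, leaving `this->pathname` NULL for whoever reads the attribute next; a check such as `if (!this->pathname) { reader->destroy(reader); return FAILED; }` would close that gap. `strndup` also stops at the first NUL byte, so a peer-supplied pathname with an embedded NUL ends up shorter than `pathname.len` with no diagnostic; testing `memchr(pathname.ptr, '\0', pathname.len)` before the copy would let the attribute be rejected instead. The same two points apply to the `strndup` calls this commit adds in tcg_pts_attr_req_file_meta.c and tcg_pts_attr_unix_file_meta.c. The body of `process` starts outside this hunk.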
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
index eb5114172..ff5581435 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
@@ -18,14 +18,16 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#include <string.h>
typedef struct private_tcg_pts_attr_req_file_meta_t private_tcg_pts_attr_req_file_meta_t;
/**
* Request File Metadata
* see section 3.17.1 of PTS Protocol: Binding to TNC IF-M Specification
- *
+ *
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -60,22 +62,22 @@ struct private_tcg_pts_attr_req_file_meta_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* Directory Contents flag
*/
bool directory_flag;
-
+
/**
* UTF8 Encoding of Delimiter Character
*/
u_int8_t delimiter;
-
+
/**
* Fully Qualified File Pathname
*/
@@ -117,7 +119,7 @@ METHOD(pa_tnc_attr_t, build, void,
u_int8_t flags = PTS_REQ_FILE_META_NO_FLAGS;
chunk_t pathname;
bio_writer_t *writer;
-
+
if (this->value.ptr)
{
return;
@@ -132,7 +134,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer->write_uint8 (writer, flags);
writer->write_uint8 (writer, this->delimiter);
writer->write_uint16(writer, PTS_REQ_FILE_META_RESERVED);
-
+
writer->write_data (writer, pathname);
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
@@ -145,7 +147,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
u_int8_t flags;
u_int16_t reserved;
chunk_t pathname;
-
+
if (this->value.len < PTS_REQ_FILE_META_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Request File Metadata");
@@ -157,15 +159,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader->read_uint8 (reader, &flags);
reader->read_uint8 (reader, &this->delimiter);
reader->read_uint16(reader, &reserved);
-
+
reader->read_data (reader, reader->remaining(reader), &pathname);
this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) !=
PTS_REQ_FILE_META_NO_FLAGS;
-
- this->pathname = malloc(pathname.len + 1);
- memcpy(this->pathname, pathname.ptr, pathname.len);
- this->pathname[pathname.len] = '\0';
+ this->pathname = strndup(pathname.ptr, pathname.len);
reader->destroy(reader);
return SUCCESS;
diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
index a631e9891..8bb43aef8 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
@@ -18,8 +18,8 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_req_func_comp_evid_t;
@@ -47,7 +47,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re
*/
/**
- * Component Functional Name Structure
+ * Component Functional Name Structure
* (see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification)
*
* 1 2 3
@@ -58,7 +58,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re
* | Component Functional Name |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
-
+
#define PTS_REQ_FUNC_COMP_EVID_SIZE 12
#define PTS_REQ_FUNC_COMP_FAMILY_MASK 0xC0
@@ -81,7 +81,7 @@ struct private_tcg_pts_attr_req_func_comp_evid_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
@@ -249,7 +249,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
entry->flags = flags;
entry->depth = depth;
entry->name = pts_comp_func_name_create(vendor_id, name, qualifier);
-
+
this->list->insert_last(this->list, entry);
}
status = SUCCESS;
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
index 387f4a115..c659443b7 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
@@ -18,16 +18,16 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <time.h>
typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simple_comp_evid_t;
/**
- * Simple Component Evidence
+ * Simple Component Evidence
* see section 3.15.1 of PTS Protocol: Binding to TNC IF-M Specification
- *
+ *
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -66,7 +66,7 @@ typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simp
*/
/**
- * Specific Functional Component -> Component Functional Name Structure
+ * Specific Functional Component -> Component Functional Name Structure
* see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification
*
* 1 2 3
@@ -108,12 +108,12 @@ struct private_tcg_pts_attr_simple_comp_evid_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* PTS Component Evidence
*/
@@ -184,7 +184,7 @@ METHOD(pa_tnc_attr_t, build, void,
pts_comp_evid_validation_t validation;
time_t measurement_time;
chunk_t measurement, utc_time, pcr_before, pcr_after;
-
+
if (this->value.ptr)
{
return;
@@ -200,7 +200,7 @@ METHOD(pa_tnc_attr_t, build, void,
&pcr_before, &pcr_after);
validation = this->evidence->get_validation(this->evidence,
&policy_uri);
-
+
/* Determine the flags to set*/
flags = validation;
if (has_pcr_info)
@@ -208,7 +208,7 @@ METHOD(pa_tnc_attr_t, build, void,
flags |= PTS_SIMPLE_COMP_EVID_FLAG_PCR;
}
- utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE);
+ utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE);
measurement_time_to_utc(measurement_time, &utc_time);
writer = bio_writer_create(PTS_SIMPLE_COMP_EVID_SIZE);
@@ -224,7 +224,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer->write_uint8 (writer, transform);
writer->write_uint8 (writer, PTS_SIMPLE_COMP_EVID_RESERVED);
writer->write_data (writer, utc_time);
-
+
/* Optional fields */
if (validation == PTS_COMP_EVID_VALIDATION_FAILED ||
validation == PTS_COMP_EVID_VALIDATION_PASSED)
@@ -241,7 +241,7 @@ METHOD(pa_tnc_attr_t, build, void,
}
writer->write_data(writer, measurement);
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
@@ -250,7 +250,7 @@ static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 33
static const int tm_leap_1970 = 477;
/**
- * Convert Simple Component Evidence UTS string format to time_t
+ * Convert Simple Component Evidence UTS string format to time_t
*/
bool measurement_time_from_utc(time_t *measurement_time, chunk_t utc_time)
{
@@ -314,7 +314,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
return FAILED;
}
reader = bio_reader_create(this->value);
-
+
reader->read_uint8 (reader, &flags);
reader->read_uint24(reader, &depth);
reader->read_uint24(reader, &vendor_id);
@@ -364,7 +364,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
}
has_validation = TRUE;
}
-
+
/* Are optional PCR value fields included? */
if (flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR)
{
@@ -389,11 +389,11 @@ METHOD(pa_tnc_attr_t, process, status_t,
has_pcr_info = TRUE;
}
- /* Measurement field comes at the very end */
+ /* Measurement field comes at the very end */
reader->read_data(reader,reader->remaining(reader), &measurement);
reader->destroy(reader);
- /* Create Component Functional Name object */
+ /* Create Component Functional Name object */
name = pts_comp_func_name_create(vendor_id, comp_name, qualifier);
/* Create Component Evidence object */
@@ -439,7 +439,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- this->evidence->destroy(this->evidence);
+ DESTROY_IF(this->evidence);
free(this->value.ptr);
free(this);
}
@@ -457,7 +457,7 @@ METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_evidence, pts_comp_evidence_t*,
pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid)
{
private_tcg_pts_attr_simple_comp_evid_t *this;
-
+
INIT(this,
.public = {
.pa_tnc_attribute = {
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
index 8d2d4f82d..8c76651d6 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
@@ -19,14 +19,14 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_simple_evid_final_t private_tcg_pts_attr_simple_evid_final_t;
/**
* Simple Evidence Final
* see section 3.15.2 of PTS Protocol: Binding to TNC IF-M Specification
- *
+ *
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -66,7 +66,7 @@ struct private_tcg_pts_attr_simple_evid_final_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
@@ -81,22 +81,22 @@ struct private_tcg_pts_attr_simple_evid_final_t {
* Optional Composite Hash Algorithm
*/
pts_meas_algorithms_t comp_hash_algorithm;
-
+
/**
* Optional TPM PCR Composite
*/
chunk_t pcr_comp;
-
+
/**
* Optional TPM Quote Signature
*/
chunk_t tpm_quote_sig;
-
+
/**
* Is Evidence Signature included?
*/
bool has_evid_sig;
-
+
/**
* Optional Evidence Signature
*/
@@ -157,7 +157,7 @@ METHOD(pa_tnc_attr_t, build, void,
{
bio_writer_t *writer;
u_int8_t flags;
-
+
if (this->value.ptr)
{
return;
@@ -172,7 +172,7 @@ METHOD(pa_tnc_attr_t, build, void,
writer = bio_writer_create(PTS_SIMPLE_EVID_FINAL_SIZE);
writer->write_uint8 (writer, flags);
writer->write_uint8 (writer, PTS_SIMPLE_EVID_FINAL_RESERVED);
-
+
/** Optional Composite Hash Algorithm field is always present
* Field has value of all zeroes if not used.
* Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
@@ -193,7 +193,7 @@ METHOD(pa_tnc_attr_t, build, void,
{
writer->write_data (writer, this->evid_sig);
}
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
@@ -206,7 +206,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
u_int16_t algorithm;
u_int32_t pcr_comp_len, tpm_quote_sig_len, evid_sig_len;
status_t status = FAILED;
-
+
if (this->value.len < PTS_SIMPLE_EVID_FINAL_SIZE)
{
DBG1(DBG_TNC, "insufficient data for Simple Evidence Final");
@@ -214,7 +214,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
return FAILED;
}
reader = bio_reader_create(this->value);
-
+
reader->read_uint8(reader, &flags);
reader->read_uint8(reader, &reserved);
@@ -226,10 +226,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
* Field has value of all zeroes if not used.
* Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
*/
-
+
reader->read_uint16(reader, &algorithm);
this->comp_hash_algorithm = algorithm;
-
+
/* Optional Composite Hash Algorithm and TPM PCR Composite fields */
if (this->flags != PTS_SIMPLE_EVID_FINAL_NO)
{
@@ -246,7 +246,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
goto end;
}
this->pcr_comp = chunk_clone(this->pcr_comp);
-
+
if (!reader->read_uint32(reader, &tpm_quote_sig_len))
{
DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final "
@@ -261,7 +261,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
}
this->tpm_quote_sig = chunk_clone(this->tpm_quote_sig);
}
-
+
/* Optional Evidence Signature field */
if (this->has_evid_sig)
{
@@ -269,7 +269,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader->read_data(reader, evid_sig_len, &this->evid_sig);
this->evid_sig = chunk_clone(this->evid_sig);
}
-
+
reader->destroy(reader);
return SUCCESS;
diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
index 8d1e78f18..5143e1676 100644
--- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
@@ -18,7 +18,7 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tcg_pts_attr_tpm_version_info_t private_tcg_pts_attr_tpm_version_info_t;
@@ -62,7 +62,7 @@ struct private_tcg_pts_attr_tpm_version_info_t {
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* TPM Version Information
*/
@@ -118,7 +118,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
private_tcg_pts_attr_tpm_version_info_t *this, u_int32_t *offset)
{
bio_reader_t *reader;
-
+
if (this->value.len < PTS_TPM_VER_INFO_SIZE)
{
DBG1(DBG_TNC, "insufficient data for TPM Version Information");
diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
index 4f93ee885..56686d8ca 100644
--- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
@@ -18,15 +18,17 @@
#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
#include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+#include <string.h>
typedef struct private_tcg_pts_attr_file_meta_t private_tcg_pts_attr_file_meta_t;
/**
* Unix-Style File Metadata
* see section 3.17.3 of PTS Protocol: Binding to TNC IF-M Specification
- *
+ *
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -88,12 +90,12 @@ struct private_tcg_pts_attr_file_meta_t {
* Attribute value
*/
chunk_t value;
-
+
/**
* Noskip flag
*/
bool noskip_flag;
-
+
/**
* PTS File Metadata
*/
@@ -136,7 +138,7 @@ METHOD(pa_tnc_attr_t, build, void,
enumerator_t *enumerator;
pts_file_metadata_t *entry;
u_int64_t number_of_files;
-
+
if (this->value.ptr)
{
return;
@@ -163,7 +165,7 @@ METHOD(pa_tnc_attr_t, build, void,
strlen(entry->filename)));
}
enumerator->destroy(enumerator);
-
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
@@ -179,7 +181,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
u_int64_t owner, group;
chunk_t filename;
status_t status = FAILED;
-
+
if (this->value.len < PTS_FILE_META_SIZE)
{
DBG1(DBG_TNC, "insufficient data for PTS Unix-Style file metadata header");
@@ -190,7 +192,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader->read_uint64(reader, &number_of_files);
this->metadata = pts_file_meta_create();
-
+
while (number_of_files--)
{
if (!reader->read_uint16(reader, &len))
@@ -243,7 +245,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
DBG1(DBG_TNC, "insufficient data for filename");
goto end;
}
-
+
entry = malloc_thing(pts_file_metadata_t);
entry->type = type;
entry->filesize = filesize;
@@ -252,9 +254,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
entry->accessed = accessed;
entry->owner = owner;
entry->group = group;
- entry->filename = malloc(filename.len + 1);
- entry->filename[filename.len] = '\0';
- memcpy(entry->filename, filename.ptr, filename.len);
+ entry->filename = strndup(filename.ptr, filename.len);
this->metadata->add(this->metadata, entry);
}
@@ -277,7 +277,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- this->metadata->destroy(this->metadata);
+ DESTROY_IF(this->metadata);
free(this->value.ptr);
free(this);
}
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 15642db64..ea306d748 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libradius_la_LIBADD =
@@ -116,6 +122,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -143,6 +150,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,6 +178,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -182,6 +191,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -235,7 +245,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -356,7 +365,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES)
+libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) $(EXTRA_libradius_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -496,10 +505,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libradius/radius_client.c b/src/libradius/radius_client.c
index acdac78c9..1478c3d9e 100644
--- a/src/libradius/radius_client.c
+++ b/src/libradius/radius_client.c
@@ -19,9 +19,9 @@
#include <unistd.h>
#include <errno.h>
-#include <debug.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
#include <threading/condvar.h>
#include <threading/mutex.h>
diff --git a/src/libradius/radius_config.c b/src/libradius/radius_config.c
index 6e3394bb0..5dbd1d7e0 100644
--- a/src/libradius/radius_config.c
+++ b/src/libradius/radius_config.c
@@ -17,7 +17,7 @@
#include <threading/mutex.h>
#include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_radius_config_t private_radius_config_t;
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 77f9b0398..059dcda4b 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -15,7 +15,7 @@
#include "radius_message.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/hashers/hasher.h>
typedef struct private_radius_message_t private_radius_message_t;
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index ba7cb14b0..7dab968d8 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -20,7 +20,7 @@
#include <unistd.h>
#include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_radius_socket_t private_radius_socket_t;
diff --git a/src/libradius/radius_socket.h b/src/libradius/radius_socket.h
index 07d642c08..eb510ea89 100644
--- a/src/libradius/radius_socket.h
+++ b/src/libradius/radius_socket.h
@@ -25,7 +25,7 @@ typedef struct radius_socket_t radius_socket_t;
#include "radius_message.h"
-#include <utils/host.h>
+#include <networking/host.h>
/**
* RADIUS socket to a server.
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index cdc7799ae..cf9bd61d8 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libsimaka_la_LIBADD =
@@ -116,6 +122,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -143,6 +150,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,6 +178,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -182,6 +191,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -235,7 +245,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -353,7 +362,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES)
+libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) $(EXTRA_libsimaka_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -492,10 +501,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c
index 92db19317..e60c02a1a 100644
--- a/src/libsimaka/simaka_crypto.c
+++ b/src/libsimaka/simaka_crypto.c
@@ -17,7 +17,7 @@
#include "simaka_manager.h"
-#include <debug.h>
+#include <utils/debug.h>
/** length of the k_encr key */
#define KENCR_LEN 16
@@ -150,7 +150,6 @@ METHOD(simaka_crypto_t, derive_keys_full, bool,
k_encr = chunk_create(str.ptr, KENCR_LEN);
k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
- DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
if (!this->signer->set_key(this->signer, k_auth) ||
!this->crypter->set_key(this->crypter, k_encr))
@@ -160,6 +159,7 @@ METHOD(simaka_crypto_t, derive_keys_full, bool,
}
*msk = chunk_clone(chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN));
+ DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, msk);
call_hook(this, k_encr, k_auth);
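Review bot: The DBG3 line re-added after `chunk_clone()` writes K_encr, K_auth and the MSK in full to the log at debug level 3, so a deployment that raises the lib log level for troubleshooting ends up with usable SIM/AKA keying material in its log files. Passing `msk` instead of `&msk` corrects the argument for `%B`, but the level is unchanged. strongSwan's convention keeps sensitive dumps such as keys at level 4, so `DBG4(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, msk);` would fit better. `derive_keys_full` continues outside the hunk, so whether the intermediate `str` buffer is wiped after use cannot be confirmed from here.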
diff --git a/src/libsimaka/simaka_manager.c b/src/libsimaka/simaka_manager.c
index 65de1c5ab..e85dd660b 100644
--- a/src/libsimaka/simaka_manager.c
+++ b/src/libsimaka/simaka_manager.c
@@ -15,8 +15,8 @@
#include "simaka_manager.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_simaka_manager_t private_simaka_manager_t;
diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h
index 64a67e56c..810cb0685 100644
--- a/src/libsimaka/simaka_manager.h
+++ b/src/libsimaka/simaka_manager.h
@@ -23,7 +23,7 @@
#include <crypto/hashers/hasher.h>
#include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <plugins/plugin.h>
typedef struct simaka_manager_t simaka_manager_t;
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index aa36a0974..7dd15480b 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -17,8 +17,8 @@
#include "simaka_manager.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
typedef struct private_simaka_message_t private_simaka_message_t;
typedef struct hdr_t hdr_t;
diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h
index 209067c70..32c39a348 100644
--- a/src/libsimaka/simaka_message.h
+++ b/src/libsimaka/simaka_message.h
@@ -26,7 +26,7 @@
#ifndef SIMAKA_MESSAGE_H_
#define SIMAKA_MESSAGE_H_
-#include <enum.h>
+#include <utils/enum.h>
#include <eap/eap.h>
#include "simaka_crypto.h"
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 4912576df..65cfe5292 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -3,9 +3,10 @@ include $(CLEAR_VARS)
# copy-n-paste from Makefile.am
LOCAL_SRC_FILES := \
-library.c chunk.c debug.c enum.c settings.c printf_hook.c asn1/asn1.c \
-asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
-crypto/crypters/crypter.c crypto/hashers/hasher.c crypto/pkcs7.c crypto/pkcs9.c \
+library.c \
+asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
@@ -16,19 +17,22 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
credentials/keys/public_key.c credentials/keys/shared_key.c \
credentials/certificates/certificate.c credentials/certificates/crl.c \
credentials/certificates/ocsp_response.c \
+credentials/containers/container.c \
credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
ipsec/ipsec_types.c \
+networking/host.c networking/host_resolver.c networking/packet.c \
+networking/tun_device.c \
pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-utils.c utils/host.c utils/packet.c utils/identification.c utils/lexparser.c \
-utils/linked_list.c utils/blocking_queue.c utils/hashtable.c utils/enumerator.c \
-utils/optionsfrom.c utils/capabilities.c utils/backtrace.c utils/tun_device.c
+utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
+utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
+utils/printf_hook.c utils/settings.c
# adding the plugin source files
@@ -68,6 +72,8 @@ LOCAL_SRC_FILES += $(call add_plugin, pem)
LOCAL_SRC_FILES += $(call add_plugin, pkcs1)
+LOCAL_SRC_FILES += $(call add_plugin, pkcs7)
+
LOCAL_SRC_FILES += $(call add_plugin, pkcs8)
LOCAL_SRC_FILES += $(call add_plugin, pkcs11)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 463d57d95..9c4665eeb 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,9 +1,10 @@
ipseclib_LTLIBRARIES = libstrongswan.la
libstrongswan_la_SOURCES = \
-library.c chunk.c debug.c enum.c settings.c printf_hook.c asn1/asn1.c \
-asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
-crypto/crypters/crypter.c crypto/hashers/hasher.c crypto/pkcs7.c crypto/pkcs9.c \
+library.c \
+asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
@@ -14,28 +15,32 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
credentials/keys/public_key.c credentials/keys/shared_key.c \
credentials/certificates/certificate.c credentials/certificates/crl.c \
credentials/certificates/ocsp_response.c \
+credentials/containers/container.c \
credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
ipsec/ipsec_types.c \
+networking/host.c networking/host_resolver.c networking/packet.c \
+networking/tun_device.c \
pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-utils.c utils/host.c utils/packet.c utils/identification.c utils/lexparser.c \
-utils/linked_list.c utils/blocking_queue.c utils/hashtable.c utils/enumerator.c \
-utils/optionsfrom.c utils/capabilities.c utils/backtrace.c utils/tun_device.c
+utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
+utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
+utils/printf_hook.c utils/settings.c
if USE_DEV_HEADERS
strongswan_includedir = ${dev_headers}
nobase_strongswan_include_HEADERS = \
-library.h chunk.h debug.h enum.h settings.h printf_hook.h \
+library.h \
asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
+collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
+collections/linked_list.h \
crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
-crypto/pkcs7.h crypto/pkcs9.h crypto/proposal/proposal_keywords.h \
-crypto/proposal/proposal_keywords_static.h \
+crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
@@ -48,6 +53,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
credentials/certificates/ocsp_response.h \
credentials/certificates/pgp_certificate.h \
+credentials/containers/container.h credentials/containers/pkcs7.h \
credentials/ietf_attributes/ietf_attributes.h \
credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
@@ -55,16 +61,17 @@ credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
database/database.h database/database_factory.h fetcher/fetcher.h \
fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+networking/host.h networking/host_resolver.h networking/packet.h \
+networking/tun_device.h \
plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
processing/scheduler.h selectors/traffic_selector.h \
threading/thread.h threading/thread_value.h \
threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
-utils.h utils/host.h utils/packet.h utils/identification.h utils/lexparser.h \
-utils/linked_list.h utils/blocking_queue.h utils/hashtable.h utils/enumerator.h \
-utils/optionsfrom.h utils/capabilities.h utils/backtrace.h utils/tun_device.h \
-utils/leak_detective.h integrity_checker.h
+utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
+utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
+utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
endif
library.lo : $(top_builddir)/config.status
@@ -89,7 +96,7 @@ endif
if USE_INTEGRITY_TEST
AM_CFLAGS += -DINTEGRITY_TEST
- libstrongswan_la_SOURCES += integrity_checker.c
+ libstrongswan_la_SOURCES += utils/integrity_checker.c
endif
if USE_VSTR
@@ -197,6 +204,13 @@ if MONOLITHIC
endif
endif
+if USE_RDRAND
+ SUBDIRS += plugins/rdrand
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/rdrand/libstrongswan-rdrand.la
+endif
+endif
+
if USE_RANDOM
SUBDIRS += plugins/random
if MONOLITHIC
@@ -267,6 +281,13 @@ if MONOLITHIC
endif
endif
+if USE_PKCS7
+ SUBDIRS += plugins/pkcs7
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/pkcs7/libstrongswan-pkcs7.la
+endif
+endif
+
if USE_PKCS8
SUBDIRS += plugins/pkcs8
if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index aeebb25c0..6c0ce7a88 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -39,7 +39,7 @@ host_triplet = @host@
@USE_LEAK_DETECTIVE_TRUE@am__append_2 = utils/leak_detective.c
@USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_INTEGRITY_TEST_TRUE@am__append_5 = integrity_checker.c
+@USE_INTEGRITY_TEST_TRUE@am__append_5 = utils/integrity_checker.c
@USE_VSTR_TRUE@am__append_6 = -lvstr
@USE_LIBCAP_TRUE@am__append_7 = -lcap
@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg
@@ -60,64 +60,68 @@ host_triplet = @host@
@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_23 = plugins/sha2/libstrongswan-sha2.la
@USE_GMP_TRUE@am__append_24 = plugins/gmp
@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_25 = plugins/gmp/libstrongswan-gmp.la
-@USE_RANDOM_TRUE@am__append_26 = plugins/random
-@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_27 = plugins/random/libstrongswan-random.la
-@USE_NONCE_TRUE@am__append_28 = plugins/nonce
-@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_29 = plugins/nonce/libstrongswan-nonce.la
-@USE_HMAC_TRUE@am__append_30 = plugins/hmac
-@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_31 = plugins/hmac/libstrongswan-hmac.la
-@USE_CMAC_TRUE@am__append_32 = plugins/cmac
-@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_33 = plugins/cmac/libstrongswan-cmac.la
-@USE_XCBC_TRUE@am__append_34 = plugins/xcbc
-@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_35 = plugins/xcbc/libstrongswan-xcbc.la
-@USE_X509_TRUE@am__append_36 = plugins/x509
-@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_37 = plugins/x509/libstrongswan-x509.la
-@USE_REVOCATION_TRUE@am__append_38 = plugins/revocation
-@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_39 = plugins/revocation/libstrongswan-revocation.la
-@USE_CONSTRAINTS_TRUE@am__append_40 = plugins/constraints
-@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_41 = plugins/constraints/libstrongswan-constraints.la
-@USE_PUBKEY_TRUE@am__append_42 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_43 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_44 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_45 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PKCS8_TRUE@am__append_46 = plugins/pkcs8
-@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_47 = plugins/pkcs8/libstrongswan-pkcs8.la
-@USE_PGP_TRUE@am__append_48 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_49 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_50 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_51 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_PEM_TRUE@am__append_52 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_53 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_54 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_55 = plugins/curl/libstrongswan-curl.la
-@USE_SOUP_TRUE@am__append_56 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_57 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_58 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_59 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_60 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_61 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_62 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_63 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_64 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_65 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_66 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_67 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_68 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_69 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_70 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_71 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_72 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_73 = plugins/agent/libstrongswan-agent.la
-@USE_PKCS11_TRUE@am__append_74 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_75 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_76 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_77 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_78 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_79 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_80 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_81 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_82 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_83 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_RDRAND_TRUE@am__append_26 = plugins/rdrand
+@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_27 = plugins/rdrand/libstrongswan-rdrand.la
+@USE_RANDOM_TRUE@am__append_28 = plugins/random
+@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_29 = plugins/random/libstrongswan-random.la
+@USE_NONCE_TRUE@am__append_30 = plugins/nonce
+@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_31 = plugins/nonce/libstrongswan-nonce.la
+@USE_HMAC_TRUE@am__append_32 = plugins/hmac
+@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_33 = plugins/hmac/libstrongswan-hmac.la
+@USE_CMAC_TRUE@am__append_34 = plugins/cmac
+@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_35 = plugins/cmac/libstrongswan-cmac.la
+@USE_XCBC_TRUE@am__append_36 = plugins/xcbc
+@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_37 = plugins/xcbc/libstrongswan-xcbc.la
+@USE_X509_TRUE@am__append_38 = plugins/x509
+@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_39 = plugins/x509/libstrongswan-x509.la
+@USE_REVOCATION_TRUE@am__append_40 = plugins/revocation
+@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_41 = plugins/revocation/libstrongswan-revocation.la
+@USE_CONSTRAINTS_TRUE@am__append_42 = plugins/constraints
+@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_43 = plugins/constraints/libstrongswan-constraints.la
+@USE_PUBKEY_TRUE@am__append_44 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_45 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_46 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_47 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PKCS7_TRUE@am__append_48 = plugins/pkcs7
+@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_49 = plugins/pkcs7/libstrongswan-pkcs7.la
+@USE_PKCS8_TRUE@am__append_50 = plugins/pkcs8
+@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_51 = plugins/pkcs8/libstrongswan-pkcs8.la
+@USE_PGP_TRUE@am__append_52 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_53 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_54 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_55 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_PEM_TRUE@am__append_56 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_57 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_58 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_59 = plugins/curl/libstrongswan-curl.la
+@USE_SOUP_TRUE@am__append_60 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_61 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_62 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_63 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_64 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_65 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_66 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_67 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_68 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_69 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_70 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_71 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_72 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_73 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_74 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_75 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_76 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_77 = plugins/agent/libstrongswan-agent.la
+@USE_PKCS11_TRUE@am__append_78 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_79 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_80 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_81 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_82 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_83 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_84 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_85 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_86 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_87 = plugins/test_vectors/libstrongswan-test-vectors.la
subdir = src/libstrongswan
DIST_COMMON = $(am__nobase_strongswan_include_HEADERS_DIST) \
$(srcdir)/Makefile.am $(srcdir)/Makefile.in
@@ -158,6 +162,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
"$(DESTDIR)$(strongswan_includedir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
@@ -178,13 +188,14 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__append_61) $(am__append_63) $(am__append_65) \
$(am__append_67) $(am__append_69) $(am__append_71) \
$(am__append_73) $(am__append_75) $(am__append_77) \
- $(am__append_79) $(am__append_81) $(am__append_83)
-am__libstrongswan_la_SOURCES_DIST = library.c chunk.c debug.c enum.c \
- settings.c printf_hook.c asn1/asn1.c asn1/asn1_parser.c \
- asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
- crypto/crypters/crypter.c crypto/hashers/hasher.c \
- crypto/pkcs7.c crypto/pkcs9.c \
- crypto/proposal/proposal_keywords.c \
+ $(am__append_79) $(am__append_81) $(am__append_83) \
+ $(am__append_85) $(am__append_87)
+am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
+ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
+ bio/bio_writer.c collections/blocking_queue.c \
+ collections/enumerator.c collections/hashtable.c \
+ collections/linked_list.c crypto/crypters/crypter.c \
+ crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/rngs/rng.c crypto/prf_plus.c \
crypto/signers/signer.c crypto/signers/mac_signer.c \
@@ -196,6 +207,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c chunk.c debug.c enum.c \
credentials/certificates/certificate.c \
credentials/certificates/crl.c \
credentials/certificates/ocsp_response.c \
+ credentials/containers/container.c \
credentials/ietf_attributes/ietf_attributes.c \
credentials/credential_manager.c \
credentials/sets/auth_cfg_wrapper.c \
@@ -204,39 +216,41 @@ am__libstrongswan_la_SOURCES_DIST = library.c chunk.c debug.c enum.c \
credentials/sets/callback_cred.c credentials/auth_cfg.c \
database/database.c database/database_factory.c \
fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
- ipsec/ipsec_types.c pen/pen.c plugins/plugin_loader.c \
+ ipsec/ipsec_types.c networking/host.c \
+ networking/host_resolver.c networking/packet.c \
+ networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
plugins/plugin_feature.c processing/jobs/job.c \
processing/jobs/callback_job.c processing/processor.c \
processing/scheduler.c selectors/traffic_selector.c \
threading/thread.c threading/thread_value.c threading/mutex.c \
threading/semaphore.c threading/rwlock.c threading/spinlock.c \
- utils.c utils/host.c utils/packet.c utils/identification.c \
- utils/lexparser.c utils/linked_list.c utils/blocking_queue.c \
- utils/hashtable.c utils/enumerator.c utils/optionsfrom.c \
- utils/capabilities.c utils/backtrace.c utils/tun_device.c \
- utils/leak_detective.c integrity_checker.c
+ utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
+ utils/identification.c utils/lexparser.c utils/optionsfrom.c \
+ utils/capabilities.c utils/backtrace.c utils/printf_hook.c \
+ utils/settings.c utils/leak_detective.c \
+ utils/integrity_checker.c
@USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
-am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
- settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
- bio_reader.lo bio_writer.lo crypter.lo hasher.lo pkcs7.lo \
- pkcs9.lo proposal_keywords.lo proposal_keywords_static.lo \
- prf.lo mac_prf.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
+am_libstrongswan_la_OBJECTS = library.lo asn1.lo asn1_parser.lo oid.lo \
+ bio_reader.lo bio_writer.lo blocking_queue.lo enumerator.lo \
+ hashtable.lo linked_list.lo crypter.lo hasher.lo \
+ proposal_keywords.lo proposal_keywords_static.lo prf.lo \
+ mac_prf.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
crypto_factory.lo crypto_tester.lo diffie_hellman.lo aead.lo \
transform.lo credential_factory.lo builder.lo cred_encoding.lo \
private_key.lo public_key.lo shared_key.lo certificate.lo \
- crl.lo ocsp_response.lo ietf_attributes.lo \
+ crl.lo ocsp_response.lo container.lo ietf_attributes.lo \
credential_manager.lo auth_cfg_wrapper.lo \
ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
callback_cred.lo auth_cfg.lo database.lo database_factory.lo \
- fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo pen.lo \
+ fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo host.lo \
+ host_resolver.lo packet.lo tun_device.lo pen.lo \
plugin_loader.lo plugin_feature.lo job.lo callback_job.lo \
processor.lo scheduler.lo traffic_selector.lo thread.lo \
thread_value.lo mutex.lo semaphore.lo rwlock.lo spinlock.lo \
- utils.lo host.lo packet.lo identification.lo lexparser.lo \
- linked_list.lo blocking_queue.lo hashtable.lo enumerator.lo \
- optionsfrom.lo capabilities.lo backtrace.lo tun_device.lo \
- $(am__objects_1) $(am__objects_2)
+ utils.lo chunk.lo debug.lo enum.lo identification.lo \
+ lexparser.lo optionsfrom.lo capabilities.lo backtrace.lo \
+ printf_hook.lo settings.lo $(am__objects_1) $(am__objects_2)
libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -260,11 +274,12 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
-am__nobase_strongswan_include_HEADERS_DIST = library.h chunk.h debug.h \
- enum.h settings.h printf_hook.h asn1/asn1.h asn1/asn1_parser.h \
- asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
- crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
- crypto/pkcs7.h crypto/pkcs9.h \
+am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
+ asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h \
+ bio/bio_writer.h collections/blocking_queue.h \
+ collections/enumerator.h collections/hashtable.h \
+ collections/linked_list.h crypto/crypters/crypter.h \
+ crypto/hashers/hasher.h crypto/mac.h \
crypto/proposal/proposal_keywords.h \
crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
@@ -282,6 +297,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h chunk.h debug.h \
credentials/certificates/ocsp_request.h \
credentials/certificates/ocsp_response.h \
credentials/certificates/pgp_certificate.h \
+ credentials/containers/container.h \
+ credentials/containers/pkcs7.h \
credentials/ietf_attributes/ietf_attributes.h \
credentials/credential_manager.h \
credentials/sets/auth_cfg_wrapper.h \
@@ -291,19 +308,20 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h chunk.h debug.h \
credentials/credential_set.h credentials/cert_validator.h \
database/database.h database/database_factory.h \
fetcher/fetcher.h fetcher/fetcher_manager.h eap/eap.h \
- pen/pen.h ipsec/ipsec_types.h plugins/plugin_loader.h \
+ pen/pen.h ipsec/ipsec_types.h networking/host.h \
+ networking/host_resolver.h networking/packet.h \
+ networking/tun_device.h plugins/plugin_loader.h \
plugins/plugin.h plugins/plugin_feature.h \
processing/jobs/job.h processing/jobs/callback_job.h \
processing/processor.h processing/scheduler.h \
selectors/traffic_selector.h threading/thread.h \
threading/thread_value.h threading/mutex.h threading/condvar.h \
threading/spinlock.h threading/semaphore.h threading/rwlock.h \
- threading/rwlock_condvar.h threading/lock_profiler.h utils.h \
- utils/host.h utils/packet.h utils/identification.h \
- utils/lexparser.h utils/linked_list.h utils/blocking_queue.h \
- utils/hashtable.h utils/enumerator.h utils/optionsfrom.h \
- utils/capabilities.h utils/backtrace.h utils/tun_device.h \
- utils/leak_detective.h integrity_checker.h
+ threading/rwlock_condvar.h threading/lock_profiler.h \
+ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h \
+ utils/identification.h utils/lexparser.h utils/optionsfrom.h \
+ utils/capabilities.h utils/backtrace.h utils/leak_detective.h \
+ utils/printf_hook.h utils/settings.h utils/integrity_checker.h
HEADERS = $(nobase_strongswan_include_HEADERS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
@@ -314,14 +332,15 @@ ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \
- plugins/sha2 plugins/gmp plugins/random plugins/nonce \
- plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \
- plugins/revocation plugins/constraints plugins/pubkey \
- plugins/pkcs1 plugins/pkcs8 plugins/pgp plugins/dnskey \
- plugins/pem plugins/curl plugins/soup plugins/ldap \
- plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
- plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \
- plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors
+ plugins/sha2 plugins/gmp plugins/rdrand plugins/random \
+ plugins/nonce plugins/hmac plugins/cmac plugins/xcbc \
+ plugins/x509 plugins/revocation plugins/constraints \
+ plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
+ plugins/pgp plugins/dnskey plugins/pem plugins/curl \
+ plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
+ plugins/padlock plugins/openssl plugins/gcrypt \
+ plugins/fips_prf plugins/agent plugins/pkcs11 plugins/ctr \
+ plugins/ccm plugins/gcm plugins/test_vectors
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -367,6 +386,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -394,6 +414,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -421,6 +442,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -433,6 +455,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -486,7 +509,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -534,10 +556,11 @@ urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
ipseclib_LTLIBRARIES = libstrongswan.la
-libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
- printf_hook.c asn1/asn1.c asn1/asn1_parser.c asn1/oid.c \
- bio/bio_reader.c bio/bio_writer.c crypto/crypters/crypter.c \
- crypto/hashers/hasher.c crypto/pkcs7.c crypto/pkcs9.c \
+libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
+ asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+ collections/blocking_queue.c collections/enumerator.c \
+ collections/hashtable.c collections/linked_list.c \
+ crypto/crypters/crypter.c crypto/hashers/hasher.c \
crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/rngs/rng.c crypto/prf_plus.c \
@@ -550,6 +573,7 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
credentials/certificates/certificate.c \
credentials/certificates/crl.c \
credentials/certificates/ocsp_response.c \
+ credentials/containers/container.c \
credentials/ietf_attributes/ietf_attributes.c \
credentials/credential_manager.c \
credentials/sets/auth_cfg_wrapper.c \
@@ -558,24 +582,26 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
credentials/sets/callback_cred.c credentials/auth_cfg.c \
database/database.c database/database_factory.c \
fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
- ipsec/ipsec_types.c pen/pen.c plugins/plugin_loader.c \
+ ipsec/ipsec_types.c networking/host.c \
+ networking/host_resolver.c networking/packet.c \
+ networking/tun_device.c pen/pen.c plugins/plugin_loader.c \
plugins/plugin_feature.c processing/jobs/job.c \
processing/jobs/callback_job.c processing/processor.c \
processing/scheduler.c selectors/traffic_selector.c \
threading/thread.c threading/thread_value.c threading/mutex.c \
threading/semaphore.c threading/rwlock.c threading/spinlock.c \
- utils.c utils/host.c utils/packet.c utils/identification.c \
- utils/lexparser.c utils/linked_list.c utils/blocking_queue.c \
- utils/hashtable.c utils/enumerator.c utils/optionsfrom.c \
- utils/capabilities.c utils/backtrace.c utils/tun_device.c \
- $(am__append_2) $(am__append_5)
+ utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
+ utils/identification.c utils/lexparser.c utils/optionsfrom.c \
+ utils/capabilities.c utils/backtrace.c utils/printf_hook.c \
+ utils/settings.c $(am__append_2) $(am__append_5)
@USE_DEV_HEADERS_TRUE@strongswan_includedir = ${dev_headers}
@USE_DEV_HEADERS_TRUE@nobase_strongswan_include_HEADERS = \
-@USE_DEV_HEADERS_TRUE@library.h chunk.h debug.h enum.h settings.h printf_hook.h \
+@USE_DEV_HEADERS_TRUE@library.h \
@USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
+@USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
+@USE_DEV_HEADERS_TRUE@collections/linked_list.h \
@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
-@USE_DEV_HEADERS_TRUE@crypto/pkcs7.h crypto/pkcs9.h crypto/proposal/proposal_keywords.h \
-@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords_static.h \
+@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
@USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
@USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
@USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
@@ -588,6 +614,7 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
@USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
@USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \
@USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
+@USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
@USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \
@USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
@USE_DEV_HEADERS_TRUE@credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
@@ -595,16 +622,17 @@ libstrongswan_la_SOURCES = library.c chunk.c debug.c enum.c settings.c \
@USE_DEV_HEADERS_TRUE@credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
@USE_DEV_HEADERS_TRUE@database/database.h database/database_factory.h fetcher/fetcher.h \
@USE_DEV_HEADERS_TRUE@fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+@USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \
+@USE_DEV_HEADERS_TRUE@networking/tun_device.h \
@USE_DEV_HEADERS_TRUE@plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
@USE_DEV_HEADERS_TRUE@processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
@USE_DEV_HEADERS_TRUE@processing/scheduler.h selectors/traffic_selector.h \
@USE_DEV_HEADERS_TRUE@threading/thread.h threading/thread_value.h \
@USE_DEV_HEADERS_TRUE@threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
@USE_DEV_HEADERS_TRUE@threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
-@USE_DEV_HEADERS_TRUE@utils.h utils/host.h utils/packet.h utils/identification.h utils/lexparser.h \
-@USE_DEV_HEADERS_TRUE@utils/linked_list.h utils/blocking_queue.h utils/hashtable.h utils/enumerator.h \
-@USE_DEV_HEADERS_TRUE@utils/optionsfrom.h utils/capabilities.h utils/backtrace.h utils/tun_device.h \
-@USE_DEV_HEADERS_TRUE@utils/leak_detective.h integrity_checker.h
+@USE_DEV_HEADERS_TRUE@utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
+@USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
+@USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
$(RTLIB) $(BFDLIB) $(am__append_6) $(am__append_7) \
@@ -620,7 +648,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
$(am__append_63) $(am__append_65) $(am__append_67) \
$(am__append_69) $(am__append_71) $(am__append_73) \
$(am__append_75) $(am__append_77) $(am__append_79) \
- $(am__append_81) $(am__append_83)
+ $(am__append_81) $(am__append_83) $(am__append_85) \
+ $(am__append_87)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
@@ -658,7 +687,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
@MONOLITHIC_FALSE@ $(am__append_68) $(am__append_70) \
@MONOLITHIC_FALSE@ $(am__append_72) $(am__append_74) \
@MONOLITHIC_FALSE@ $(am__append_76) $(am__append_78) \
-@MONOLITHIC_FALSE@ $(am__append_80) $(am__append_82)
+@MONOLITHIC_FALSE@ $(am__append_80) $(am__append_82) \
+@MONOLITHIC_FALSE@ $(am__append_84) $(am__append_86)
# build plugins with their own Makefile
#######################################
@@ -680,7 +710,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
@MONOLITHIC_TRUE@ $(am__append_68) $(am__append_70) \
@MONOLITHIC_TRUE@ $(am__append_72) $(am__append_74) \
@MONOLITHIC_TRUE@ $(am__append_76) $(am__append_78) \
-@MONOLITHIC_TRUE@ $(am__append_80) $(am__append_82)
+@MONOLITHIC_TRUE@ $(am__append_80) $(am__append_82) \
+@MONOLITHIC_TRUE@ $(am__append_84) $(am__append_86)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -747,7 +778,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES)
+libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) $(EXTRA_libstrongswan_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -772,6 +803,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/container.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cred_encoding.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_factory.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@
@@ -791,6 +823,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host_resolver.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
@@ -810,8 +843,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_feature.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_loader.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
@@ -893,6 +924,34 @@ bio_writer.lo: bio/bio_writer.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
+blocking_queue.lo: collections/blocking_queue.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='collections/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+
+enumerator.lo: collections/enumerator.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='collections/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+
+hashtable.lo: collections/hashtable.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='collections/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+
+linked_list.lo: collections/linked_list.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='collections/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+
crypter.lo: crypto/crypters/crypter.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
@@ -907,20 +966,6 @@ hasher.lo: crypto/hashers/hasher.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
-pkcs7.lo: crypto/pkcs7.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.lo -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/pkcs7.c' object='pkcs7.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c
-
-pkcs9.lo: crypto/pkcs9.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs9.lo -MD -MP -MF $(DEPDIR)/pkcs9.Tpo -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pkcs9.Tpo $(DEPDIR)/pkcs9.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/pkcs9.c' object='pkcs9.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
-
proposal_keywords.lo: crypto/proposal/proposal_keywords.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
@@ -1075,6 +1120,13 @@ ocsp_response.lo: credentials/certificates/ocsp_response.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+container.lo: credentials/containers/container.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT container.lo -MD -MP -MF $(DEPDIR)/container.Tpo -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/container.Tpo $(DEPDIR)/container.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/containers/container.c' object='container.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+
ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
@@ -1173,6 +1225,34 @@ ipsec_types.lo: ipsec/ipsec_types.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
+host.lo: networking/host.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='networking/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+
+host_resolver.lo: networking/host_resolver.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host_resolver.lo -MD -MP -MF $(DEPDIR)/host_resolver.Tpo -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/host_resolver.Tpo $(DEPDIR)/host_resolver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='networking/host_resolver.c' object='host_resolver.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+
+packet.lo: networking/packet.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='networking/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+
+tun_device.lo: networking/tun_device.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='networking/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+
pen.lo: pen/pen.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pen.lo -MD -MP -MF $(DEPDIR)/pen.Tpo -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pen.Tpo $(DEPDIR)/pen.Plo
@@ -1271,19 +1351,33 @@ spinlock.lo: threading/spinlock.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
-host.lo: utils/host.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+utils.lo: utils/utils.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT utils.lo -MD -MP -MF $(DEPDIR)/utils.Tpo -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/utils.Tpo $(DEPDIR)/utils.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/utils.c' object='utils.lo' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
-packet.lo: utils/packet.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'utils/packet.c' || echo '$(srcdir)/'`utils/packet.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+chunk.lo: utils/chunk.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT chunk.lo -MD -MP -MF $(DEPDIR)/chunk.Tpo -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/chunk.Tpo $(DEPDIR)/chunk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/chunk.c' object='chunk.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+
+debug.lo: utils/debug.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT debug.lo -MD -MP -MF $(DEPDIR)/debug.Tpo -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/debug.Tpo $(DEPDIR)/debug.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/debug.c' object='debug.lo' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'utils/packet.c' || echo '$(srcdir)/'`utils/packet.c
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+
+enum.lo: utils/enum.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enum.lo -MD -MP -MF $(DEPDIR)/enum.Tpo -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/enum.Tpo $(DEPDIR)/enum.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/enum.c' object='enum.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
identification.lo: utils/identification.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
@@ -1299,34 +1393,6 @@ lexparser.lo: utils/lexparser.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
-linked_list.lo: utils/linked_list.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
-
-blocking_queue.lo: utils/blocking_queue.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'utils/blocking_queue.c' || echo '$(srcdir)/'`utils/blocking_queue.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'utils/blocking_queue.c' || echo '$(srcdir)/'`utils/blocking_queue.c
-
-hashtable.lo: utils/hashtable.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
-
-enumerator.lo: utils/enumerator.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
-
optionsfrom.lo: utils/optionsfrom.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
@@ -1348,12 +1414,19 @@ backtrace.lo: utils/backtrace.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
-tun_device.lo: utils/tun_device.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'utils/tun_device.c' || echo '$(srcdir)/'`utils/tun_device.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
+printf_hook.lo: utils/printf_hook.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT printf_hook.lo -MD -MP -MF $(DEPDIR)/printf_hook.Tpo -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/printf_hook.Tpo $(DEPDIR)/printf_hook.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/printf_hook.c' object='printf_hook.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+
+settings.lo: utils/settings.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT settings.lo -MD -MP -MF $(DEPDIR)/settings.Tpo -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/settings.Tpo $(DEPDIR)/settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/settings.c' object='settings.lo' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'utils/tun_device.c' || echo '$(srcdir)/'`utils/tun_device.c
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
leak_detective.lo: utils/leak_detective.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
@@ -1362,6 +1435,13 @@ leak_detective.lo: utils/leak_detective.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+integrity_checker.lo: utils/integrity_checker.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT integrity_checker.lo -MD -MP -MF $(DEPDIR)/integrity_checker.Tpo -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/integrity_checker.Tpo $(DEPDIR)/integrity_checker.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/integrity_checker.c' object='integrity_checker.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+
mostlyclean-libtool:
-rm -f *.lo
@@ -1387,9 +1467,7 @@ uninstall-nobase_strongswan_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(strongswan_includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(strongswan_includedir)" && rm -f $$files
+ dir='$(DESTDIR)$(strongswan_includedir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
@@ -1604,10 +1682,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index c9f6fce25..f438cb20e 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -19,7 +19,7 @@
#include <string.h>
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "oid.h"
#include "asn1.h"
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 40e11b321..c31fb75f0 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -19,7 +19,7 @@
#include <string.h>
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "asn1.h"
#include "asn1_parser.h"
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index b21299620..ec60be811 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -333,11 +333,11 @@ const oid_t oid_names[] = {
{ 0x25, 321, 0, 4, "sect409r1" }, /* 320 */
{ 0x26, 322, 0, 4, "sect571k1" }, /* 321 */
{ 0x27, 0, 0, 4, "sect571r1" }, /* 322 */
- {0x60, 369, 1, 0, "" }, /* 323 */
+ {0x60, 371, 1, 0, "" }, /* 323 */
{ 0x86, 0, 1, 1, "" }, /* 324 */
{ 0x48, 0, 1, 2, "" }, /* 325 */
{ 0x01, 0, 1, 3, "organization" }, /* 326 */
- { 0x65, 345, 1, 4, "gov" }, /* 327 */
+ { 0x65, 347, 1, 4, "gov" }, /* 327 */
{ 0x03, 0, 1, 5, "csor" }, /* 328 */
{ 0x04, 0, 1, 6, "nistalgorithm" }, /* 329 */
{ 0x01, 340, 1, 7, "aes" }, /* 330 */
@@ -354,37 +354,39 @@ const oid_t oid_names[] = {
{ 0x01, 342, 0, 8, "id-SHA-256" }, /* 341 */
{ 0x02, 343, 0, 8, "id-SHA-384" }, /* 342 */
{ 0x03, 344, 0, 8, "id-SHA-512" }, /* 343 */
- { 0x04, 0, 0, 8, "id-SHA-224" }, /* 344 */
- { 0x86, 0, 1, 4, "" }, /* 345 */
- { 0xf8, 0, 1, 5, "" }, /* 346 */
- { 0x42, 359, 1, 6, "netscape" }, /* 347 */
- { 0x01, 354, 1, 7, "" }, /* 348 */
- { 0x01, 350, 0, 8, "nsCertType" }, /* 349 */
- { 0x03, 351, 0, 8, "nsRevocationUrl" }, /* 350 */
- { 0x04, 352, 0, 8, "nsCaRevocationUrl" }, /* 351 */
- { 0x08, 353, 0, 8, "nsCaPolicyUrl" }, /* 352 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 353 */
- { 0x03, 357, 1, 7, "directory" }, /* 354 */
- { 0x01, 0, 1, 8, "" }, /* 355 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 356 */
- { 0x04, 0, 1, 7, "policy" }, /* 357 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 358 */
- { 0x45, 0, 1, 6, "verisign" }, /* 359 */
- { 0x01, 0, 1, 7, "pki" }, /* 360 */
- { 0x09, 0, 1, 8, "attributes" }, /* 361 */
- { 0x02, 363, 0, 9, "messageType" }, /* 362 */
- { 0x03, 364, 0, 9, "pkiStatus" }, /* 363 */
- { 0x04, 365, 0, 9, "failInfo" }, /* 364 */
- { 0x05, 366, 0, 9, "senderNonce" }, /* 365 */
- { 0x06, 367, 0, 9, "recipientNonce" }, /* 366 */
- { 0x07, 368, 0, 9, "transID" }, /* 367 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 368 */
- {0x67, 0, 1, 0, "" }, /* 369 */
- { 0x81, 0, 1, 1, "" }, /* 370 */
- { 0x05, 0, 1, 2, "" }, /* 371 */
- { 0x02, 0, 1, 3, "tcg-attribute" }, /* 372 */
- { 0x01, 374, 0, 4, "tcg-at-tpmManufacturer" }, /* 373 */
- { 0x02, 375, 0, 4, "tcg-at-tpmModel" }, /* 374 */
- { 0x03, 376, 0, 4, "tcg-at-tpmVersion" }, /* 375 */
- { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 376 */
+ { 0x04, 345, 0, 8, "id-SHA-224" }, /* 344 */
+ { 0x05, 346, 0, 8, "id-SHA-512-224" }, /* 345 */
+ { 0x06, 0, 0, 8, "id-SHA-512-256" }, /* 346 */
+ { 0x86, 0, 1, 4, "" }, /* 347 */
+ { 0xf8, 0, 1, 5, "" }, /* 348 */
+ { 0x42, 361, 1, 6, "netscape" }, /* 349 */
+ { 0x01, 356, 1, 7, "" }, /* 350 */
+ { 0x01, 352, 0, 8, "nsCertType" }, /* 351 */
+ { 0x03, 353, 0, 8, "nsRevocationUrl" }, /* 352 */
+ { 0x04, 354, 0, 8, "nsCaRevocationUrl" }, /* 353 */
+ { 0x08, 355, 0, 8, "nsCaPolicyUrl" }, /* 354 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 355 */
+ { 0x03, 359, 1, 7, "directory" }, /* 356 */
+ { 0x01, 0, 1, 8, "" }, /* 357 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 358 */
+ { 0x04, 0, 1, 7, "policy" }, /* 359 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 360 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 361 */
+ { 0x01, 0, 1, 7, "pki" }, /* 362 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 363 */
+ { 0x02, 365, 0, 9, "messageType" }, /* 364 */
+ { 0x03, 366, 0, 9, "pkiStatus" }, /* 365 */
+ { 0x04, 367, 0, 9, "failInfo" }, /* 366 */
+ { 0x05, 368, 0, 9, "senderNonce" }, /* 367 */
+ { 0x06, 369, 0, 9, "recipientNonce" }, /* 368 */
+ { 0x07, 370, 0, 9, "transID" }, /* 369 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 370 */
+ {0x67, 0, 1, 0, "" }, /* 371 */
+ { 0x81, 0, 1, 1, "" }, /* 372 */
+ { 0x05, 0, 1, 2, "" }, /* 373 */
+ { 0x02, 0, 1, 3, "tcg-attribute" }, /* 374 */
+ { 0x01, 376, 0, 4, "tcg-at-tpmManufacturer" }, /* 375 */
+ { 0x02, 377, 0, 4, "tcg-at-tpmModel" }, /* 376 */
+ { 0x03, 378, 0, 4, "tcg-at-tpmVersion" }, /* 377 */
+ { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 378 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 5e30a3675..d9838ccd8 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -205,22 +205,22 @@ extern const oid_t oid_names[];
#define OID_SHA384 342
#define OID_SHA512 343
#define OID_SHA224 344
-#define OID_NS_REVOCATION_URL 350
-#define OID_NS_CA_REVOCATION_URL 351
-#define OID_NS_CA_POLICY_URL 352
-#define OID_NS_COMMENT 353
-#define OID_EMPLOYEE_NUMBER 356
-#define OID_PKI_MESSAGE_TYPE 362
-#define OID_PKI_STATUS 363
-#define OID_PKI_FAIL_INFO 364
-#define OID_PKI_SENDER_NONCE 365
-#define OID_PKI_RECIPIENT_NONCE 366
-#define OID_PKI_TRANS_ID 367
-#define OID_TPM_MANUFACTURER 373
-#define OID_TPM_MODEL 374
-#define OID_TPM_VERSION 375
-#define OID_TPM_ID_LABEL 376
+#define OID_NS_REVOCATION_URL 352
+#define OID_NS_CA_REVOCATION_URL 353
+#define OID_NS_CA_POLICY_URL 354
+#define OID_NS_COMMENT 355
+#define OID_EMPLOYEE_NUMBER 358
+#define OID_PKI_MESSAGE_TYPE 364
+#define OID_PKI_STATUS 365
+#define OID_PKI_FAIL_INFO 366
+#define OID_PKI_SENDER_NONCE 367
+#define OID_PKI_RECIPIENT_NONCE 368
+#define OID_PKI_TRANS_ID 369
+#define OID_TPM_MANUFACTURER 375
+#define OID_TPM_MODEL 376
+#define OID_TPM_VERSION 377
+#define OID_TPM_ID_LABEL 378
-#define OID_MAX 377
+#define OID_MAX 379
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 51a29eb33..c4677a537 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -343,6 +343,8 @@
0x02 "id-SHA-384" OID_SHA384
0x03 "id-SHA-512" OID_SHA512
0x04 "id-SHA-224" OID_SHA224
+ 0x05 "id-SHA-512-224"
+ 0x06 "id-SHA-512-256"
0x86 ""
0xf8 ""
0x42 "netscape"
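Review bot: The two added rows, `id-SHA-512-224` and `id-SHA-512-256`, carry no symbol in the third column, unlike the `id-SHA-224` row just above them (`OID_SHA224`). The oid.h hunk in this commit accordingly gains no define between `OID_SHA224 344` and `OID_NS_REVOCATION_URL 352`. As far as this table shows, the new names can be printed but code cannot select them by constant. If that is deliberate it deserves a sentence in the commit message; otherwise give both rows a symbol in the style of the neighbouring SHA-2 entries.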
diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
index 3a62bb541..17815d6c0 100644
--- a/src/libstrongswan/bio/bio_reader.c
+++ b/src/libstrongswan/bio/bio_reader.c
@@ -18,7 +18,7 @@
#include "bio_reader.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_bio_reader_t private_bio_reader_t;
diff --git a/src/libstrongswan/bio/bio_writer.h b/src/libstrongswan/bio/bio_writer.h
index 57a5c3d38..2ac4f3556 100644
--- a/src/libstrongswan/bio/bio_writer.h
+++ b/src/libstrongswan/bio/bio_writer.h
@@ -126,8 +126,11 @@ struct bio_writer_t {
void (*wrap32)(bio_writer_t *this);
/**
- * Skips len bytes in the buffer before the next data is written, returns
- * a chunk covering the skipped bytes.
+ * Skips len bytes in the buffer, return chunk of skipped data.
+ *
+ * The returned chunk is not valid after calling any other writer function
+ * (except get_buf()), because a buffer reallocation might move the
+ * internal buffer to a different memory location!
*
* @param len number of bytes to skip
* @return chunk pointing to skipped bytes in the internal buffer
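Review bot: The lifetime warning added to the description is not carried into the `@return` line, which still promises only a "chunk pointing to skipped bytes in the internal buffer". A reader who checks only the parameter block will miss that the pointer can dangle once the buffer is reallocated. I would change it to `@return chunk pointing to skipped bytes, valid only until the next writer call other than get_buf()`, and fix the grammar of the first sentence to "returns a chunk of the skipped data". The comment could also state what a caller should do instead, presumably fill the skipped bytes before writing anything else. The enclosing struct bio_writer_t starts and ends outside this hunk.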
diff --git a/src/libstrongswan/utils/blocking_queue.c b/src/libstrongswan/collections/blocking_queue.c
index c70184198..da3356970 100644
--- a/src/libstrongswan/utils/blocking_queue.c
+++ b/src/libstrongswan/collections/blocking_queue.c
@@ -20,7 +20,7 @@
#include <threading/mutex.h>
#include <threading/thread.h>
#include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_blocking_queue_t private_blocking_queue_t;
diff --git a/src/libstrongswan/utils/blocking_queue.h b/src/libstrongswan/collections/blocking_queue.h
index cf2712cf4..9b014f719 100644
--- a/src/libstrongswan/utils/blocking_queue.h
+++ b/src/libstrongswan/collections/blocking_queue.h
@@ -17,7 +17,7 @@
/**
* @defgroup blocking_queue blocking_queue
- * @{ @ingroup utils
+ * @{ @ingroup collections
*/
#ifndef BLOCKING_QUEUE_H_
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/collections/enumerator.c
index 53c94f9dd..f80cdabd2 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/collections/enumerator.c
@@ -25,7 +25,7 @@
#include <errno.h>
#include <string.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* Implementation of enumerator_create_empty().enumerate
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/collections/enumerator.h
index 8c3d70173..299373a3e 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/collections/enumerator.h
@@ -15,7 +15,7 @@
/**
* @defgroup enumerator enumerator
- * @{ @ingroup utils
+ * @{ @ingroup collections
*/
#ifndef ENUMERATOR_H_
@@ -23,7 +23,7 @@
typedef struct enumerator_t enumerator_t;
-#include "../utils.h"
+#include <utils/utils.h>
/**
* Enumerator interface, allows enumeration over collections.
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/collections/hashtable.c
index d181d8ec8..d181d8ec8 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/collections/hashtable.c
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/collections/hashtable.h
index 0a21ca373..e38850ded 100644
--- a/src/libstrongswan/utils/hashtable.h
+++ b/src/libstrongswan/collections/hashtable.h
@@ -15,13 +15,13 @@
/**
* @defgroup hashtable hashtable
- * @{ @ingroup utils
+ * @{ @ingroup collections
*/
#ifndef HASHTABLE_H_
#define HASHTABLE_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct hashtable_t hashtable_t;
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/collections/linked_list.c
index 1ff80999b..1ff80999b 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/collections/linked_list.c
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/collections/linked_list.h
index 1b5518480..da539a231 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -17,7 +17,7 @@
/**
* @defgroup linked_list linked_list
- * @{ @ingroup utils
+ * @{ @ingroup collections
*/
#ifndef LINKED_LIST_H_
@@ -25,7 +25,7 @@
typedef struct linked_list_t linked_list_t;
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
/**
* Method to match elements in a linked list (used in find_* functions)
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 6ee4f9b6e..a718de3dc 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -17,8 +17,8 @@
#include "auth_cfg.h"
#include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
#include <eap/eap.h>
#include <credentials/certificates/certificate.h>
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 79484a04c..d87935589 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -22,7 +22,7 @@
#ifndef AUTH_CFG_H_
#define AUTH_CFG_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct auth_cfg_t auth_cfg_t;
typedef enum auth_rule_t auth_rule_t;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index d3157c80e..f5858382f 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -19,6 +19,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_FROM_FILE",
"BUILD_FROM_FD",
"BUILD_AGENT_SOCKET",
+ "BUILD_BLOB",
"BUILD_BLOB_ASN1_DER",
"BUILD_BLOB_PEM",
"BUILD_BLOB_PGP",
@@ -36,6 +37,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_NOT_AFTER_TIME",
"BUILD_SERIAL",
"BUILD_DIGEST_ALG",
+ "BUILD_ENCRYPTION_ALG",
"BUILD_IETF_GROUP_ATTR",
"BUILD_CA_CERT",
"BUILD_CERT",
@@ -53,6 +55,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_REVOKED_ENUMERATOR",
"BUILD_BASE_CRL",
"BUILD_CHALLENGE_PWD",
+ "BUILD_PKCS7_ATTRIBUTE",
"BUILD_PKCS11_MODULE",
"BUILD_PKCS11_SLOT",
"BUILD_PKCS11_KEYID",
@@ -64,6 +67,9 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_RSA_EXP1",
"BUILD_RSA_EXP2",
"BUILD_RSA_COEFF",
+ "BUILD_SAFE_PRIMES",
+ "BUILD_SHARES",
+ "BUILD_THRESHOLD",
"BUILD_END",
);
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 41250ccae..740041aac 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -49,6 +49,8 @@ enum builder_part_t {
BUILD_FROM_FD,
/** unix socket of a ssh/pgp agent, char* */
BUILD_AGENT_SOCKET,
+ /** An arbitrary blob of data, chunk_t */
+ BUILD_BLOB,
/** DER encoded ASN.1 blob, chunk_t */
BUILD_BLOB_ASN1_DER,
/** PEM encoded ASN.1/PGP blob, chunk_t */
@@ -81,8 +83,10 @@ enum builder_part_t {
BUILD_NOT_AFTER_TIME,
/** a serial number in binary form, chunk_t */
BUILD_SERIAL,
- /** digest algorithm to be used for signature, int */
+ /** digest algorithm to be used for signature, hash_algorithm_t */
BUILD_DIGEST_ALG,
+ /** encryption algorithm to use, encryption_algorithm_t */
+ BUILD_ENCRYPTION_ALG,
/** a comma-separated list of ietf group attributes, char* */
BUILD_IETF_GROUP_ATTR,
/** a ca certificate, certificate_t* */
@@ -117,6 +121,8 @@ enum builder_part_t {
BUILD_BASE_CRL,
/** PKCS#10 challenge password */
BUILD_CHALLENGE_PWD,
+ /** PKCS#7 attribute, int oid, chunk_t with ASN1 type encoded value */
+ BUILD_PKCS7_ATTRIBUTE,
/** friendly name of a PKCS#11 module, null terminated char* */
BUILD_PKCS11_MODULE,
/** slot specifier for a token in a PKCS#11 module, int */
@@ -139,6 +145,12 @@ enum builder_part_t {
BUILD_RSA_EXP2,
/** coefficient (coeff) of a RSA key, chunk_t */
BUILD_RSA_COEFF,
+ /** generate (p) and (q) as safe primes */
+ BUILD_SAFE_PRIMES,
+ /** number of private key shares */
+ BUILD_SHARES,
+ /** minimum number of participating private key shares */
+ BUILD_THRESHOLD,
/** end of variable argument builder list */
BUILD_END,
};
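Review bot: The comments added for `BUILD_SAFE_PRIMES`, `BUILD_SHARES` and `BUILD_THRESHOLD` do not name the argument type, unlike their neighbours (`chunk_t`, `int`, `char*`) and the `BUILD_ENCRYPTION_ALG` comment added earlier in this file. The `BUILD_END` comment says these parts are read from a variable argument list. A caller who guesses the wrong type, or guesses wrongly whether `BUILD_SAFE_PRIMES` takes a value at all, therefore misaligns the following arguments without any compiler diagnostic. Each comment should end with the type, in the form `/** number of private key shares, TYPE */` with the real type filled in, and `BUILD_SAFE_PRIMES` should say so explicitly if it takes no argument. enum builder_part_t begins outside this hunk.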
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 33ba4e907..bc4209ca7 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,7 +15,7 @@
#include "certificate.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 69bd80b84..09fd0bfc8 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
#include "crl.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
"unspecified",
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
index 9a4979757..2f35eb6a5 100644
--- a/src/libstrongswan/credentials/certificates/pkcs10.h
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -21,7 +21,7 @@
#ifndef PKCS10_H_
#define PKCS10_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <credentials/certificates/certificate.h>
typedef struct pkcs10_t pkcs10_t;
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 00171a718..4e8d4317f 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -21,7 +21,7 @@
#ifndef X509_H_
#define X509_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <credentials/certificates/certificate.h>
/* constraints are currently restricted to the range 0..127 */
diff --git a/src/libstrongswan/credentials/containers/container.c b/src/libstrongswan/credentials/containers/container.c
new file mode 100644
index 000000000..d1e67b21b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "container.h"
+
+ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS7_ENVELOPED_DATA,
+ "PKCS7",
+ "PKCS7_DATA",
+ "PKCS7_SIGNED_DATA",
+ "PKCS7_ENVELOPED_DATA",
+);
diff --git a/src/libstrongswan/credentials/containers/container.h b/src/libstrongswan/credentials/containers/container.h
new file mode 100644
index 000000000..fc5c09041
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup container container
+ * @{ @ingroup containers
+ */
+
+#ifndef CONTAINER_H_
+#define CONTAINER_H_
+
+typedef struct container_t container_t;
+typedef enum container_type_t container_type_t;
+
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
+
+/**
+ * Type of the container.
+ */
+enum container_type_t {
+ /** Any kind of PKCS7/CMS container */
+ CONTAINER_PKCS7,
+ /** PKCS7/CMS plain "data" */
+ CONTAINER_PKCS7_DATA,
+ /** PKCS7/CMS "signed-data" */
+ CONTAINER_PKCS7_SIGNED_DATA,
+ /** PKCS7/CMS "enveloped-data" */
+ CONTAINER_PKCS7_ENVELOPED_DATA,
+};
+
+/**
+ * Enum names for container_type_t
+ */
+extern enum_name_t *container_type_names;
+
+/**
+ * Generic interface for cryptographic containers.
+ */
+struct container_t {
+
+ /**
+ * Get the type of the container.
+ *
+ * @return container type
+ */
+ container_type_t (*get_type)(container_t *this);
+
+ /**
+ * Create an enumerator over trustchains for valid container signatures.
+ *
+ * @return enumerator over auth_cfg_t*
+ */
+ enumerator_t* (*create_signature_enumerator)(container_t *this);
+
+ /**
+ * Get signed/decrypted data wrapped in this container.
+ *
+ * This function does not verify any associated signatures, use
+ * create_signature_enumerator() to verify them.
+ *
+ * @param data allocated data wrapped in this container
+ * @return TRUE if data decrypted successfully
+ */
+ bool (*get_data)(container_t *this, chunk_t *data);
+
+ /**
+ * Get the encoding of the full signed/encrypted container.
+ *
+ * @param data allocated container encoding
+ * @return TRUE if encodign successful
+ */
+ bool (*get_encoding)(container_t *this, chunk_t *encoding);
+
+ /**
+ * Destroy a container_t.
+ */
+ void (*destroy)(container_t *this);
+};
+
+#endif /** CONTAINER_H_ @}*/
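Review bot: The doc block of `get_encoding` documents `@param data` although the parameter is named `encoding`, and its `@return` line has the typo "encodign". I would write `@param encoding allocated container encoding` and `@return TRUE if encoding successful`. The `@return` of `get_data` says only "TRUE if data decrypted successfully", although the method also serves plain and signed-data containers, so something like `@return TRUE if data could be extracted/decrypted` would describe it better. Since `get_data` returns content without checking signatures, the comment could state more firmly that the data must be treated as untrusted until `create_signature_enumerator()` has yielded at least one entry, and that enveloped-data presumably has no signature to check at all.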
diff --git a/src/libstrongswan/credentials/containers/pkcs7.h b/src/libstrongswan/credentials/containers/pkcs7.h
new file mode 100644
index 000000000..d42d82b0b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs7.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7 pkcs7
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS7_H_
+#define PKCS7_H_
+
+#include <credentials/containers/container.h>
+
+typedef struct pkcs7_t pkcs7_t;
+
+/**
+ * PKCS#7/CMS container type.
+ */
+struct pkcs7_t {
+
+ /**
+ * Implements container_t.
+ */
+ container_t container;
+
+ /**
+ * Get an authenticated PKCS#9 attribute from PKCS#7 signerInfo.
+ *
+ * To select the signerInfo structure to get the attribute from, pass
+ * the enumerator position from container_t.create_signature_enumerator().
+ *
+ * The attribute returned does not contain type information and must be
+ * freed after use.
+ *
+ * @param oid OID from the attribute to get
+ * @param enumerator enumerator to select signerInfo
+ * @param value chunk receiving attribute value, allocated
+ * @return TRUE if attribute found
+ */
+ bool (*get_attribute)(pkcs7_t *this, int oid, enumerator_t *enumerator,
+ chunk_t *value);
+
+ /**
+ * Create an enumerator over attached certificates.
+ *
+ * @return enumerator over certificate_t
+ */
+ enumerator_t* (*create_cert_enumerator)(pkcs7_t *this);
+};
+
+#endif /** PKCS7_H_ @}*/
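Review bot: The comment on `create_cert_enumerator` does not say whether the enumerated certificates have been validated, and a caller could read "attached certificates" as trusted. The implementation is not part of this file, but certificates embedded in a PKCS#7 container are normally sender-supplied, so I would add a line such as `* The certificates are taken from the container as-is and are not trust-checked.` if that matches the implementation. For `get_attribute`, the comment should state what is returned when `enumerator` was not created by this container's `create_signature_enumerator()` or has not been advanced yet. The attribute is "authenticated" only relative to the signerInfo the enumerator currently points at.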
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 4865984dd..53ac13cbb 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -17,8 +17,8 @@
#include <stdint.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
#include <threading/rwlock.h>
typedef struct private_cred_encoding_t private_cred_encoding_t;
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index ff621012f..94c7820e1 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -17,17 +17,18 @@
#include "credential_factory.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/thread_value.h>
#include <threading/rwlock.h>
#include <credentials/certificates/x509.h>
+#include <credentials/containers/container.h>
-ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CONTAINER,
"CRED_PRIVATE_KEY",
"CRED_PUBLIC_KEY",
"CRED_CERTIFICATE",
- "CRED_PLUTO_CERT",
+ "CRED_CONTAINER",
);
typedef struct private_credential_factory_t private_credential_factory_t;
@@ -139,11 +140,21 @@ METHOD(credential_factory_t, create, void*,
if (!construct && !level)
{
- enum_name_t *names = key_type_names;
+ enum_name_t *names;
- if (type == CRED_CERTIFICATE)
+ switch (type)
{
- names = certificate_type_names;
+ case CRED_CERTIFICATE:
+ names = certificate_type_names;
+ break;
+ case CRED_CONTAINER:
+ names = container_type_names;
+ break;
+ case CRED_PRIVATE_KEY:
+ case CRED_PUBLIC_KEY:
+ default:
+ names = key_type_names;
+ break;
}
DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
credential_type_names, type, names, subtype, failures);
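Review bot: Listing `case CRED_PRIVATE_KEY:` and `case CRED_PUBLIC_KEY:` together with `default:` in the new switch is redundant, and the `default:` label suppresses the compiler's unhandled-enumerator warning when `credential_type_t` next grows. A later credential type would then be logged with `key_type_names`, printing a misleading subtype name in the "building %N - %N failed" message. I would either drop the two explicit key cases and keep only `default:`, or initialise `names = key_type_names;` before the switch and drop `default:`, so new enum values are flagged at compile time. The enclosing `create` method starts before this hunk and continues after it.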
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index c31601245..55b669529 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -28,6 +28,9 @@ typedef enum credential_type_t credential_type_t;
/**
* Kind of credential.
+ *
+ * While crypto containers are not really credentials, we still use the
+ * credential factory and builders create them.
*/
enum credential_type_t {
/** private key, implemented in private_key_t */
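Review bot: The sentence added to the `credential_type_t` comment reads as if a word is missing: "we still use the credential factory and builders create them". I would write `* credential factory and builders to create them.` so the comment says that containers are created through the same factory and builder mechanism. The enum body continues outside this hunk.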
@@ -36,6 +39,8 @@ enum credential_type_t {
CRED_PUBLIC_KEY,
/** certificates, implemented in certificate_t */
CRED_CERTIFICATE,
+ /** crypto container, implemented in container_t */
+ CRED_CONTAINER,
};
/**
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index a96abdc69..9e40c5a10 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -16,11 +16,11 @@
#include "credential_manager.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread_value.h>
#include <threading/mutex.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/sets/cert_cache.h>
#include <credentials/sets/auth_cfg_wrapper.h>
#include <credentials/certificates/x509.h>
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index d9a47b7d7..73c585734 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -24,7 +24,7 @@
typedef struct credential_manager_t credential_manager_t;
#include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <credentials/auth_cfg.h>
#include <credentials/credential_set.h>
#include <credentials/keys/private_key.h>
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index fb18fb53d..49af5a079 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -17,7 +17,7 @@
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/lexparser.h>
#include "ietf_attributes.h"
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index d00b8d12e..900c6613e 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -21,7 +21,7 @@
#ifndef SHARED_KEY_H_
#define SHARED_KEY_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <utils/identification.h>
typedef struct shared_key_t shared_key_t;
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 2cef23328..46bfb5c6e 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -15,7 +15,7 @@
*/
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "auth_cfg_wrapper.h"
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index a7d0ed8f9..e8f0e7ec0 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -20,7 +20,7 @@
#include <library.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/** cache size, a power of 2 for fast modulo */
#define CACHE_SIZE 32
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index e023e8443..d697a56ef 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -18,7 +18,7 @@
#include "mem_cred.h"
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_mem_cred_t private_mem_cred_t;
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index eb46b065b..20447207c 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -27,7 +27,7 @@ typedef struct mem_cred_t mem_cred_t;
#include <credentials/credential_set.h>
#include <credentials/certificates/crl.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* Generic in-memory credential set.
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index 02fb8d50a..32a0e6759 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -15,7 +15,7 @@
#include "aead.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_aead_t private_aead_t;
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 3736ae38f..5a363e9f0 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -15,9 +15,9 @@
#include "crypto_factory.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <crypto/crypto_tester.h>
const char *default_plugin_name = "default";
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 611ca0bbb..5d23c8977 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -24,6 +24,7 @@
typedef struct crypto_factory_t crypto_factory_t;
#include <library.h>
+#include <collections/enumerator.h>
#include <crypto/crypters/crypter.h>
#include <crypto/aead.h>
#include <crypto/signers/signer.h>
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 01e84a133..08b226468 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -20,8 +20,8 @@
#include "crypto_tester.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
typedef struct private_crypto_tester_t private_crypto_tester_t;
diff --git a/src/libstrongswan/crypto/nonce_gen.h b/src/libstrongswan/crypto/nonce_gen.h
index 50f3c0090..7dae4f776 100644
--- a/src/libstrongswan/crypto/nonce_gen.h
+++ b/src/libstrongswan/crypto/nonce_gen.h
@@ -35,7 +35,7 @@ struct nonce_gen_t {
*
* @param size size of nonce in bytes
* @param buffer pointer where the generated nonce will be written
- * @return TRUE if nonce allocation was succesful, FALSE otherwise
+ * @return TRUE if nonce allocation was successful, FALSE otherwise
*/
bool (*get_nonce)(nonce_gen_t *this, size_t size,
u_int8_t *buffer) __attribute__((warn_unused_result));
@@ -45,7 +45,7 @@ struct nonce_gen_t {
*
* @param size size of nonce in bytes
* @param chunk chunk which will hold the generated nonce
- * @return TRUE if nonce allocation was succesful, FALSE otherwise
+ * @return TRUE if nonce allocation was successful, FALSE otherwise
*/
bool (*allocate_nonce)(nonce_gen_t *this, size_t size,
chunk_t *chunk) __attribute__((warn_unused_result));
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
deleted file mode 100644
index 0ec19f2cd..000000000
--- a/src/libstrongswan/crypto/pkcs7.c
+++ /dev/null
@@ -1,1061 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2002-2008 Andreas Steffen
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/keys/public_key.h>
-#include <crypto/pkcs9.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-#include <utils/linked_list.h>
-
-#include "pkcs7.h"
-
-typedef struct private_pkcs7_t private_pkcs7_t;
-
-/**
- * Private data of a pkcs7_t object.
- */
-struct private_pkcs7_t {
- /**
- * Public interface for this certificate.
- */
- pkcs7_t public;
-
- /**
- * contentInfo type
- */
- int type;
-
- /**
- * ASN.1 encoded content
- */
- chunk_t content;
-
- /**
- * ASN.1 parsing start level
- */
- u_int level;
-
- /**
- * retrieved data
- */
- chunk_t data;
-
- /**
- * ASN.1 encoded attributes
- */
- pkcs9_t *attributes;
-
- /**
- * Linked list of X.509 certificates
- */
- linked_list_t *certs;
-};
-
-METHOD(pkcs7_t, is_data, bool,
- private_pkcs7_t *this)
-{
- return this->type == OID_PKCS7_DATA;
-}
-
-METHOD(pkcs7_t, is_signedData, bool,
- private_pkcs7_t *this)
-{
- return this->type == OID_PKCS7_SIGNED_DATA;
-}
-
-METHOD(pkcs7_t, is_envelopedData, bool,
- private_pkcs7_t *this)
-{
- return this->type == OID_PKCS7_ENVELOPED_DATA;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 ContentInfo type
- */
-static const asn1Object_t contentInfoObjects[] = {
- { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
- { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
- ASN1_BODY }, /* 2 */
- { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PKCS7_INFO_TYPE 1
-#define PKCS7_INFO_CONTENT 2
-
-/**
- * Parse PKCS#7 contentInfo object
- */
-static bool parse_contentInfo(private_pkcs7_t *this)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
- bool success = FALSE;
-
- if (!this->data.ptr)
- {
- return FALSE;
- }
-
- parser = asn1_parser_create(contentInfoObjects, this->data);
- parser->set_top_level(parser, this->level);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- if (objectID == PKCS7_INFO_TYPE)
- {
- this->type = asn1_known_oid(object);
- if (this->type < OID_PKCS7_DATA ||
- this->type > OID_PKCS7_ENCRYPTED_DATA)
- {
- DBG1(DBG_LIB, "unknown pkcs7 content type");
- goto end;
- }
- }
- else if (objectID == PKCS7_INFO_CONTENT && object.len > 0)
- {
- chunk_free(&this->content);
- this->content = chunk_clone(object);
- }
- }
- success = parser->success(parser);
-
- if (success)
- {
- this->level += 2;
- chunk_free(&this->data);
- }
-
-end:
- parser->destroy(parser);
- return success;
-}
-
-/**
- * Check whether to abort the requested parsing
- */
-static bool abort_parsing(private_pkcs7_t *this, int type)
-{
- if (this->type != type)
- {
- DBG1(DBG_LIB, "pkcs7 content to be parsed is not of type '%s'",
- oid_names[type].name);
- return TRUE;
- }
- return FALSE;
-}
-
-METHOD(pkcs7_t, parse_data, bool,
- private_pkcs7_t *this)
-{
- chunk_t data;
-
- if (!parse_contentInfo(this) ||
- abort_parsing(this, OID_PKCS7_DATA))
- {
- return FALSE;
- }
- data = this->content;
- if (data.len == 0)
- {
- this->data = chunk_empty;
- return TRUE;
- }
- if (asn1_parse_simple_object(&data, ASN1_OCTET_STRING,
- this->level, "data"))
- {
- this->data = chunk_clone(data);
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 signedData type
- */
-static const asn1Object_t signedDataObjects[] = {
- { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
- { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
- { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
- { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
- { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
- ASN1_LOOP }, /* 6 */
- { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
- { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
- { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
- ASN1_LOOP }, /* 9 */
- { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
- { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
- { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
- { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
- { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
- { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
- { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
- { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
- { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
- { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
- ASN1_OBJ }, /* 19 */
- { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
- { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
- { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
- { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
- { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PKCS7_SIGNED_VERSION 1
-#define PKCS7_DIGEST_ALG 3
-#define PKCS7_SIGNED_CONTENT_INFO 5
-#define PKCS7_SIGNED_CERT 7
-#define PKCS7_SIGNER_INFO 13
-#define PKCS7_SIGNER_INFO_VERSION 14
-#define PKCS7_SIGNED_ISSUER 16
-#define PKCS7_SIGNED_SERIAL_NUMBER 17
-#define PKCS7_DIGEST_ALGORITHM 18
-#define PKCS7_AUTH_ATTRIBUTES 19
-#define PKCS7_DIGEST_ENC_ALGORITHM 21
-#define PKCS7_ENCRYPTED_DIGEST 22
-
-METHOD(pkcs7_t, parse_signedData, bool,
- private_pkcs7_t *this, certificate_t *cacert)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID, version;
- int digest_alg = OID_UNKNOWN;
- int enc_alg = OID_UNKNOWN;
- int signerInfos = 0;
- bool success = FALSE;
-
- chunk_t encrypted_digest = chunk_empty;
-
- if (!parse_contentInfo(this) ||
- abort_parsing(this, OID_PKCS7_SIGNED_DATA))
- {
- return FALSE;
- }
-
- parser = asn1_parser_create(signedDataObjects, this->content);
- parser->set_top_level(parser, this->level);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- u_int level = parser->get_level(parser);
-
- switch (objectID)
- {
- case PKCS7_SIGNED_VERSION:
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- break;
- case PKCS7_DIGEST_ALG:
- digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- break;
- case PKCS7_SIGNED_CONTENT_INFO:
- {
- pkcs7_t *data = pkcs7_create_from_chunk(object, level+1);
-
- if (!data || !data->parse_data(data))
- {
- DESTROY_IF(data);
- goto end;
- }
- this->data = chunk_clone(data->get_data(data));
- data->destroy(data);
- break;
- }
- case PKCS7_SIGNED_CERT:
- {
- certificate_t *cert;
-
- DBG2(DBG_LIB, " parsing pkcs7-wrapped certificate");
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, object,
- BUILD_END);
- if (cert)
- {
- this->certs->insert_last(this->certs, cert);
- }
- break;
- }
- case PKCS7_SIGNER_INFO:
- signerInfos++;
- DBG2(DBG_LIB, " signer #%d", signerInfos);
- break;
- case PKCS7_SIGNER_INFO_VERSION:
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- break;
- case PKCS7_SIGNED_ISSUER:
- {
- identification_t *issuer;
-
- issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(DBG_LIB, " '%Y'", issuer);
- issuer->destroy(issuer);
- break;
- }
- case PKCS7_AUTH_ATTRIBUTES:
- *object.ptr = ASN1_SET;
- this->attributes = pkcs9_create_from_chunk(object, level+1);
- *object.ptr = ASN1_CONTEXT_C_0;
- break;
- case PKCS7_DIGEST_ALGORITHM:
- digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- break;
- case PKCS7_DIGEST_ENC_ALGORITHM:
- enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- break;
- case PKCS7_ENCRYPTED_DIGEST:
- encrypted_digest = object;
- }
- }
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- if (!success)
- {
- return FALSE;
- }
-
- /* check the signature only if a cacert is available */
- if (cacert != NULL)
- {
- signature_scheme_t scheme;
- public_key_t *key;
-
- scheme = signature_scheme_from_oid(digest_alg);
- if (scheme == SIGN_UNKNOWN)
- {
- DBG1(DBG_LIB, "unsupported signature scheme");
- return FALSE;
- }
- if (signerInfos == 0)
- {
- DBG1(DBG_LIB, "no signerInfo object found");
- return FALSE;
- }
- else if (signerInfos > 1)
- {
- DBG1(DBG_LIB, "more than one signerInfo object found");
- return FALSE;
- }
- if (this->attributes == NULL)
- {
- DBG1(DBG_LIB, "no authenticatedAttributes object found");
- return FALSE;
- }
- if (enc_alg != OID_RSA_ENCRYPTION)
- {
- DBG1(DBG_LIB, "only RSA digest encryption supported");
- return FALSE;
- }
-
- /* verify the signature */
- key = cacert->get_public_key(cacert);
- if (key == NULL)
- {
- DBG1(DBG_LIB, "no public key found in CA certificate");
- return FALSE;
- }
- if (key->verify(key, scheme,
- this->attributes->get_encoding(this->attributes), encrypted_digest))
- {
- DBG2(DBG_LIB, "signature is valid");
- }
- else
- {
- DBG1(DBG_LIB, "invalid signature");
- key->destroy(key);
- return FALSE;
- }
- key->destroy(key);
-
- if (this->data.ptr != NULL)
- {
- chunk_t messageDigest;
-
- messageDigest = this->attributes->get_attribute(this->attributes,
- OID_PKCS9_MESSAGE_DIGEST);
- if (messageDigest.ptr == NULL)
- {
- DBG1(DBG_LIB, "messageDigest attribute not found");
- return FALSE;
- }
- else
- {
- hash_algorithm_t algorithm;
- hasher_t *hasher;
- chunk_t hash;
- bool valid;
-
- algorithm = hasher_algorithm_from_oid(digest_alg);
- hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
- if (!hasher || !hasher->allocate_hash(hasher, this->data, &hash))
- {
- DESTROY_IF(hasher);
- DBG1(DBG_LIB, "hash algorithm %N not supported",
- hash_algorithm_names, algorithm);
- return FALSE;
- }
- hasher->destroy(hasher);
- DBG3(DBG_LIB, "hash: %B", &hash);
-
- valid = chunk_equals(messageDigest, hash);
- free(hash.ptr);
- if (valid)
- {
- DBG2(DBG_LIB, "messageDigest is valid");
- }
- else
- {
- DBG1(DBG_LIB, "invalid messageDigest");
- return FALSE;
- }
- }
- }
- }
- return TRUE;
-}
-
-/**
- * ASN.1 definition of the PKCS#7 envelopedData type
- */
-static const asn1Object_t envelopedDataObjects[] = {
- { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
- { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */
- { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */
- { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */
- { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
- { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
- { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */
- { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */
- { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */
- { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
- { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */
- { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */
- { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY }, /* 14 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define PKCS7_ENVELOPED_VERSION 1
-#define PKCS7_RECIPIENT_INFO_VERSION 4
-#define PKCS7_ISSUER 6
-#define PKCS7_SERIAL_NUMBER 7
-#define PKCS7_ENCRYPTION_ALG 8
-#define PKCS7_ENCRYPTED_KEY 9
-#define PKCS7_CONTENT_TYPE 12
-#define PKCS7_CONTENT_ENC_ALGORITHM 13
-#define PKCS7_ENCRYPTED_CONTENT 14
-
-METHOD(pkcs7_t, parse_envelopedData, bool,
- private_pkcs7_t *this, chunk_t serialNumber, private_key_t *key)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID, version;
- bool success = FALSE;
-
- chunk_t iv = chunk_empty;
- chunk_t symmetric_key = chunk_empty;
- chunk_t encrypted_content = chunk_empty;
-
- crypter_t *crypter = NULL;
-
- if (!parse_contentInfo(this) ||
- abort_parsing(this, OID_PKCS7_ENVELOPED_DATA))
- {
- return FALSE;
- }
-
- parser = asn1_parser_create(envelopedDataObjects, this->content);
- parser->set_top_level(parser, this->level);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- u_int level = parser->get_level(parser);
-
- switch (objectID)
- {
- case PKCS7_ENVELOPED_VERSION:
- {
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- if (version != 0)
- {
- DBG1(DBG_LIB, "envelopedData version is not 0");
- goto end;
- }
- break;
- }
- case PKCS7_RECIPIENT_INFO_VERSION:
- {
- version = object.len ? (int)*object.ptr : 0;
- DBG2(DBG_LIB, " v%d", version);
- if (version != 0)
- {
- DBG1(DBG_LIB, "recipient info version is not 0");
- goto end;
- }
- break;
- }
- case PKCS7_ISSUER:
- {
- identification_t *issuer;
-
- issuer = identification_create_from_encoding(ID_DER_ASN1_DN,
- object);
- DBG2(DBG_LIB, " '%Y'", issuer);
- issuer->destroy(issuer);
- break;
- }
- case PKCS7_SERIAL_NUMBER:
- {
- if (!chunk_equals(serialNumber, object))
- {
- DBG1(DBG_LIB, "serial numbers do not match");
- goto end;
- }
- break;
- }
- case PKCS7_ENCRYPTION_ALG:
- {
- int alg;
-
- alg = asn1_parse_algorithmIdentifier(object, level, NULL);
- if (alg != OID_RSA_ENCRYPTION)
- {
- DBG1(DBG_LIB, "only rsa encryption supported");
- goto end;
- }
- break;
- }
- case PKCS7_ENCRYPTED_KEY:
- {
- if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
- {
- DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
- goto end;
- }
- DBG4(DBG_LIB, "symmetric key %B", &symmetric_key);
- break;
- }
- case PKCS7_CONTENT_TYPE:
- {
- if (asn1_known_oid(object) != OID_PKCS7_DATA)
- {
- DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
- goto end;
- }
- break;
- }
- case PKCS7_CONTENT_ENC_ALGORITHM:
- {
- encryption_algorithm_t enc_alg;
- size_t key_size;
- int alg;
-
- alg = asn1_parse_algorithmIdentifier(object, level, &iv);
- enc_alg = encryption_algorithm_from_oid(alg, &key_size);
- if (enc_alg == ENCR_UNDEFINED)
- {
- DBG1(DBG_LIB, "unsupported content encryption algorithm");
- goto end;
- }
- crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
- key_size);
- if (crypter == NULL)
- {
- DBG1(DBG_LIB, "crypter %N not available",
- encryption_algorithm_names, enc_alg);
- goto end;
- }
- if (symmetric_key.len != crypter->get_key_size(crypter))
- {
- DBG1(DBG_LIB, "symmetric key length %d is wrong",
- symmetric_key.len);
- goto end;
- }
- if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING,
- level + 1, "IV"))
- {
- DBG1(DBG_LIB, "IV could not be parsed");
- goto end;
- }
- if (iv.len != crypter->get_iv_size(crypter))
- {
- DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
- goto end;
- }
- break;
- }
- case PKCS7_ENCRYPTED_CONTENT:
- {
- encrypted_content = object;
- break;
- }
- }
- }
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- if (!success)
- {
- goto failed;
- }
- success = FALSE;
-
- /* decrypt the content */
- if (!crypter->set_key(crypter, symmetric_key) ||
- !crypter->decrypt(crypter, encrypted_content, iv, &this->data))
- {
- success = FALSE;
- goto failed;
- }
- DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data);
-
- /* remove the padding */
- {
- u_char *pos = this->data.ptr + this->data.len - 1;
- u_char pattern = *pos;
- size_t padding = pattern;
-
- if (padding > this->data.len)
- {
- DBG1(DBG_LIB, "padding greater than data length");
- goto failed;
- }
- this->data.len -= padding;
-
- while (padding-- > 0)
- {
- if (*pos-- != pattern)
- {
- DBG1(DBG_LIB, "wrong padding pattern");
- goto failed;
- }
- }
- }
- success = TRUE;
-
-failed:
- DESTROY_IF(crypter);
- chunk_clear(&symmetric_key);
- if (!success)
- {
- chunk_free(&this->data);
- }
- return success;
-}
-
-METHOD(pkcs7_t, get_data, chunk_t,
- private_pkcs7_t *this)
-{
- return this->data;
-}
-
-METHOD(pkcs7_t, get_contentInfo, chunk_t,
- private_pkcs7_t *this)
-{
- chunk_t content_type;
-
- /* create DER-encoded OID for pkcs7_contentInfo type */
- switch(this->type)
- {
- case OID_PKCS7_DATA:
- case OID_PKCS7_SIGNED_DATA:
- case OID_PKCS7_ENVELOPED_DATA:
- case OID_PKCS7_SIGNED_ENVELOPED_DATA:
- case OID_PKCS7_DIGESTED_DATA:
- case OID_PKCS7_ENCRYPTED_DATA:
- content_type = asn1_build_known_oid(this->type);
- break;
- case OID_UNKNOWN:
- default:
- DBG1(DBG_LIB, "invalid pkcs7 contentInfo type");
- return chunk_empty;
- }
-
- return this->content.ptr == NULL
- ? asn1_wrap(ASN1_SEQUENCE, "m", content_type)
- : asn1_wrap(ASN1_SEQUENCE, "mm", content_type,
- asn1_simple_object(ASN1_CONTEXT_C_0, this->content));
-}
-
-METHOD(pkcs7_t, create_certificate_enumerator, enumerator_t*,
- private_pkcs7_t *this)
-{
- return this->certs->create_enumerator(this->certs);
-}
-
-METHOD(pkcs7_t, set_certificate, void,
- private_pkcs7_t *this, certificate_t *cert)
-{
- if (cert)
- {
- this->certs->insert_last(this->certs, cert);
- }
-}
-
-METHOD(pkcs7_t, set_attributes, void,
- private_pkcs7_t *this, pkcs9_t *attributes)
-{
- this->attributes = attributes;
-}
-
-METHOD(pkcs7_t, get_attributes, pkcs9_t*,
- private_pkcs7_t *this)
-{
- return this->attributes;
-}
-
-/**
- * build a DER-encoded issuerAndSerialNumber object
- */
-chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert)
-{
- identification_t *issuer = cert->get_issuer(cert);
- chunk_t serial = chunk_empty;
-
- if (cert->get_type(cert) == CERT_X509)
- {
- x509_t *x509 = (x509_t*)cert;
- serial = x509->get_serial(x509);
- }
-
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- issuer->get_encoding(issuer),
- asn1_integer("c", serial));
-}
-
-METHOD(pkcs7_t, build_envelopedData, bool,
- private_pkcs7_t *this, certificate_t *cert, encryption_algorithm_t alg,
- size_t key_size)
-{
- chunk_t iv, symmetricKey, protectedKey, in, out;
- crypter_t *crypter;
- int alg_oid;
-
- /* select OID of symmetric encryption algorithm */
- alg_oid = encryption_algorithm_to_oid(alg, key_size);
- if (alg_oid == OID_UNKNOWN)
- {
- DBG1(DBG_LIB, " encryption algorithm %N not supported",
- encryption_algorithm_names, alg);
- return FALSE;
- }
- crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
- if (crypter == NULL)
- {
- DBG1(DBG_LIB, " could not create crypter for algorithm %N",
- encryption_algorithm_names, alg);
- return FALSE;
- }
-
- /* generate a true random symmetric encryption key
- * and a pseudo-random iv
- */
- {
- rng_t *rng;
-
- rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
- if (!rng || !rng->allocate_bytes(rng, crypter->get_key_size(crypter),
- &symmetricKey))
- {
- DBG1(DBG_LIB, " failed to allocate symmetric encryption key");
- DESTROY_IF(rng);
- return FALSE;
- }
- DBG4(DBG_LIB, " symmetric encryption key: %B", &symmetricKey);
- rng->destroy(rng);
-
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng || !rng->allocate_bytes(rng, crypter->get_iv_size(crypter),
- &iv))
- {
- DBG1(DBG_LIB, " failed to allocate initialization vector");
- DESTROY_IF(rng);
- return FALSE;
- }
- DBG4(DBG_LIB, " initialization vector: %B", &iv);
- rng->destroy(rng);
- }
-
- /* pad the data so that the total length becomes
- * a multiple of the block size
- */
- {
- size_t block_size = crypter->get_block_size(crypter);
- size_t padding = block_size - this->data.len % block_size;
-
- in.len = this->data.len + padding;
- in.ptr = malloc(in.len);
-
- DBG2(DBG_LIB, " padding %d bytes of data to multiple block size of %d bytes",
- (int)this->data.len, (int)in.len);
-
- /* copy data */
- memcpy(in.ptr, this->data.ptr, this->data.len);
- /* append padding */
- memset(in.ptr + this->data.len, padding, padding);
- }
- DBG3(DBG_LIB, " padded unencrypted data: %B", &in);
-
- /* symmetric encryption of data object */
- if (!crypter->set_key(crypter, symmetricKey) ||
- !crypter->encrypt(crypter, in, iv, &out))
- {
- crypter->destroy(crypter);
- chunk_clear(&in);
- chunk_clear(&symmetricKey);
- chunk_free(&iv);
- return FALSE;
- }
- crypter->destroy(crypter);
- chunk_clear(&in);
- DBG3(DBG_LIB, " encrypted data: %B", &out);
-
- /* protect symmetric key by public key encryption */
- {
- public_key_t *key = cert->get_public_key(cert);
-
- if (key == NULL)
- {
- DBG1(DBG_LIB, " public key not found in encryption certificate");
- chunk_clear(&symmetricKey);
- chunk_free(&iv);
- chunk_free(&out);
- return FALSE;
- }
- key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey);
- key->destroy(key);
- chunk_clear(&symmetricKey);
- }
-
- /* build pkcs7 enveloped data object */
- {
- chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(alg_oid),
- asn1_wrap(ASN1_OCTET_STRING, "m", iv));
-
- chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm",
- asn1_build_known_oid(OID_PKCS7_DATA),
- contentEncryptionAlgorithm,
- asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
-
- chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey);
-
- chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm",
- ASN1_INTEGER_0,
- pkcs7_build_issuerAndSerialNumber(cert),
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- encryptedKey);
-
- this->content = asn1_wrap(ASN1_SEQUENCE, "cmm",
- ASN1_INTEGER_0,
- asn1_wrap(ASN1_SET, "m", recipientInfo),
- encryptedContentInfo);
- chunk_free(&this->data);
- this->type = OID_PKCS7_ENVELOPED_DATA;
- this->data = get_contentInfo(this);
- }
- return TRUE;
-}
-
-METHOD(pkcs7_t, build_signedData, bool,
- private_pkcs7_t *this, private_key_t *private_key, hash_algorithm_t alg)
-{
- chunk_t authenticatedAttributes = chunk_empty;
- chunk_t encryptedDigest = chunk_empty;
- chunk_t signerInfo, encoding = chunk_empty;
- signature_scheme_t scheme;
- int digest_oid;
- certificate_t *cert;
-
- if (this->certs->get_first(this->certs, (void**)&cert) != SUCCESS)
- {
- DBG1(DBG_LIB, " no pkcs7 signer certificate found");
- return FALSE;
- }
- digest_oid = hasher_algorithm_to_oid(alg);
- scheme = signature_scheme_from_oid(digest_oid);
-
- if (this->attributes != NULL)
- {
- if (this->data.ptr != NULL)
- {
- chunk_t messageDigest, signingTime, attributes;
- hasher_t *hasher;
- time_t now;
-
- hasher = lib->crypto->create_hasher(lib->crypto, alg);
- if (!hasher ||
- !hasher->allocate_hash(hasher, this->data, &messageDigest))
- {
- DESTROY_IF(hasher);
- DBG1(DBG_LIB, " hash algorithm %N not support",
- hash_algorithm_names, alg);
- return FALSE;
- }
- hasher->destroy(hasher);
- this->attributes->set_attribute(this->attributes,
- OID_PKCS9_MESSAGE_DIGEST,
- messageDigest);
- free(messageDigest.ptr);
-
- /* take the current time as signingTime */
- now = time(NULL);
- signingTime = asn1_from_time(&now, ASN1_UTCTIME);
- this->attributes->set_attribute_raw(this->attributes,
- OID_PKCS9_SIGNING_TIME, signingTime);
- this->attributes->set_attribute_raw(this->attributes,
- OID_PKCS9_CONTENT_TYPE,
- asn1_build_known_oid(OID_PKCS7_DATA));
-
- attributes = this->attributes->get_encoding(this->attributes);
-
- private_key->sign(private_key, scheme, attributes, &encryptedDigest);
- authenticatedAttributes = chunk_clone(attributes);
- *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
- }
- }
- else if (this->data.ptr != NULL)
- {
- private_key->sign(private_key, scheme, this->data, &encryptedDigest);
- }
- if (encryptedDigest.ptr)
- {
- encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest);
- }
- signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm",
- ASN1_INTEGER_1,
- pkcs7_build_issuerAndSerialNumber(cert),
- asn1_algorithmIdentifier(digest_oid),
- authenticatedAttributes,
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- encryptedDigest);
-
- if (this->data.ptr != NULL)
- {
- chunk_free(&this->content);
- this->content = asn1_simple_object(ASN1_OCTET_STRING, this->data);
- chunk_free(&this->data);
- }
- this->type = OID_PKCS7_DATA;
- this->data = get_contentInfo(this);
- chunk_free(&this->content);
-
- cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
-
- this->content = asn1_wrap(ASN1_SEQUENCE, "cmcmm",
- ASN1_INTEGER_1,
- asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)),
- this->data,
- asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding),
- asn1_wrap(ASN1_SET, "m", signerInfo));
- chunk_free(&this->data);
- this->type = OID_PKCS7_SIGNED_DATA;
- this->data = get_contentInfo(this);
-
- return TRUE;
-}
-
-METHOD(pkcs7_t, destroy, void,
- private_pkcs7_t *this)
-{
- DESTROY_IF(this->attributes);
- this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
- free(this->content.ptr);
- free(this->data.ptr);
- free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs7_t *pkcs7_create_empty(void)
-{
- private_pkcs7_t *this;
-
- INIT(this,
- .public = {
- .is_data = _is_data,
- .is_signedData = _is_signedData,
- .is_envelopedData = _is_envelopedData,
- .parse_data = _parse_data,
- .parse_signedData = _parse_signedData,
- .parse_envelopedData = _parse_envelopedData,
- .get_data = _get_data,
- .get_contentInfo = _get_contentInfo,
- .create_certificate_enumerator = _create_certificate_enumerator,
- .set_certificate = _set_certificate,
- .set_attributes = _set_attributes,
- .get_attributes = _get_attributes,
- .build_envelopedData = _build_envelopedData,
- .build_signedData = _build_signedData,
- .destroy = _destroy,
- },
- .type = OID_UNKNOWN,
- .certs = linked_list_create(),
- );
-
- return this;
-}
-
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level)
-{
- private_pkcs7_t *this = pkcs7_create_empty();
-
- this->level = level;
- this->data = chunk_clone(chunk);
-
- return &this->public;
-}
-
-/*
- * Described in header.
- */
-pkcs7_t *pkcs7_create_from_data(chunk_t data)
-{
- private_pkcs7_t *this = pkcs7_create_empty();
-
- this->data = chunk_clone(data);
-
- return &this->public;
-}
-
diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h
deleted file mode 100644
index 7c9a6b037..000000000
--- a/src/libstrongswan/crypto/pkcs7.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pkcs7 pkcs7
- * @{ @ingroup crypto
- */
-
-#ifndef PKCS7_H_
-#define PKCS7_H_
-
-typedef struct pkcs7_t pkcs7_t;
-
-#include <library.h>
-#include <credentials/keys/private_key.h>
-#include <crypto/pkcs9.h>
-#include <crypto/crypters/crypter.h>
-#include <utils/enumerator.h>
-
-/**
- * PKCS#7 contentInfo object.
- */
-struct pkcs7_t {
-
- /**
- * Check if the PKCS#7 contentType is data
- *
- * @return TRUE if the contentType is data
- */
- bool (*is_data) (pkcs7_t *this);
-
- /**
- * Check if the PKCS#7 contentType is signedData
- *
- * @return TRUE if the contentType is signedData
- */
- bool (*is_signedData) (pkcs7_t *this);
-
- /**
- * Check if the PKCS#7 contentType is envelopedData
- *
- * @return TRUE if the contentType is envelopedData
- */
- bool (*is_envelopedData) (pkcs7_t *this);
-
- /**
- * Parse a PKCS#7 data content.
- *
- * @return TRUE if parsing was successful
- */
- bool (*parse_data) (pkcs7_t *this);
-
- /**
- * Parse a PKCS#7 signedData content. The contained PKCS#7 data is parsed
- * and verified.
- *
- * @param cacert cacert used to verify the signature
- * @return TRUE if parsing was successful
- */
- bool (*parse_signedData) (pkcs7_t *this, certificate_t *cacert);
-
- /**
- * Parse a PKCS#7 envelopedData content.
- *
- * @param serialNumber serialNumber of the request
- * @param key private key used to decrypt the symmetric key
- * @return TRUE if parsing was successful
- */
- bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber,
- private_key_t *key);
-
- /**
- * Returns the parsed data object
- *
- * @return chunk containing the data object
- */
- chunk_t (*get_data) (pkcs7_t *this);
-
- /**
- * Returns the a DER-encoded contentInfo object
- *
- * @return chunk containing the contentInfo object
- */
- chunk_t (*get_contentInfo) (pkcs7_t *this);
-
- /**
- * Create an enumerator for the certificates.
- *
- * @return enumerator for the certificates
- */
- enumerator_t *(*create_certificate_enumerator) (pkcs7_t *this);
-
- /**
- * Add a certificate.
- *
- * @param cert certificate to be included (gets adopted)
- */
- void (*set_certificate) (pkcs7_t *this, certificate_t *cert);
-
- /**
- * Add authenticated attributes.
- *
- * @param attributes attributes to be included (gets adopted)
- */
- void (*set_attributes) (pkcs7_t *this, pkcs9_t *attributes);
-
- /**
- * Get attributes.
- *
- * @return attributes (internal data)
- */
- pkcs9_t *(*get_attributes) (pkcs7_t *this);
-
- /**
- * Build a data object
- *
- * @return TRUE if build was successful
- */
- bool (*build_data) (pkcs7_t *this);
-
- /**
- * Build an envelopedData object
- *
- * @param cert receivers's certificate
- * @param alg encryption algorithm
- * @param key_size key size to use
- * @return TRUE if build was successful
- */
- bool (*build_envelopedData) (pkcs7_t *this, certificate_t *cert,
- encryption_algorithm_t alg, size_t key_size);
-
- /**
- * Build an signedData object
- *
- * @param key signer's private key
- * @param alg digest algorithm used for signature
- * @return TRUE if build was successful
- */
- bool (*build_signedData) (pkcs7_t *this, private_key_t *key,
- hash_algorithm_t alg);
-
- /**
- * Destroys the contentInfo object.
- */
- void (*destroy) (pkcs7_t *this);
-};
-
-/**
- * Read a PKCS#7 contentInfo object from a DER encoded chunk.
- *
- * @param chunk chunk containing DER encoded data
- * @param level ASN.1 parsing start level
- * @return created pkcs7_contentInfo object, or NULL if invalid.
- */
-pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
-
-/**
- * Create a PKCS#7 contentInfo object
- *
- * @param data chunk containing data
- * @return created pkcs7_contentInfo object.
- */
-pkcs7_t *pkcs7_create_from_data(chunk_t data);
-
-#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c
deleted file mode 100644
index d24ab1b80..000000000
--- a/src/libstrongswan/crypto/pkcs9.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
-
-#include "pkcs9.h"
-
-typedef struct private_pkcs9_t private_pkcs9_t;
-
-/**
- * Private data of a pkcs9_t attribute list.
- */
-struct private_pkcs9_t {
- /**
- * Public interface
- */
- pkcs9_t public;
-
- /**
- * DER encoding of PKCS#9 attributes
- */
- chunk_t encoding;
-
- /**
- * Linked list of PKCS#9 attributes
- */
- linked_list_t *attributes;
-};
-
-typedef struct attribute_t attribute_t;
-
-/**
- * Definition of an attribute_t object.
- */
-struct attribute_t {
- /**
- * Object Identifier (OID)
- */
- int oid;
-
- /**
- * Attribute value
- */
- chunk_t value;
-
- /**
- * ASN.1 encoding
- */
- chunk_t encoding;
-
- /**
- * Destroys the attribute.
- */
- void (*destroy) (attribute_t *this);
-
-};
-
-/**
- * return the ASN.1 encoding of a PKCS#9 attribute
- */
-static asn1_t asn1_attributeType(int oid)
-{
- asn1_t type;
-
- switch (oid)
- {
- case OID_PKCS9_CONTENT_TYPE:
- type = ASN1_OID;
- break;
- case OID_PKCS9_SIGNING_TIME:
- type = ASN1_UTCTIME;
- break;
- case OID_PKCS9_MESSAGE_DIGEST:
- type = ASN1_OCTET_STRING;
- break;
- case OID_PKI_MESSAGE_TYPE:
- type = ASN1_PRINTABLESTRING;
- break;
- case OID_PKI_STATUS:
- type = ASN1_PRINTABLESTRING;
- break;
- case OID_PKI_FAIL_INFO:
- type = ASN1_PRINTABLESTRING;
- break;
- case OID_PKI_SENDER_NONCE:
- type = ASN1_OCTET_STRING;
- break;
- case OID_PKI_RECIPIENT_NONCE:
- type = ASN1_OCTET_STRING;
- break;
- case OID_PKI_TRANS_ID:
- type = ASN1_PRINTABLESTRING;
- break;
- default:
- type = ASN1_EOC;
- }
- return type;
-}
-
-/**
- * Destroy an attribute_t object.
- */
-static void attribute_destroy(attribute_t *this)
-{
- free(this->value.ptr);
- free(this->encoding.ptr);
- free(this);
-}
-
-/**
- * Create an attribute_t object.
- */
-static attribute_t *attribute_create(int oid, chunk_t value)
-{
- attribute_t *this;
-
- INIT(this,
- .destroy = attribute_destroy,
- .oid = oid,
- .value = chunk_clone(value),
- .encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(oid),
- asn1_simple_object(ASN1_SET, value)),
- );
-
- return this;
-}
-
-METHOD(pkcs9_t, build_encoding, void,
- private_pkcs9_t *this)
-{
- enumerator_t *enumerator;
- attribute_t *attribute;
- u_int attributes_len = 0;
-
- if (this->encoding.ptr)
- {
- chunk_free(&this->encoding);
- }
- if (this->attributes->get_count(this->attributes) == 0)
- {
- return;
- }
-
- /* compute the total length of the encoded attributes */
- enumerator = this->attributes->create_enumerator(this->attributes);
-
- while (enumerator->enumerate(enumerator, (void**)&attribute))
- {
- attributes_len += attribute->encoding.len;
- }
- enumerator->destroy(enumerator);
-
- /* allocate memory for the attributes and build the encoding */
- {
- u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len);
-
- enumerator = this->attributes->create_enumerator(this->attributes);
-
- while (enumerator->enumerate(enumerator, (void**)&attribute))
- {
- memcpy(pos, attribute->encoding.ptr, attribute->encoding.len);
- pos += attribute->encoding.len;
- }
- enumerator->destroy(enumerator);
- }
-}
-
-METHOD(pkcs9_t, get_encoding, chunk_t,
- private_pkcs9_t *this)
-{
- if (this->encoding.ptr == NULL)
- {
- build_encoding(this);
- }
- return this->encoding;
-}
-
-METHOD(pkcs9_t, get_attribute, chunk_t,
- private_pkcs9_t *this, int oid)
-{
- enumerator_t *enumerator;
- chunk_t value = chunk_empty;
- attribute_t *attribute;
-
- enumerator = this->attributes->create_enumerator(this->attributes);
- while (enumerator->enumerate(enumerator, (void**)&attribute))
- {
- if (attribute->oid == oid)
- {
- value = attribute->value;
- break;
- }
- }
- enumerator->destroy(enumerator);
- if (value.ptr &&
- !asn1_parse_simple_object(&value, asn1_attributeType(oid), 0,
- oid_names[oid].name))
- {
- return chunk_empty;
- }
- return value;
-}
-
-METHOD(pkcs9_t, set_attribute_raw, void,
- private_pkcs9_t *this, int oid, chunk_t value)
-{
- attribute_t *attribute = attribute_create(oid, value);
-
- this->attributes->insert_last(this->attributes, attribute);
- chunk_free(&value);
-}
-
-METHOD(pkcs9_t, set_attribute, void,
- private_pkcs9_t *this, int oid, chunk_t value)
-{
- chunk_t attr = asn1_simple_object(asn1_attributeType(oid), value);
-
- set_attribute_raw(this, oid, attr);
-}
-
-METHOD(pkcs9_t, destroy, void,
- private_pkcs9_t *this)
-{
- this->attributes->destroy_offset(this->attributes, offsetof(attribute_t, destroy));
- free(this->encoding.ptr);
- free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs9_t *pkcs9_create_empty(void)
-{
- private_pkcs9_t *this;
-
- INIT(this,
- .public = {
- .build_encoding = _build_encoding,
- .get_encoding = _get_encoding,
- .get_attribute = _get_attribute,
- .set_attribute = _set_attribute,
- .set_attribute_raw = _set_attribute_raw,
- .destroy = _destroy,
- },
- .attributes = linked_list_create(),
- );
-
- return this;
-}
-
-/*
- * Described in header.
- */
-pkcs9_t *pkcs9_create(void)
-{
- private_pkcs9_t *this = pkcs9_create_empty();
-
- return &this->public;
-}
-
-/**
- * ASN.1 definition of the X.501 atttribute type
- */
-static const asn1Object_t attributesObjects[] = {
- { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
- { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
- { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
- { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
- { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE 2
-#define ATTRIBUTE_OBJ_VALUE 4
-
-/**
- * Parse a PKCS#9 attribute list
- */
-static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
- int oid = OID_UNKNOWN;
- bool success = FALSE;
-
- parser = asn1_parser_create(attributesObjects, chunk);
- parser->set_top_level(parser, level0);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
- {
- case ATTRIBUTE_OBJ_TYPE:
- oid = asn1_known_oid(object);
- break;
- case ATTRIBUTE_OBJ_VALUE:
- if (oid == OID_UNKNOWN)
- {
- break;
- }
- /* add the attribute to a linked list */
- {
- attribute_t *attribute = attribute_create(oid, object);
-
- this->attributes->insert_last(this->attributes,
- (void*)attribute);
- }
- /* parse known attributes */
- {
- asn1_t type = asn1_attributeType(oid);
-
- if (type != ASN1_EOC)
- {
- if (!asn1_parse_simple_object(&object, type,
- parser->get_level(parser)+1,
- oid_names[oid].name))
- {
- goto end;
- }
- }
- }
- }
- }
- success = parser->success(parser);
-
-end:
- parser->destroy(parser);
- return success;
-}
-
-
- /*
- * Described in header.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level)
-{
- private_pkcs9_t *this = pkcs9_create_empty();
-
- this->encoding = chunk_clone(chunk);
-
- if (!parse_attributes(chunk, level, this))
- {
- destroy(this);
- return NULL;
- }
- return &this->public;
-}
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 7356dc367..4db504eb0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -38,7 +38,7 @@
#include "proposal_keywords.h"
#include "proposal_keywords_static.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/rwlock.h>
typedef struct private_proposal_keywords_t private_proposal_keywords_t;
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index ce52bc2ce..d85bfebd0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -59,11 +59,11 @@ struct proposal_token {
u_int16_t keysize;
};
-#define TOTAL_KEYWORDS 122
+#define TOTAL_KEYWORDS 130
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 213
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 216
/* maximum key range = 205, duplicates = 0 */
#ifdef __GNUC__
@@ -80,32 +80,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 14, 9,
- 4, 34, 66, 19, 8, 4, 5, 3, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 131, 214, 3, 22, 21,
- 3, 1, 101, 48, 3, 4, 214, 214, 3, 10,
- 57, 4, 214, 214, 94, 6, 3, 32, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
- 214, 214, 214, 214, 214, 214, 214
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 35, 10,
+ 5, 34, 68, 21, 9, 16, 6, 4, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 117, 217, 15, 22, 23,
+ 4, 29, 4, 51, 57, 4, 217, 217, 4, 16,
+ 58, 4, 217, 5, 81, 104, 6, 34, 217, 217,
+ 5, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+ 217, 217, 217, 217, 217, 217, 217
};
register int hval = len;
@@ -142,23 +142,21 @@ hash (str, len)
static const struct proposal_token wordlist[] =
{
- {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
- {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0},
+ {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
{"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
- {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
- {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
+ {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0},
+ {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
{"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
- {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
- {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192},
{"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128},
{"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
- {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
- {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
+ {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128},
+ {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0},
{"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192},
- {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
{"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
+ {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
+ {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
{"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
{"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
{"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
@@ -170,17 +168,18 @@ static const struct proposal_token wordlist[] =
{"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
{"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
{"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256},
- {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
- {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256},
+ {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192},
{"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
- {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192},
+ {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128},
{"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
- {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
+ {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0},
{"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
{"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+ {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256},
{"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0},
- {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256},
{"aes192ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
{"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
{"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192},
@@ -191,18 +190,23 @@ static const struct proposal_token wordlist[] =
{"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128},
{"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192},
{"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128},
- {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0},
{"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0},
- {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0},
{"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0},
+ {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
+ {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0},
+ {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0},
{"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
- {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0},
- {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"md5_128", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0},
+ {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
+ {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0},
{"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
+ {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0},
{"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256},
+ {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0},
{"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256},
+ {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0},
{"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256},
+ {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0},
{"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0},
{"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
{"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
@@ -216,80 +220,84 @@ static const struct proposal_token wordlist[] =
{"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128},
{"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192},
{"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128},
- {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
- {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
+ {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
+ {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
+ {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0},
+ {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0},
+ {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192},
{"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
+ {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
{"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
+ {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
{"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256},
- {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0},
+ {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0},
{"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
- {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0},
+ {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256},
{"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256},
- {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
- {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0},
- {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192},
- {"camellia128ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128},
{"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0},
+ {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256},
+ {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
+ {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
+ {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0},
+ {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
{"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
{"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
- {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0},
+ {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192},
{"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128},
- {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0},
- {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256},
- {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
+ {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
+ {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
{"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0},
- {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+ {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
{"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0},
{"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0},
+ {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
{"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192},
- {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
{"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
- {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
- {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128},
+ {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256},
+ {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
{"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0},
- {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0},
+ {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128},
+ {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
+ {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192},
{"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128},
- {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0},
- {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0},
- {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256},
+ {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
{"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256},
- {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0},
- {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
+ {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0},
+ {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0},
+ {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0},
{"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256},
- {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0},
- {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0},
- {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0},
+ {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128},
+ {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0},
{"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0},
- {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0},
- {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}
+ {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0}
};
static const short lookup[] =
{
- -1, -1, -1, -1, -1, -1, -1, -1, -1, 0,
- 1, 2, -1, -1, -1, -1, 3, 4, -1, -1,
- -1, 5, 6, -1, -1, 7, -1, 8, 9, 10,
- 11, 12, -1, 13, -1, 14, 15, 16, 17, 18,
- 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,
- -1, -1, -1, -1, 29, 30, 31, 32, 33, 34,
- 35, -1, 36, -1, 37, 38, 39, 40, 41, 42,
- 43, 44, 45, 46, 47, 48, 49, 50, 51, 52,
- 53, 54, 55, 56, 57, -1, 58, -1, 59, -1,
- 60, -1, 61, 62, 63, 64, 65, 66, 67, 68,
- 69, 70, 71, 72, 73, 74, -1, 75, -1, 76,
- -1, 77, -1, 78, 79, 80, 81, 82, -1, 83,
- 84, 85, 86, 87, -1, 88, 89, -1, 90, -1,
- -1, 91, 92, -1, 93, -1, -1, 94, -1, 95,
- 96, 97, 98, -1, 99, -1, 100, 101, 102, 103,
- 104, 105, -1, -1, -1, 106, -1, -1, 107, 108,
- -1, 109, -1, -1, 110, 111, 112, -1, -1, 113,
- 114, -1, -1, -1, 115, 116, -1, 117, 118, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, 119, -1, -1, -1, 120,
- -1, -1, -1, 121
+ -1, -1, 0, -1, -1, -1, -1, -1, -1, 1,
+ 2, -1, -1, -1, 3, 4, -1, 5, -1, -1,
+ -1, -1, 6, 7, 8, 9, 10, 11, -1, 12,
+ 13, -1, 14, 15, 16, 17, 18, 19, 20, 21,
+ 22, 23, 24, 25, 26, -1, -1, -1, 27, -1,
+ 28, 29, 30, 31, 32, 33, 34, -1, 35, 36,
+ 37, 38, 39, 40, 41, 42, 43, 44, 45, 46,
+ 47, 48, 49, 50, 51, 52, 53, 54, 55, 56,
+ 57, 58, 59, 60, 61, 62, 63, 64, 65, 66,
+ 67, 68, 69, 70, 71, 72, 73, 74, 75, 76,
+ 77, 78, 79, 80, 81, 82, 83, 84, 85, 86,
+ 87, 88, 89, 90, 91, 92, 93, -1, 94, 95,
+ 96, -1, 97, 98, 99, -1, 100, 101, 102, 103,
+ 104, -1, -1, -1, -1, 105, 106, 107, -1, 108,
+ 109, 110, -1, 111, 112, -1, 113, 114, -1, 115,
+ -1, 116, 117, -1, -1, 118, 119, -1, 120, -1,
+ -1, -1, 121, 122, -1, 123, 124, -1, -1, -1,
+ -1, -1, 125, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, 126, -1, -1, -1,
+ -1, -1, -1, -1, -1, 127, -1, -1, -1, -1,
+ -1, 128, -1, -1, -1, -1, 129
};
#ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 7f8c95757..445438f03 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -132,6 +132,14 @@ md5_128, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0
aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0
camelliaxcbc, INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0
aescmac, INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0
+prfsha1, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0
+prfsha256, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0
+prfsha384, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0
+prfsha512, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0
+prfmd5, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0
+prfaesxcbc, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0
+prfcamelliaxcbc, PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0
+prfaescmac, PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0
modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0
modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0
modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 311df068f..4a98f81e9 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -23,7 +23,7 @@
typedef enum transform_type_t transform_type_t;
-#include <enum.h>
+#include <utils/enum.h>
/**
* Type of a transform, as in IKEv2 RFC 3.3.2.
diff --git a/src/libstrongswan/database/database.h b/src/libstrongswan/database/database.h
index dda29b5fb..d46fc3d34 100644
--- a/src/libstrongswan/database/database.h
+++ b/src/libstrongswan/database/database.h
@@ -25,7 +25,7 @@ typedef enum db_type_t db_type_t;
typedef enum db_driver_t db_driver_t;
typedef struct database_t database_t;
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
/**
* Database column types
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 909522d64..6c714ba51 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -15,7 +15,7 @@
#include "database_factory.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
typedef struct private_database_factory_t private_database_factory_t;
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
index 1e4cf11bf..c181c5de7 100644
--- a/src/libstrongswan/eap/eap.c
+++ b/src/libstrongswan/eap/eap.c
@@ -19,7 +19,7 @@
#include "eap.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
"EAP_REQUEST",
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 5b734da3d..58451aef2 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -26,7 +26,7 @@ typedef struct fetcher_t fetcher_t;
typedef enum fetcher_option_t fetcher_option_t;
#include <stdarg.h>
-#include <chunk.h>
+#include <utils/chunk.h>
/**
* Constructor function which creates fetcher instances.
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 9b363c7eb..a638eef2f 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -15,9 +15,9 @@
#include "fetcher_manager.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_fetcher_manager_t private_fetcher_manager_t;
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 1179b468c..30a7774df 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -18,11 +18,11 @@
#include <stdlib.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <utils/identification.h>
-#include <utils/host.h>
-#include <utils/hashtable.h>
+#include <networking/host.h>
+#include <collections/hashtable.h>
#include <utils/backtrace.h>
#include <selectors/traffic_selector.h>
@@ -44,12 +44,22 @@ struct private_library_t {
* Hashtable with registered objects (name => object)
*/
hashtable_t *objects;
+
+ /**
+ * Integrity check failed?
+ */
+ bool integrity_failed;
+
+ /**
+ * Number of times we have been initialized
+ */
+ refcount_t ref;
};
/**
* library instance
*/
-library_t *lib;
+library_t *lib = NULL;
/**
* Deinitialize library
@@ -59,6 +69,11 @@ void library_deinit()
private_library_t *this = (private_library_t*)lib;
bool detailed;
+ if (!this || !ref_put(&this->ref))
+ { /* have more users */
+ return;
+ }
+
detailed = lib->settings->get_bool(lib->settings,
"libstrongswan.leak_detective.detailed", TRUE);
@@ -68,6 +83,7 @@ void library_deinit()
this->public.scheduler->destroy(this->public.scheduler);
this->public.processor->destroy(this->public.processor);
this->public.plugins->destroy(this->public.plugins);
+ this->public.hosts->destroy(this->public.hosts);
this->public.settings->destroy(this->public.settings);
this->public.credmgr->destroy(this->public.credmgr);
this->public.creds->destroy(this->public.creds);
@@ -141,11 +157,19 @@ bool library_init(char *settings)
private_library_t *this;
printf_hook_t *pfh;
+ if (lib)
+ { /* already initialized, increase refcount */
+ this = (private_library_t*)lib;
+ ref_get(&this->ref);
+ return !this->integrity_failed;
+ }
+
INIT(this,
.public = {
.get = _get,
.set = _set,
},
+ .ref = 1,
);
lib = &this->public;
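Review bot: The new `if (lib)` early return and the later `lib = &this->public;` assignment are not synchronized, so two threads entering library_init() at the same time could both see NULL and each build an instance, leaving one leaked and the refcount wrong. The already-initialized path also silently ignores the `settings` argument, so a second caller passing a different file gets the first caller's configuration. This path further depends on library_deinit() resetting `lib` to NULL after the final release, which is outside the hunks shown; if it does not, a later library_init() would dereference freed memory. At minimum I would add a comment above the check such as `/* callers must serialize library_init()/library_deinit(); settings is only honoured by the first call */`. The body of library_init() continues outside this hunk.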
@@ -183,6 +207,7 @@ bool library_init(char *settings)
this->objects = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 4);
this->public.settings = settings_create(settings);
+ this->public.hosts = host_resolver_create();
this->public.proposal = proposal_keywords_create();
this->public.crypto = crypto_factory_create();
this->public.creds = credential_factory_create();
@@ -202,14 +227,14 @@ bool library_init(char *settings)
if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
{
DBG1(DBG_LIB, "integrity check of libstrongswan failed");
- return FALSE;
+ this->integrity_failed = TRUE;
}
#else /* !INTEGRITY_TEST */
DBG1(DBG_LIB, "integrity test enabled, but not supported");
- return FALSE;
+ this->integrity_failed = TRUE;
#endif /* INTEGRITY_TEST */
}
- return TRUE;
+ return !this->integrity_failed;
}
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index b79bd91be..f164a6052 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -22,6 +22,9 @@
* @defgroup bio bio
* @ingroup libstrongswan
*
+ * @defgroup collections collections
+ * @ingroup libstrongswan
+ *
* @defgroup credentials credentials
* @ingroup libstrongswan
*
@@ -31,6 +34,9 @@
* @defgroup certificates certificates
* @ingroup credentials
*
+ * @defgroup containers containers
+ * @ingroup credentials
+ *
* @defgroup sets sets
* @ingroup credentials
*
@@ -46,6 +52,9 @@
* @defgroup ipsec ipsec
* @ingroup libstrongswan
*
+ * @defgroup networking networking
+ * @ingroup libstrongswan
+ *
* @defgroup plugins plugins
* @ingroup libstrongswan
*
@@ -74,11 +83,10 @@
# error config.h not included, pass "-include [...]/config.h" to gcc
#endif
-#include "printf_hook.h"
-#include "utils.h"
-#include "chunk.h"
-#include "settings.h"
-#include "integrity_checker.h"
+/* make sure we include printf_hook.h and utils.h first */
+#include "utils/printf_hook.h"
+#include "utils/utils.h"
+#include "networking/host_resolver.h"
#include "processing/processor.h"
#include "processing/scheduler.h"
#include "crypto/crypto_factory.h"
@@ -88,7 +96,10 @@
#include "credentials/credential_factory.h"
#include "credentials/credential_manager.h"
#include "credentials/cred_encoding.h"
+#include "utils/chunk.h"
+#include "utils/integrity_checker.h"
#include "utils/leak_detective.h"
+#include "utils/settings.h"
#include "plugins/plugin_loader.h"
typedef struct library_t library_t;
@@ -171,6 +182,11 @@ struct library_t {
scheduler_t *scheduler;
/**
+ * resolve hosts by DNS name
+ */
+ host_resolver_t *hosts;
+
+ /**
* various settings loaded from settings file
*/
settings_t *settings;
@@ -189,6 +205,9 @@ struct library_t {
/**
* Initialize library, creates "lib" instance.
*
+ * library_init() may be called multiple times in a single process, but each
+ * caller should call library_deinit() for each call to library_init().
+ *
* @param settings file to read settings from, may be NULL for default
* @return FALSE if integrity check failed
*/
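Review bot: The added paragraph does not say what a caller must do when library_init() returns FALSE. In library.c the already-initialized path takes a reference before returning `!this->integrity_failed`, and the first call leaves `lib` set with `.ref = 1` even when the integrity check fails, so a caller that bails out without calling library_deinit() keeps the instance alive, and the failure is reported again to every later caller. I would extend the comment with `library_deinit() has to be called even if library_init() returned FALSE; the settings argument is only used by the first call.` The declaration itself lies outside the hunk.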
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/networking/host.c
index e17b6ad02..bffa96064 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/networking/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -16,14 +16,10 @@
* for more details.
*/
-#define _GNU_SOURCE
-#include <sys/socket.h>
-#include <netdb.h>
-#include <string.h>
-
#include "host.h"
-#include <debug.h>
+#include <utils/debug.h>
+#include <library.h>
#define IPV4_LEN 4
#define IPV6_LEN 16
@@ -362,57 +358,72 @@ static host_t *host_create_any_port(int family, u_int16_t port)
/*
* Described in header.
*/
-host_t *host_create_from_string(char *string, u_int16_t port)
+host_t *host_create_from_string_and_family(char *string, int family,
+ u_int16_t port)
{
- private_host_t *this;
+ union {
+ struct sockaddr_in v4;
+ struct sockaddr_in6 v6;
+ } addr;
if (streq(string, "%any"))
{
- return host_create_any_port(AF_INET, port);
+ return host_create_any_port(family ? family : AF_INET, port);
}
- if (streq(string, "%any6"))
+ if (family == AF_UNSPEC || family == AF_INET)
{
- return host_create_any_port(AF_INET6, port);
- }
-
- this = host_create_empty();
- if (strchr(string, '.'))
- {
- this->address.sa_family = AF_INET;
+ if (streq(string, "%any4") || streq(string, "0.0.0.0"))
+ {
+ return host_create_any_port(AF_INET, port);
+ }
}
- else
+ if (family == AF_UNSPEC || family == AF_INET6)
{
- this->address.sa_family = AF_INET6;
+ if (streq(string, "%any6") || streq(string, "::"))
+ {
+ return host_create_any_port(AF_INET6, port);
+ }
}
- switch (this->address.sa_family)
+ switch (family)
{
- case AF_INET:
- {
- if (inet_pton(AF_INET, string, &this->address4.sin_addr) <=0)
+ case AF_UNSPEC:
+ if (strchr(string, '.'))
{
- break;
+ goto af_inet;
}
- this->address4.sin_port = htons(port);
- this->socklen = sizeof(struct sockaddr_in);
- return &this->public;
- }
+ /* FALL */
case AF_INET6:
- {
- if (inet_pton(AF_INET6, string, &this->address6.sin6_addr) <=0)
+ if (inet_pton(AF_INET6, string, &addr.v6.sin6_addr) != 1)
{
- break;
+ return NULL;
}
- this->address6.sin6_port = htons(port);
- this->socklen = sizeof(struct sockaddr_in6);
- return &this->public;
- }
+ addr.v6.sin6_port = htons(port);
+ addr.v6.sin6_family = AF_INET6;
+ return host_create_from_sockaddr((sockaddr_t*)&addr);
+ case AF_INET:
+ if (strchr(string, ':'))
+ { /* do not try to convert v6 addresses for v4 family */
+ return NULL;
+ }
+ af_inet:
+ if (inet_pton(AF_INET, string, &addr.v4.sin_addr) != 1)
+ {
+ return NULL;
+ }
+ addr.v4.sin_port = htons(port);
+ addr.v4.sin_family = AF_INET;
+ return host_create_from_sockaddr((sockaddr_t*)&addr);
default:
- {
- break;
- }
+ return NULL;
}
- free(this);
- return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string(char *string, u_int16_t port)
+{
+ return host_create_from_string_and_family(string, AF_UNSPEC, port);
}
/*
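Review bot: The local `addr` union in host_create_from_string_and_family() is never zeroed, so only the address, port and family members are set before `host_create_from_sockaddr((sockaddr_t*)&addr)` is called. In the AF_INET6 branch that leaves `sin6_flowinfo` and `sin6_scope_id` (and `sin_zero` for AF_INET) holding whatever was on the stack. If host_create_from_sockaddr() copies the whole structure, which is not visible here, that garbage ends up in the host_t and can affect address comparison or the scope used when sending. Adding `memset(&addr, 0, sizeof(addr));` before `switch (family)` avoids this.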
@@ -450,48 +461,18 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
*/
host_t *host_create_from_dns(char *string, int af, u_int16_t port)
{
- private_host_t *this;
- struct addrinfo hints, *result;
- int error;
-
- if (streq(string, "%any"))
- {
- return host_create_any_port(af ? af : AF_INET, port);
- }
- if (streq(string, "%any6"))
- {
- return host_create_any_port(af ? af : AF_INET6, port);
- }
- if (af == AF_INET && strchr(string, ':'))
- { /* do not try to convert v6 addresses for v4 family */
- return NULL;
- }
+ host_t *this;
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = af;
- error = getaddrinfo(string, NULL, &hints, &result);
- if (error != 0)
+ this = host_create_from_string_and_family(string, af, port);
+ if (!this)
{
- DBG1(DBG_LIB, "resolving '%s' failed: %s", string, gai_strerror(error));
- return NULL;
+ this = lib->hosts->resolve(lib->hosts, string, af);
}
- /* result is a linked list, but we use only the first address */
- this = (private_host_t*)host_create_from_sockaddr(result->ai_addr);
- freeaddrinfo(result);
if (this)
{
- switch (this->address.sa_family)
- {
- case AF_INET:
- this->address4.sin_port = htons(port);
- break;
- case AF_INET6:
- this->address6.sin6_port = htons(port);
- break;
- }
- return &this->public;
+ this->set_port(this, port);
}
- return NULL;
+ return this;
}
/*
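Review bot: host_create_from_dns() now dereferences the global with `lib->hosts->resolve(lib->hosts, string, af)` and has no check that the library is initialized, whereas the removed code only called getaddrinfo(). Any caller that reaches this function before library_init() or after library_deinit() has destroyed `hosts` would crash instead of getting NULL; whether such callers exist is not visible from this hunk. A guard such as `if (!this && lib && lib->hosts)` keeps the old failure mode, and the header comment for host_create_from_dns() should mention the new dependency on an initialized library.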
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/networking/host.h
index a8b010544..25f334779 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/networking/host.h
@@ -18,7 +18,7 @@
/**
* @defgroup host host
- * @{ @ingroup utils
+ * @{ @ingroup networking
*/
#ifndef HOST_H_
@@ -34,7 +34,7 @@ typedef struct host_t host_t;
#include <netinet/in.h>
#include <arpa/inet.h>
-#include <chunk.h>
+#include <utils/chunk.h>
/**
* Differences between two hosts. They differ in
@@ -160,6 +160,17 @@ struct host_t {
host_t *host_create_from_string(char *string, u_int16_t port);
/**
+ * Same as host_create_from_string(), but with the option to enforce a family.
+ *
+ * @param string string of an address
+ * @param family address family, or AF_UNSPEC
+ * @param port port number
+ * @return host_t, NULL if string not an address.
+ */
+host_t *host_create_from_string_and_family(char *string, int family,
+ u_int16_t port);
+
+/**
* Constructor to create a host_t from a DNS name.
*
* @param string hostname to resolve
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
new file mode 100644
index 000000000..5e244f114
--- /dev/null
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include "host_resolver.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+
+/**
+ * Default minimum and maximum number of threads
+ */
+#define MIN_THREADS_DEFAULT 0
+#define MAX_THREADS_DEFAULT 3
+
+/**
+ * Timeout in seconds to wait for new queries until a thread may be stopped
+ */
+#define NEW_QUERY_WAIT_TIMEOUT 30
+
+typedef struct private_host_resolver_t private_host_resolver_t;
+
+/**
+ * Private data of host_resolver_t
+ */
+struct private_host_resolver_t {
+
+ /**
+ * Public interface
+ */
+ host_resolver_t public;
+
+ /**
+ * Hashtable to check for queued queries, query_t*
+ */
+ hashtable_t *queries;
+
+ /**
+ * Queue for queries, query_t*
+ */
+ linked_list_t *queue;
+
+ /**
+ * Mutex to safely access private data
+ */
+ mutex_t *mutex;
+
+ /**
+ * Condvar to signal arrival of new queries
+ */
+ condvar_t *new_query;
+
+ /**
+ * Minimum number of resolver threads
+ */
+ u_int min_threads;
+
+ /**
+ * Maximum number of resolver threads
+ */
+ u_int max_threads;
+
+ /**
+ * Current number of threads
+ */
+ u_int threads;
+
+ /**
+ * Current number of busy threads
+ */
+ u_int busy_threads;
+
+ /**
+ * Pool of threads, thread_t*
+ */
+ linked_list_t *pool;
+
+ /**
+ * TRUE if no new queries are accepted
+ */
+ bool disabled;
+
+};
+
+typedef struct {
+ /** DNS name we are looking for */
+ char *name;
+ /** address family we request */
+ int family;
+ /** Condvar to signal completion of a query */
+ condvar_t *done;
+ /** refcount */
+ refcount_t refcount;
+ /** the result if successful */
+ host_t *result;
+} query_t;
+
+/**
+ * Destroy the given query_t object if refcount is zero
+ */
+static void query_destroy(query_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+ DESTROY_IF(this->result);
+ this->done->destroy(this->done);
+ free(this->name);
+ free(this);
+ }
+}
+
+/**
+ * Signals all waiting threads and destroys the query
+ */
+static void query_signal_and_destroy(query_t *this)
+{
+ this->done->broadcast(this->done);
+ query_destroy(this);
+}
+
+/**
+ * Hash a queued query
+ */
+static u_int query_hash(query_t *this)
+{
+ return chunk_hash_inc(chunk_create(this->name, strlen(this->name)),
+ chunk_hash(chunk_from_thing(this->family)));
+}
+
+/**
+ * Compare two queued queries
+ */
+static bool query_equals(query_t *this, query_t *other)
+{
+ return this->family == other->family && streq(this->name, other->name);
+}
+
+/**
+ * Main function of resolver threads
+ */
+static void *resolve_hosts(private_host_resolver_t *this)
+{
+ struct addrinfo hints, *result;
+ query_t *query;
+ int error;
+ bool old, timed_out;
+
+ while (TRUE)
+ {
+ this->mutex->lock(this->mutex);
+ thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+ while (this->queue->remove_first(this->queue,
+ (void**)&query) != SUCCESS)
+ {
+ old = thread_cancelability(TRUE);
+ timed_out = this->new_query->timed_wait(this->new_query,
+ this->mutex, NEW_QUERY_WAIT_TIMEOUT * 1000);
+ thread_cancelability(old);
+ if (this->disabled)
+ {
+ thread_cleanup_pop(TRUE);
+ return NULL;
+ }
+ else if (timed_out && (this->threads > this->min_threads))
+ { /* terminate this thread by detaching it */
+ thread_t *thread = thread_current();
+
+ this->threads--;
+ this->pool->remove(this->pool, thread, NULL);
+ thread_cleanup_pop(TRUE);
+ thread->detach(thread);
+ return NULL;
+ }
+ }
+ this->busy_threads++;
+ thread_cleanup_pop(TRUE);
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = query->family;
+ hints.ai_socktype = SOCK_DGRAM;
+
+ thread_cleanup_push((thread_cleanup_t)query_signal_and_destroy, query);
+ old = thread_cancelability(TRUE);
+ error = getaddrinfo(query->name, NULL, &hints, &result);
+ thread_cancelability(old);
+ thread_cleanup_pop(FALSE);
+
+ this->mutex->lock(this->mutex);
+ this->busy_threads--;
+ if (error != 0)
+ {
+ DBG1(DBG_LIB, "resolving '%s' failed: %s", query->name,
+ gai_strerror(error));
+ }
+ else
+ { /* result is a linked list, but we use only the first address */
+ query->result = host_create_from_sockaddr(result->ai_addr);
+ freeaddrinfo(result);
+ }
+ this->queries->remove(this->queries, query);
+ query->done->broadcast(query->done);
+ this->mutex->unlock(this->mutex);
+ query_destroy(query);
+ }
+ return NULL;
+}
+
+METHOD(host_resolver_t, resolve, host_t*,
+ private_host_resolver_t *this, char *name, int family)
+{
+ query_t *query, lookup = {
+ .name = name,
+ .family = family,
+ };
+ host_t *result;
+
+ if (family == AF_INET && strchr(name, ':'))
+ { /* do not try to convert v6 addresses for v4 family */
+ return NULL;
+ }
+ this->mutex->lock(this->mutex);
+ if (this->disabled)
+ {
+ this->mutex->unlock(this->mutex);
+ return NULL;
+ }
+ query = this->queries->get(this->queries, &lookup);
+ if (!query)
+ {
+ INIT(query,
+ .name = strdup(name),
+ .family = family,
+ .done = condvar_create(CONDVAR_TYPE_DEFAULT),
+ .refcount = 1,
+ );
+ this->queries->put(this->queries, query, query);
+ this->queue->insert_last(this->queue, query);
+ this->new_query->signal(this->new_query);
+ }
+ ref_get(&query->refcount);
+ if (this->busy_threads == this->threads &&
+ this->threads < this->max_threads)
+ {
+ thread_t *thread;
+
+ thread = thread_create((thread_main_t)resolve_hosts, this);
+ if (thread)
+ {
+ this->threads++;
+ this->pool->insert_last(this->pool, thread);
+ }
+ }
+ query->done->wait(query->done, this->mutex);
+ this->mutex->unlock(this->mutex);
+
+ result = query->result ? query->result->clone(query->result) : NULL;
+ query_destroy(query);
+ return result;
+}
+
+METHOD(host_resolver_t, flush, void,
+ private_host_resolver_t *this)
+{
+ enumerator_t *enumerator;
+ query_t *query;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->queries->create_enumerator(this->queries);
+ while (enumerator->enumerate(enumerator, &query, NULL))
+ { /* use the hashtable here as we also want to signal dequeued queries */
+ this->queries->remove_at(this->queries, enumerator);
+ query->done->broadcast(query->done);
+ }
+ enumerator->destroy(enumerator);
+ this->queue->destroy_function(this->queue, (void*)query_destroy);
+ this->queue = linked_list_create();
+ this->disabled = TRUE;
+ /* this will already terminate most idle threads */
+ this->new_query->broadcast(this->new_query);
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(host_resolver_t, destroy, void,
+ private_host_resolver_t *this)
+{
+ thread_t *thread;
+
+ flush(this);
+ this->pool->invoke_offset(this->pool, offsetof(thread_t, cancel));
+ while (this->pool->remove_first(this->pool, (void**)&thread) == SUCCESS)
+ {
+ thread->join(thread);
+ }
+ this->pool->destroy(this->pool);
+ this->queue->destroy(this->queue);
+ this->queries->destroy(this->queries);
+ this->new_query->destroy(this->new_query);
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+host_resolver_t *host_resolver_create()
+{
+ private_host_resolver_t *this;
+
+ INIT(this,
+ .public = {
+ .resolve = _resolve,
+ .flush = _flush,
+ .destroy = _destroy,
+ },
+ .queries = hashtable_create((hashtable_hash_t)query_hash,
+ (hashtable_equals_t)query_equals, 8),
+ .queue = linked_list_create(),
+ .pool = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .new_query = condvar_create(CONDVAR_TYPE_DEFAULT),
+ );
+
+ this->min_threads = max(0, lib->settings->get_int(lib->settings,
+ "libstrongswan.host_resolver.min_threads",
+ MIN_THREADS_DEFAULT));
+ this->max_threads = max(this->min_threads ?: 1,
+ lib->settings->get_int(lib->settings,
+ "libstrongswan.host_resolver.max_threads",
+ MAX_THREADS_DEFAULT));
+ return &this->public;
+}
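Review bot: In resolve() the caller blocks on a single `query->done->wait(query->done, this->mutex);` with no predicate, so if the condvar wrapper follows pthread semantics a spurious wakeup makes the caller read `query->result` while the worker is still inside getaddrinfo() and return NULL for a name that would have resolved. A completion flag is needed because a NULL result cannot distinguish "failed" from "not finished yet"; it would be set wherever `done` is broadcast (resolve_hosts(), flush(), query_signal_and_destroy()) and checked in a loop around the wait. Separately, in host_resolver_create() the `max()` for `max_threads` compares the unsigned `min_threads ?: 1` with the signed result of get_int(); depending on how `max` is defined (not visible here), a negative configured value may convert to a very large thread limit, so clamping the setting before the comparison would be safer.

```c
typedef struct {
	/* … unchanged: name, family, done, refcount, result … */
	/** TRUE once the query was answered, flushed or canceled */
	bool finished;
} query_t;

/* in resolve_hosts() and flush(), under this->mutex, before
 * query->done->broadcast(query->done): */
	query->finished = TRUE;

/* in query_signal_and_destroy(), before this->done->broadcast(this->done): */
	this->finished = TRUE;

/* in resolve(), replacing the single wait: */
	while (!query->finished)
	{
		query->done->wait(query->done, this->mutex);
	}
```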
diff --git a/src/libstrongswan/networking/host_resolver.h b/src/libstrongswan/networking/host_resolver.h
new file mode 100644
index 000000000..f944a9cdf
--- /dev/null
+++ b/src/libstrongswan/networking/host_resolver.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup host_resolver host_resolver
+ * @{ @ingroup networking
+ */
+
+#ifndef HOST_RESOLVER_H_
+#define HOST_RESOLVER_H_
+
+#include "host.h"
+
+typedef struct host_resolver_t host_resolver_t;
+
+/**
+ * Resolve hosts by DNS name but do so in a separate thread (calling
+ * getaddrinfo(3) directly might block indefinitely, or at least a very long
+ * time if no DNS servers are reachable).
+ */
+struct host_resolver_t {
+
+ /**
+ * Resolve host from the given DNS name.
+ *
+ * @param name name to lookup
+ * @param family requested address family
+ * @return resolved host or NULL if failed or canceled
+ */
+ host_t *(*resolve)(host_resolver_t *this, char *name, int family);
+
+ /**
+ * Flush the queue of queries. No new queries will be accepted afterwards.
+ */
+ void (*flush)(host_resolver_t *this);
+
+ /**
+ * Destroy a host_resolver_t.
+ */
+ void (*destroy)(host_resolver_t *this);
+};
+
+/**
+ * Create a host_resolver_t instance.
+ */
+host_resolver_t *host_resolver_create();
+
+#endif /** HOST_RESOLVER_H_ @}*/
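Review bot: The comment on `resolve` does not tell callers that the call still blocks and that they own the returned object. The struct comment motivates the resolver with getaddrinfo(3) blocking "indefinitely", but in host_resolver.c resolve() waits on the query's condvar without a timeout and only returns early when flush() or destroy() is called; it also returns a clone of the result. I would add to the `resolve` doc `Blocks the calling thread until the lookup finishes or flush() is called.` and change the return line to `@return resolved host (to be destroyed by the caller), NULL if failed or canceled`.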
diff --git a/src/libstrongswan/utils/packet.c b/src/libstrongswan/networking/packet.c
index a2c329d60..a2c329d60 100644
--- a/src/libstrongswan/utils/packet.c
+++ b/src/libstrongswan/networking/packet.c
diff --git a/src/libstrongswan/utils/packet.h b/src/libstrongswan/networking/packet.h
index 5c4440115..6fb9cece2 100644
--- a/src/libstrongswan/utils/packet.h
+++ b/src/libstrongswan/networking/packet.h
@@ -17,7 +17,7 @@
/**
* @defgroup packet packet
- * @{ @ingroup utils
+ * @{ @ingroup networking
*/
#ifndef PACKET_H_
@@ -26,7 +26,7 @@
typedef struct packet_t packet_t;
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
/**
* Abstraction of an IP/UDP-Packet, contains data, sender and receiver.
diff --git a/src/libstrongswan/utils/tun_device.c b/src/libstrongswan/networking/tun_device.c
index 36f3359c0..d07327e5c 100644
--- a/src/libstrongswan/utils/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -40,7 +40,7 @@
#include "tun_device.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#define TUN_DEFAULT_MTU 1500
diff --git a/src/libstrongswan/utils/tun_device.h b/src/libstrongswan/networking/tun_device.h
index 71af0386b..b22a5d170 100644
--- a/src/libstrongswan/utils/tun_device.h
+++ b/src/libstrongswan/networking/tun_device.h
@@ -17,14 +17,14 @@
/**
* @defgroup tun_device tun_device
- * @{ @ingroup utils
+ * @{ @ingroup networking
*/
#ifndef TUN_DEVICE_H_
#define TUN_DEVICE_H_
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
typedef struct tun_device_t tun_device_t;
diff --git a/src/libstrongswan/pen/pen.c b/src/libstrongswan/pen/pen.c
index a80e949e3..b1b0731d4 100644
--- a/src/libstrongswan/pen/pen.c
+++ b/src/libstrongswan/pen/pen.c
@@ -21,11 +21,21 @@ ENUM_NEXT(pen_names, PEN_IBM, PEN_IBM, PEN_IETF,
"IBM");
ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IBM,
"Microsoft");
-ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_MICROSOFT,
+ENUM_NEXT(pen_names, PEN_REDHAT, PEN_REDHAT, PEN_MICROSOFT,
+ "Redhat");
+ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_REDHAT,
"OSC");
-ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_OSC,
+ENUM_NEXT(pen_names, PEN_DEBIAN, PEN_DEBIAN, PEN_OSC,
+ "Debian Project");
+ENUM_NEXT(pen_names, PEN_GOOGLE, PEN_GOOGLE, PEN_DEBIAN,
+ "Google");
+ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_GOOGLE,
"TCG");
-ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_TCG,
+ENUM_NEXT(pen_names, PEN_CANONICAL, PEN_CANONICAL, PEN_TCG,
+ "Canonical");
+ENUM_NEXT(pen_names, PEN_FEDORA, PEN_FEDORA, PEN_CANONICAL,
+ "Fedora Project");
+ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_FEDORA,
"FHH");
ENUM_NEXT(pen_names, PEN_ITA, PEN_ITA, PEN_FHH,
"ITA-HSR");
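Review bot: The display name in the added PEN_REDHAT entry is spelled `"Redhat"`, while the vendor writes its name "Red Hat" and the neighbouring additions use full registrant names ("Debian Project", "Fedora Project"); `"Red Hat");` would keep the strings consistent wherever these names end up in log output. The re-linked predecessor arguments on the PEN_OSC, PEN_TCG and PEN_FHH entries agree with the ascending values added to pen.h. Because every insertion forces an edit of the following entry, a short comment above the chain would help the next addition, for example `/* keep in ascending PEN order; the 4th argument names the preceding entry */`. The ENUM chain starts before and continues past this hunk.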
diff --git a/src/libstrongswan/pen/pen.h b/src/libstrongswan/pen/pen.h
index 78b6e4df2..9d5df7d49 100644
--- a/src/libstrongswan/pen/pen.h
+++ b/src/libstrongswan/pen/pen.h
@@ -33,8 +33,13 @@ enum pen_t {
PEN_IETF = 0x000000, /* 0 */
PEN_IBM = 0x000002, /* 2 */
PEN_MICROSOFT = 0x000137, /* 311 */
+ PEN_REDHAT = 0x000908, /* 2312 */
PEN_OSC = 0x002358, /* 9048 */
+ PEN_DEBIAN = 0x002572, /* 9586 */
+ PEN_GOOGLE = 0x002B79, /* 11129 */
PEN_TCG = 0x005597, /* 21911 */
+ PEN_CANONICAL = 0x007132, /* 28978 */
+ PEN_FEDORA = 0x0076C1, /* 30401 */
PEN_FHH = 0x0080ab, /* 32939 */
PEN_ITA = 0x00902a, /* 36906 */
PEN_OPENPTS = 0x00950e, /* 38158 */
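Review bot: The added constants `0x002B79` and `0x0076C1` use upper-case hex digits, whereas the existing entries in the same enum (`0x0080ab`, `0x00902a`, `0x00950e`) use lower case. Writing them as `PEN_GOOGLE = 0x002b79,` and `PEN_FEDORA = 0x0076c1,` keeps the table uniform and easier to search. The decimal comments match the hex values for all five additions. enum pen_t starts before and continues past this hunk.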
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index c09cf66a7..99cc71e2c 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_aes_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES)
+libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) $(EXTRA_libstrongswan_aes_la_DEPENDENCIES)
$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index d3da24718..66b525016 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_af_alg_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -377,7 +386,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES)
+libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) $(EXTRA_libstrongswan_af_alg_la_DEPENDENCIES)
$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -519,10 +528,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
index 7fe47c578..331d1e801 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_ops.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
@@ -19,7 +19,7 @@
#include <errno.h>
#include <linux/socket.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_af_alg_ops_t private_af_alg_ops_t;
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 8e606bf39..ec98cacb9 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_agent_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES)
+libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) $(EXTRA_libstrongswan_agent_la_DEPENDENCIES)
$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 60b57ad2d..42c78c172 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -24,8 +24,8 @@
#include <errno.h>
#include <library.h>
-#include <chunk.h>
-#include <debug.h>
+#include <utils/chunk.h>
+#include <utils/debug.h>
#ifndef UNIX_PATH_MAX
#define UNIX_PATH_MAX 108
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index c8b904eb9..7904719a4 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_blowfish_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES)
+libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) $(EXTRA_libstrongswan_blowfish_la_DEPENDENCIES)
$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index bb094f04c..2b00c4c46 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_ccm_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES)
+libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) $(EXTRA_libstrongswan_ccm_la_DEPENDENCIES)
$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index eba059a29..883469557 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_cmac_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES)
+libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_cmac_la_DEPENDENCIES)
$(libstrongswan_cmac_la_LINK) $(am_libstrongswan_cmac_la_rpath) $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c
index 725d02d76..c8cb7fbf2 100644
--- a/src/libstrongswan/plugins/cmac/cmac.c
+++ b/src/libstrongswan/plugins/cmac/cmac.c
@@ -17,7 +17,7 @@
#include "cmac.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/mac.h>
#include <crypto/prfs/mac_prf.h>
#include <crypto/signers/mac_signer.h>
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 693d76334..65f36db54 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_constraints_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES)
+libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) $(EXTRA_libstrongswan_constraints_la_DEPENDENCIES)
$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index b54d813df..83a74299a 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -15,9 +15,9 @@
#include "constraints_validator.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/certificates/x509.h>
typedef struct private_constraints_validator_t private_constraints_validator_t;
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index adab5d7d5..8b4ee6771 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_ctr_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES)
+libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) $(EXTRA_libstrongswan_ctr_la_DEPENDENCIES)
$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index b6f38681f..93b9ba114 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_curl_la_DEPENDENCIES =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES)
+libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) $(EXTRA_libstrongswan_curl_la_DEPENDENCIES)
$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 7f8c0aec2..c68b74f96 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -17,7 +17,7 @@
#include <curl/curl.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "curl_fetcher.h"
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index 8628c4bb5..062fe129f 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -16,7 +16,7 @@
#include "curl_plugin.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "curl_fetcher.h"
#include <curl/curl.h>
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 04d489824..49d9f6b6f 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_des_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES)
+libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) $(EXTRA_libstrongswan_des_la_DEPENDENCIES)
$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 2f86f7558..d49cac8a7 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_dnskey_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES)
+libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) $(EXTRA_libstrongswan_dnskey_la_DEPENDENCIES)
$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.c b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
index ea4eb6cda..b8a451500 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_builder.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
@@ -15,7 +15,7 @@
#include "dnskey_builder.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/keys/private_key.h>
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 017f00e50..8192b7f37 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_fips_prf_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES)
+libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) $(EXTRA_libstrongswan_fips_prf_la_DEPENDENCIES)
$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index 3fe204d35..23825078e 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -17,7 +17,7 @@
#include <arpa/inet.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_fips_prf_t private_fips_prf_t;
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 0c5eea0a7..e8f89a7c5 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_gcm_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES)
+libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcm_la_DEPENDENCIES)
$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 72e525b16..ee300b8f3 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_gcrypt_la_DEPENDENCIES =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -379,7 +388,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES)
+libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcrypt_la_DEPENDENCIES)
$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -522,10 +531,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 0b5dc0365..a737cb13d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -17,7 +17,7 @@
#include <gcrypt.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_gcrypt_crypter_t private_gcrypt_crypter_t;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 0efd3ba16..f418b941d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -18,7 +18,7 @@
#include "gcrypt_dh.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 3155a4aa0..af7993101 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -15,7 +15,7 @@
#include "gcrypt_hasher.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <gcrypt.h>
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 5ebdcebce..78d75a238 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -23,7 +23,7 @@
#include "gcrypt_rsa_public_key.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
#include <errno.h>
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 9fdb2d45b..938a46490 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -17,7 +17,7 @@
#include "gcrypt_rsa_private_key.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index c54f2c0cf..291287a8f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -17,7 +17,7 @@
#include "gcrypt_rsa_public_key.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index f1bb28c1f..aeb48ff8a 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_gmp_la_DEPENDENCIES =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES)
+libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) $(EXTRA_libstrongswan_gmp_la_DEPENDENCIES)
$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -513,10 +522,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 7d232e4f1..b74d35169 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -21,7 +21,7 @@
#include "gmp_diffie_hellman.h"
-#include <debug.h>
+#include <utils/debug.h>
#ifdef HAVE_MPZ_POWM_SEC
# undef mpz_powm
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index 590ab6cb4..052b10741 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -1,7 +1,8 @@
/*
- * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -22,7 +23,7 @@
#include "gmp_rsa_private_key.h"
#include "gmp_rsa_public_key.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
@@ -69,9 +70,14 @@ struct private_gmp_rsa_private_key_t {
mpz_t q;
/**
- * Private exponent.
+ * Carmichael function m = lambda(n) = lcm(p-1,q-1).
+ */
+ mpz_t m;
+
+ /**
+ * Private exponent and optional secret sharing polynomial coefficients.
*/
- mpz_t d;
+ mpz_t *d;
/**
* Private exponent 1.
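Review bot: The new comment on `mpz_t *d` does not say how long the array is or which element is the private exponent. From the later hunks in this file, the array is heap-allocated with `threshold` entries, element 0 holds d, and destroy() wipes and frees it. I would spell that out, e.g. `Array of threshold values: d[0] is the private exponent, d[1..threshold-1] are secret sharing polynomial coefficients; allocated on the heap, wiped and freed in destroy()`. The struct definition starts and ends outside this hunk.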
@@ -89,6 +95,21 @@ struct private_gmp_rsa_private_key_t {
mpz_t coeff;
/**
+ * Total number of private key shares
+ */
+ u_int shares;
+
+ /**
+ * Secret sharing threshold
+ */
+ u_int threshold;
+
+ /**
+ * Optional verification key (threshold > 1).
+ */
+ mpz_t v;
+
+ /**
* Keysize in bytes.
*/
size_t k;
@@ -121,22 +142,22 @@ chunk_t gmp_mpz_to_chunk(const mpz_t value)
static void mpz_clear_sensitive(mpz_t z)
{
size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
- u_int8_t *random = alloca(len);
+ u_int8_t *zeros = alloca(len);
- memset(random, 0, len);
+ memset(zeros, 0, len);
/* overwrite mpz_t with zero bytes before clearing it */
- mpz_import(z, len, 1, 1, 1, 0, random);
+ mpz_import(z, len, 1, 1, 1, 0, zeros);
mpz_clear(z);
}
/**
* Create a mpz prime of at least prime_size
*/
-static status_t compute_prime(private_gmp_rsa_private_key_t *this,
- size_t prime_size, mpz_t *prime)
+static status_t compute_prime(size_t prime_size, bool safe, mpz_t *p, mpz_t *q)
{
rng_t *rng;
chunk_t random_bytes;
+ int count = 0;
rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
if (!rng)
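Review bot: The header comment above compute_prime still reads "Create a mpz prime of at least prime_size" and does not describe the new `safe`, `p` and `q` parameters. From the body in the next hunk, `*q` serves as scratch for the candidate when `safe` is set and holds p-1 on return. Both values are initialised inside the function, so the caller has to clear both. I would state that in the comment, e.g. `@param q receives p-1 on success (caller clears both p and q)`. The function body continues outside this hunk.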
@@ -146,26 +167,53 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
return FAILED;
}
- mpz_init(*prime);
+ mpz_init(*p);
+ mpz_init(*q);
+
do
{
if (!rng->allocate_bytes(rng, prime_size, &random_bytes))
{
DBG1(DBG_LIB, "failed to allocate random prime");
+ mpz_clear(*p);
+ mpz_clear(*q);
rng->destroy(rng);
return FAILED;
}
- /* make sure the two most significant bits are set */
- random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
- mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
- mpz_nextprime (*prime, *prime);
+ /* make sure the two most significant bits are set */
+ if (safe)
+ {
+ random_bytes.ptr[0] &= 0x7F;
+ random_bytes.ptr[0] |= 0x60;
+ mpz_import(*q, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+ do
+ {
+ count++;
+ mpz_nextprime (*q, *q);
+ mpz_mul_ui(*p, *q, 2);
+ mpz_add_ui(*p, *p, 1);
+ }
+ while (mpz_probab_prime_p(*p, 10) == 0);
+ DBG2(DBG_LIB, "safe prime found after %d iterations", count);
+ }
+ else
+ {
+ random_bytes.ptr[0] |= 0xC0;
+ mpz_import(*p, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+ mpz_nextprime (*p, *p);
+ }
chunk_clear(&random_bytes);
}
- /* check if it isn't too large */
- while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
+
+ /* check if the prime isn't too large */
+ while (((mpz_sizeinbase(*p, 2) + 7) / 8) > prime_size);
rng->destroy(rng);
+
+ /* additionally return p-1 */
+ mpz_sub_ui(*q, *p, 1);
+
return SUCCESS;
}
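Review bot: In the safe-prime branch, `mpz_probab_prime_p(*p, 10)` tests p = 2q+1 with only 10 repetitions, while the GMP manual gives 15 to 50 as reasonable values for reps. I would raise the count, e.g. `while (mpz_probab_prime_p(*p, 25) == 0);`, or add a comment justifying 10 for key generation. Separately, `count` is never reset when the outer loop retries, so the "safe prime found after %d iterations" message reports a running total; moving `count = 0;` to just before the inner `do` would fix that. The comment "make sure the two most significant bits are set" now sits above both branches, although the safe branch clears the top bit of q so that p = 2q+1 ends up with its two top bits set; a short remark there would help.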
@@ -393,7 +441,7 @@ METHOD(private_key_t, get_encoding, bool,
n = gmp_mpz_to_chunk(this->n);
e = gmp_mpz_to_chunk(this->e);
- d = gmp_mpz_to_chunk(this->d);
+ d = gmp_mpz_to_chunk(*this->d);
p = gmp_mpz_to_chunk(this->p);
q = gmp_mpz_to_chunk(this->q);
exp1 = gmp_mpz_to_chunk(this->exp1);
@@ -451,14 +499,24 @@ METHOD(private_key_t, destroy, void,
{
if (ref_put(&this->ref))
{
- mpz_clear_sensitive(this->n);
- mpz_clear_sensitive(this->e);
+ int i;
+
+ mpz_clear(this->n);
+ mpz_clear(this->e);
+ mpz_clear(this->v);
mpz_clear_sensitive(this->p);
mpz_clear_sensitive(this->q);
- mpz_clear_sensitive(this->d);
+ mpz_clear_sensitive(this->m);
mpz_clear_sensitive(this->exp1);
mpz_clear_sensitive(this->exp2);
mpz_clear_sensitive(this->coeff);
+
+ for (i = 0; i < this->threshold; i++)
+ {
+ mpz_clear_sensitive(*this->d + i);
+ }
+ free(this->d);
+
lib->encoding->clear_cache(lib->encoding, this);
free(this);
}
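Review bot: The cleanup loop addresses the coefficients as `*this->d + i`, which only works because `mpz_t` is a one-element array type and is easy to misread as arithmetic on the value. `mpz_clear_sensitive(this->d[i]);` refers to the same element and reads more clearly. The counter is an `int` compared against the `u_int` field `this->threshold`; declaring it `u_int i;` avoids the mixed-sign comparison. The loop also assumes every one of the `threshold` slots has been through mpz_init, which is worth stating in a comment since destroy() is also used on error paths. The METHOD header for destroy lies outside this hunk.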
@@ -469,7 +527,7 @@ METHOD(private_key_t, destroy, void,
*/
static status_t check(private_gmp_rsa_private_key_t *this)
{
- mpz_t t, u, q1;
+ mpz_t u, p1, q1;
status_t status = SUCCESS;
/* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
@@ -488,10 +546,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
return FAILED;
}
- mpz_init(t);
mpz_init(u);
+ mpz_init(p1);
mpz_init(q1);
+ /* precompute p1 = p-1 and q1 = q-1 */
+ mpz_sub_ui(p1, this->p, 1);
+ mpz_sub_ui(q1, this->q, 1);
+
/* check that n == p * q */
mpz_mul(u, this->p, this->q);
if (mpz_cmp(u, this->n) != 0)
@@ -500,62 +562,54 @@ static status_t check(private_gmp_rsa_private_key_t *this)
}
/* check that e divides neither p-1 nor q-1 */
- mpz_sub_ui(t, this->p, 1);
- mpz_mod(t, t, this->e);
- if (mpz_cmp_ui(t, 0) == 0)
+ mpz_mod(u, p1, this->e);
+ if (mpz_cmp_ui(u, 0) == 0)
{
status = FAILED;
}
- mpz_sub_ui(t, this->q, 1);
- mpz_mod(t, t, this->e);
- if (mpz_cmp_ui(t, 0) == 0)
+ mpz_mod(u, q1, this->e);
+ if (mpz_cmp_ui(u, 0) == 0)
{
status = FAILED;
}
/* check that d is e^-1 (mod lcm(p-1, q-1)) */
/* see PKCS#1v2, aka RFC 2437, for the "lcm" */
- mpz_sub_ui(q1, this->q, 1);
- mpz_sub_ui(u, this->p, 1);
- mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
- mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
- mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
-
- mpz_mul(t, this->d, this->e);
- mpz_mod(t, t, u);
- if (mpz_cmp_ui(t, 1) != 0)
+ mpz_lcm(this->m, p1, q1);
+ mpz_mul(u, *this->d, this->e);
+ mpz_mod(u, u, this->m);
+ if (mpz_cmp_ui(u, 1) != 0)
{
status = FAILED;
}
/* check that exp1 is d mod (p-1) */
- mpz_sub_ui(u, this->p, 1);
- mpz_mod(t, this->d, u);
- if (mpz_cmp(t, this->exp1) != 0)
+ mpz_mod(u, *this->d, p1);
+ if (mpz_cmp(u, this->exp1) != 0)
{
status = FAILED;
}
/* check that exp2 is d mod (q-1) */
- mpz_sub_ui(u, this->q, 1);
- mpz_mod(t, this->d, u);
- if (mpz_cmp(t, this->exp2) != 0)
+ mpz_mod(u, *this->d, q1);
+ if (mpz_cmp(u, this->exp2) != 0)
{
status = FAILED;
}
/* check that coeff is (q^-1) mod p */
- mpz_mul(t, this->coeff, this->q);
- mpz_mod(t, t, this->p);
- if (mpz_cmp_ui(t, 1) != 0)
+ mpz_mul(u, this->coeff, this->q);
+ mpz_mod(u, u, this->p);
+ if (mpz_cmp_ui(u, 1) != 0)
{
status = FAILED;
}
- mpz_clear_sensitive(t);
mpz_clear_sensitive(u);
+ mpz_clear_sensitive(p1);
mpz_clear_sensitive(q1);
+
if (status != SUCCESS)
{
DBG1(DBG_LIB, "key integrity tests failed");
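Review bot: check() now writes lcm(p-1, q-1) into `this->m` via `mpz_lcm(this->m, p1, q1)`, so a routine that otherwise only validates the key also fills in key state. The function's header comment should mention this, e.g. `also computes this->m = lcm(p-1, q-1) as a side effect`, and presumably the load path depends on check() having run before m is used, which should be confirmed. Only the first element `*this->d` is verified against e; if additional coefficients can ever be present at this point, the comment should say they are not checked. The beginning and end of check() are outside this hunk.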
@@ -587,6 +641,7 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
.destroy = _destroy,
},
},
+ .threshold = 1,
.ref = 1,
);
return this;
@@ -597,9 +652,11 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
*/
gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
{
- mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
private_gmp_rsa_private_key_t *this;
- u_int key_size = 0;
+ u_int key_size = 0, shares = 0, threshold = 1;
+ bool safe_prime = FALSE, rng_failed = FALSE, invert_failed = FALSE;
+ mpz_t p, q, p1, q1, d;
+;
while (TRUE)
{
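Review bot: The added line holding a lone `;` after `mpz_t p, q, p1, q1, d;` is an empty statement and looks like a leftover; I would delete it. It is harmless as written, but any declaration added below it would then count as mixed declarations and code. gmp_rsa_private_key_gen continues outside this hunk.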
@@ -608,6 +665,15 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
case BUILD_KEY_SIZE:
key_size = va_arg(args, u_int);
continue;
+ case BUILD_SAFE_PRIMES:
+ safe_prime = TRUE;
+ continue;
+ case BUILD_SHARES:
+ shares = va_arg(args, u_int);
+ continue;
+ case BUILD_THRESHOLD:
+ threshold = va_arg(args, u_int);
+ continue;
case BUILD_END:
break;
default:
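Review bot: `BUILD_THRESHOLD` and `BUILD_SHARES` are read from the argument list with no range check. A threshold of 0 would make the later `malloc(threshold * sizeof(mpz_t))` a zero-sized allocation while `(*this->d)[0]` is still written, and destroy() would then clear no entries (both in the key-generation hunk further down). I would reject that after the parsing loop, e.g. `if (threshold == 0) { return NULL; }`. The relation between threshold and shares should be checked there too, once the intended meaning of `shares == 0` is confirmed. The switch and the function continue outside this hunk.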
@@ -619,76 +685,112 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
{
return NULL;
}
-
- this = gmp_rsa_private_key_create_empty();
key_size = key_size / BITS_PER_BYTE;
/* Get values of primes p and q */
- if (compute_prime(this, key_size/2, &p) != SUCCESS)
+ if (compute_prime(key_size/2, safe_prime, &p, &p1) != SUCCESS)
{
- free(this);
return NULL;
}
- if (compute_prime(this, key_size/2, &q) != SUCCESS)
+ if (compute_prime(key_size/2, safe_prime, &q, &q1) != SUCCESS)
{
mpz_clear(p);
- free(this);
+ mpz_clear(p1);
return NULL;
}
- mpz_init(t);
- mpz_init(n);
- mpz_init(d);
- mpz_init(exp1);
- mpz_init(exp2);
- mpz_init(coeff);
-
/* Swapping Primes so p is larger then q */
if (mpz_cmp(p, q) < 0)
{
mpz_swap(p, q);
+ mpz_swap(p1, q1);
}
- mpz_mul(n, p, q); /* n = p*q */
- mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
- mpz_init_set(m, p); /* m = p */
- mpz_sub_ui(m, m, 1); /* m = m -1 */
- mpz_init_set(q1, q); /* q1 = q */
- mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
- mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
- mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
- mpz_divexact(m, m, t); /* m = m / t */
- mpz_gcd(t, m, e); /* t = gcd(m, e) */
+ /* Create and initialize RSA private key object */
+ this = gmp_rsa_private_key_create_empty();
+ this->shares = shares;
+ this->threshold = threshold;
+ this->d = malloc(threshold * sizeof(mpz_t));
+ *this->p = *p;
+ *this->q = *q;
- mpz_invert(d, e, m); /* e has an inverse mod m */
- if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
- {
- mpz_add(d, d, m);
- }
- mpz_sub_ui(t, p, 1); /* t = p-1 */
- mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
- mpz_sub_ui(t, q, 1); /* t = q-1 */
- mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
+ mpz_init_set_ui(this->e, PUBLIC_EXPONENT);
+ mpz_init(this->n);
+ mpz_init(this->m);
+ mpz_init(this->exp1);
+ mpz_init(this->exp2);
+ mpz_init(this->coeff);
+ mpz_init(this->v);
+ mpz_init(d);
- mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
- if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
+ mpz_mul(this->n, p, q); /* n = p*q */
+ mpz_lcm(this->m, p1, q1); /* m = lcm(p-1,q-1) */
+ mpz_invert(d, this->e, this->m); /* e has an inverse mod m */
+ mpz_mod(this->exp1, d, p1); /* exp1 = d mod p-1 */
+ mpz_mod(this->exp2, d, q1); /* exp2 = d mod q-1 */
+ mpz_invert(this->coeff, q, p); /* coeff = q^-1 mod p */
+
+ invert_failed = mpz_cmp_ui(this->m, 0) == 0 ||
+ mpz_cmp_ui(this->coeff, 0) == 0;
+
+ /* store secret exponent d */
+ (*this->d)[0] = *d;
+
+ /* generate and store random coefficients of secret sharing polynomial */
+ if (threshold > 1)
{
- mpz_add(coeff, coeff, p);
+ rng_t *rng;
+ chunk_t random_bytes;
+ mpz_t u;
+ int i;
+
+ rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+ mpz_init(u);
+
+ for (i = 1; i < threshold; i++)
+ {
+ mpz_init(d);
+
+ if (!rng->allocate_bytes(rng, key_size, &random_bytes))
+ {
+ rng_failed = TRUE;
+ continue;
+ }
+ mpz_import(d, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+ mpz_mod(d, d, this->m);
+ (*this->d)[i] = *d;
+ chunk_clear(&random_bytes);
+ }
+
+ /* generate verification key v as a square number */
+ do
+ {
+ if (!rng->allocate_bytes(rng, key_size, &random_bytes))
+ {
+ rng_failed = TRUE;
+ break;
+ }
+ mpz_import(this->v, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+ mpz_mul(this->v, this->v, this->v);
+ mpz_mod(this->v, this->v, this->n);
+ mpz_gcd(u, this->v, this->n);
+ chunk_free(&random_bytes);
+ }
+ while (mpz_cmp_ui(u, 1) != 0);
+
+ mpz_clear(u);
+ rng->destroy(rng);
}
+ mpz_clear_sensitive(p1);
mpz_clear_sensitive(q1);
- mpz_clear_sensitive(m);
- mpz_clear_sensitive(t);
-
- /* apply values */
- *(this->p) = *p;
- *(this->q) = *q;
- *(this->n) = *n;
- *(this->e) = *e;
- *(this->d) = *d;
- *(this->exp1) = *exp1;
- *(this->exp2) = *exp2;
- *(this->coeff) = *coeff;
+
+ if (rng_failed || invert_failed)
+ {
+ DBG1(DBG_LIB, "rsa key generation failed");
+ destroy(this);
+ return NULL;
+ }
/* set key size in bytes */
this->k = key_size;
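Review bot: Both mpz_invert() calls ignore their return value, and `invert_failed` instead compares `this->m` and `this->coeff` with zero. A failed inversion of e modulo m (possible when e shares a factor with lcm(p-1, q-1)) therefore goes undetected and leaves d undefined; m is an lcm of positive values and will not be zero. In the threshold branch the result of create_rng() is dereferenced without a NULL check. On an allocate_bytes() failure the `continue` leaves `(*this->d)[i]` uninitialised and drops the freshly initialised `d`, after which destroy() runs mpz_clear_sensitive over all `threshold` slots. The sketch below checks the mpz_invert() results and initialises each coefficient slot before anything can fail. gmp_rsa_private_key_gen begins before and continues after this hunk.

```c
	/* … unchanged: mpz_init calls, n = p*q, m = lcm(p-1,q-1) … */
	/* mpz_invert() returns 0 if no inverse exists; the result is then undefined */
	invert_failed = !mpz_invert(d, this->e, this->m) ||
					!mpz_invert(this->coeff, q, p);
	mpz_mod(this->exp1, d, p1);			/* exp1 = d mod p-1 */
	mpz_mod(this->exp2, d, q1);			/* exp2 = d mod q-1 */

	/* … unchanged: store secret exponent d … */
	if (threshold > 1)
	{
		/* … unchanged: local declarations … */
		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
		rng_failed = (rng == NULL);
		mpz_init(u);

		for (i = 1; i < threshold; i++)
		{
			/* initialise the slot first so destroy() can always clear it */
			mpz_init(this->d[i]);
			if (rng_failed ||
				!rng->allocate_bytes(rng, key_size, &random_bytes))
			{
				rng_failed = TRUE;
				continue;
			}
			mpz_import(this->d[i], random_bytes.len, 1, 1, 1, 0,
					   random_bytes.ptr);
			mpz_mod(this->d[i], this->d[i], this->m);
			chunk_clear(&random_bytes);
		}

		if (!rng_failed)
		{
			/* … unchanged: do/while loop generating verification key v … */
		}
		mpz_clear(u);
		if (rng)
		{
			rng->destroy(rng);
		}
```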
@@ -701,8 +803,8 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
*/
gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
{
- chunk_t n, e, d, p, q, exp1, exp2, coeff;
private_gmp_rsa_private_key_t *this;
+ chunk_t n, e, d, p, q, exp1, exp2, coeff;
n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
while (TRUE)
@@ -743,25 +845,28 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
this = gmp_rsa_private_key_create_empty();
+ this->d = malloc(sizeof(mpz_t));
mpz_init(this->n);
mpz_init(this->e);
+ mpz_init(*this->d);
mpz_init(this->p);
mpz_init(this->q);
- mpz_init(this->d);
+ mpz_init(this->m);
mpz_init(this->exp1);
mpz_init(this->exp2);
mpz_init(this->coeff);
+ mpz_init(this->v);
mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
- mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
+ mpz_import(*this->d, d.len, 1, 1, 1, 0, d.ptr);
mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
if (!exp1.len)
{ /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
mpz_sub_ui(this->exp1, this->p, 1);
- mpz_mod(this->exp1, this->d, this->exp1);
+ mpz_mod(this->exp1, *this->d, this->exp1);
}
else
{
@@ -770,7 +875,7 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
if (!exp2.len)
{ /* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
mpz_sub_ui(this->exp2, this->q, 1);
- mpz_mod(this->exp2, this->d, this->exp2);
+ mpz_mod(this->exp2, *this->d, this->exp2);
}
else
{
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 2d84f0025..ad659e4d7 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -22,7 +22,7 @@
#include "gmp_rsa_public_key.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
@@ -361,6 +361,8 @@ METHOD(public_key_t, encrypt_, bool,
}
rng->destroy(rng);
+ pos += padding;
+
/* append the padding terminator */
*pos++ = 0x00;
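Review bot: The added `pos += padding;` has no comment explaining why the write pointer moves here, and its position matters for the layout of the padded block. Presumably the code above fills the random padding bytes in place without advancing `pos` (that part is outside this hunk), so the terminator and the data must be written after them. I would add `/* skip the random padding filled in above */` on the line before it. A test that encrypts and then decrypts a short message would guard against this offset regressing. The METHOD encrypt_ starts and ends outside this hunk.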
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index aed35cf16..6af056617 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_hmac_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES)
+libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_hmac_la_DEPENDENCIES)
$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index d11feddb1..95c1932bc 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_ldap_la_DEPENDENCIES =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -369,7 +378,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES)
+libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) $(EXTRA_libstrongswan_ldap_la_DEPENDENCIES)
$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -507,10 +516,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index 75f964853..40b6d1f63 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -22,7 +22,7 @@
#include <errno.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "ldap_fetcher.h"
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 14b6370f4..1abdfecd6 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_md4_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES)
+libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) $(EXTRA_libstrongswan_md4_la_DEPENDENCIES)
$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index ba228f8ea..2e005e084 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_md5_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES)
+libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_md5_la_DEPENDENCIES)
$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 88dba0967..347b57e11 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES)
+libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) $(EXTRA_libstrongswan_mysql_la_DEPENDENCIES)
$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 1a20a804a..7e1da683e 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -19,11 +19,11 @@
#include "mysql_database.h"
-#include <debug.h>
-#include <chunk.h>
+#include <utils/debug.h>
+#include <utils/chunk.h>
#include <threading/thread_value.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/* Older mysql.h headers do not define it, but we need it. It is not returned
* in in MySQL 4 by default, but by MySQL 5. To avoid this problem, we catch
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index dd8b32761..23d709739 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -16,7 +16,7 @@
#include "mysql_plugin.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "mysql_database.h"
typedef struct private_mysql_plugin_t private_mysql_plugin_t;
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 7ce23b4d9..03ccb8119 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_nonce_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES)
+libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES) $(EXTRA_libstrongswan_nonce_la_DEPENDENCIES)
$(libstrongswan_nonce_la_LINK) $(am_libstrongswan_nonce_la_rpath) $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/nonce/nonce_nonceg.c b/src/libstrongswan/plugins/nonce/nonce_nonceg.c
index 0402e3574..64ed2e08d 100644
--- a/src/libstrongswan/plugins/nonce/nonce_nonceg.c
+++ b/src/libstrongswan/plugins/nonce/nonce_nonceg.c
@@ -15,7 +15,7 @@
#include "nonce_nonceg.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_nonce_nonceg_t private_nonce_nonceg_t;
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index c59888663..f971a5e08 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -23,6 +23,7 @@ libstrongswan_openssl_la_SOURCES = \
openssl_ec_public_key.c openssl_ec_public_key.h \
openssl_x509.c openssl_x509.h \
openssl_crl.c openssl_crl.h \
+ openssl_pkcs7.c openssl_pkcs7.h \
openssl_rng.c openssl_rng.h \
openssl_hmac.c openssl_hmac.h
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index ada44ead3..6d4e2b0d8 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_openssl_la_DEPENDENCIES =
@@ -82,7 +88,7 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
- openssl_rng.lo openssl_hmac.lo
+ openssl_pkcs7.lo openssl_rng.lo openssl_hmac.lo
libstrongswan_openssl_la_OBJECTS = \
$(am_libstrongswan_openssl_la_OBJECTS)
libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -128,6 +134,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -155,6 +162,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -182,6 +190,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +203,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -247,7 +257,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -312,6 +321,7 @@ libstrongswan_openssl_la_SOURCES = \
openssl_ec_public_key.c openssl_ec_public_key.h \
openssl_x509.c openssl_x509.h \
openssl_crl.c openssl_crl.h \
+ openssl_pkcs7.c openssl_pkcs7.h \
openssl_rng.c openssl_rng.h \
openssl_hmac.c openssl_hmac.h
@@ -391,7 +401,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES)
+libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) $(EXTRA_libstrongswan_openssl_la_DEPENDENCIES)
$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -408,6 +418,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs7.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rng.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@
@@ -542,10 +553,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index e529ff8a5..d4f36f58b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -42,8 +42,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
-#include <debug.h>
-#include <utils/enumerator.h>
+#include <utils/debug.h>
+#include <collections/enumerator.h>
#include <credentials/certificates/x509.h>
typedef struct private_openssl_crl_t private_openssl_crl_t;
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index b27aa3391..4dc5663f1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -18,7 +18,7 @@
#include "openssl_diffie_hellman.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 9e4067589..d846278c8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -23,7 +23,7 @@
#include "openssl_ec_diffie_hellman.h"
#include "openssl_util.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_openssl_ec_diffie_hellman_t private_openssl_ec_diffie_hellman_t;
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 950504573..d350d050b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -22,7 +22,7 @@
#include "openssl_ec_public_key.h"
#include "openssl_util.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <openssl/evp.h>
#include <openssl/ecdsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 9cb68a3ab..3f5125b31 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -21,7 +21,7 @@
#include "openssl_ec_public_key.h"
#include "openssl_util.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <openssl/evp.h>
#include <openssl/ecdsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
new file mode 100644
index 000000000..ccc426235
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -0,0 +1,790 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_CMS
+
+#include "openssl_pkcs7.h"
+#include "openssl_util.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <credentials/sets/mem_cred.h>
+
+#include <openssl/cms.h>
+
+typedef struct private_openssl_pkcs7_t private_openssl_pkcs7_t;
+
+/**
+ * Private data of an openssl_pkcs7_t object.
+ */
+struct private_openssl_pkcs7_t {
+
+ /**
+ * Public pkcs7_t interface.
+ */
+ pkcs7_t public;
+
+ /**
+ * Type of this container
+ */
+ container_type_t type;
+
+ /**
+ * OpenSSL CMS structure
+ */
+ CMS_ContentInfo *cms;
+};
+
+/**
+ * OpenSSL does not allow us to read the signature to verify it with our own
+ * crypto API. We define the internal CMS_SignerInfo structure here to get it.
+ */
+struct CMS_SignerInfo_st {
+ long version;
+ void *sid;
+ X509_ALGOR *digestAlgorithm;
+ STACK_OF(X509_ATTRIBUTE) *signedAttrs;
+ X509_ALGOR *signatureAlgorithm;
+ ASN1_OCTET_STRING *signature;
+ /* and more... */
+};
+
+/**
+ * And we also need access to the wrappend CMS_KeyTransRecipientInfo to
+ * read the encrypted key
+ */
+struct CMS_KeyTransRecipientInfo_st {
+ long version;
+ void *rid;
+ X509_ALGOR *keyEncryptionAlgorithm;
+ ASN1_OCTET_STRING *encryptedKey;
+};
+
+struct CMS_RecipientInfo_st {
+ int type;
+ struct CMS_KeyTransRecipientInfo_st *ktri;
+ /* and more in union... */
+};
+
+struct CMS_EncryptedContentInfo_st {
+ ASN1_OBJECT *contentType;
+ X509_ALGOR *contentEncryptionAlgorithm;
+ ASN1_OCTET_STRING *encryptedContent;
+ /* and more... */
+};
+
+struct CMS_EnvelopedData_st {
+ long version;
+ void *originatorInfo;
+ STACK_OF(CMS_RecipientInfo) *recipientInfos;
+ struct CMS_EncryptedContentInfo_st *encryptedContentInfo;
+ /* and more... */
+};
+
+struct CMS_ContentInfo_st {
+ ASN1_OBJECT *contentType;
+ struct CMS_EnvelopedData_st *envelopedData;
+ /* and more in union... */
+};
+
+/**
+ * We can't include asn1.h, declare function prototypes directly
+ */
+chunk_t asn1_wrap(int, const char *mode, ...);
+int asn1_unwrap(chunk_t*, chunk_t*);
+
+/**
+ * Enumerator over certificates
+ */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** Stack of X509 certificates */
+ STACK_OF(X509) *certs;
+ /** current enumerator position in certificates */
+ int i;
+ /** currently enumerating certificate_t */
+ certificate_t *cert;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_destroy, void,
+ cert_enumerator_t *this)
+{
+ DESTROY_IF(this->cert);
+ free(this);
+}
+
+METHOD(enumerator_t, cert_enumerate, bool,
+ cert_enumerator_t *this, certificate_t **out)
+{
+ if (!this->certs)
+ {
+ return FALSE;
+ }
+ while (this->i < sk_X509_num(this->certs))
+ {
+ chunk_t encoding;
+ X509 *x509;
+
+ /* clean up previous round */
+ DESTROY_IF(this->cert);
+ this->cert = NULL;
+
+ x509 = sk_X509_value(this->certs, this->i++);
+ encoding = openssl_i2chunk(X509, x509);
+ this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, encoding,
+ BUILD_END);
+ free(encoding.ptr);
+ if (!this->cert)
+ {
+ continue;
+ }
+ *out = this->cert;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(pkcs7_t, create_cert_enumerator, enumerator_t*,
+ private_openssl_pkcs7_t *this)
+{
+ cert_enumerator_t *enumerator;
+
+ if (this->type == CONTAINER_PKCS7_SIGNED_DATA)
+ {
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_cert_enumerate,
+ .destroy = _cert_destroy,
+ },
+ .certs = CMS_get1_certs(this->cms),
+ );
+ return &enumerator->public;
+ }
+ return enumerator_create_empty();
+}
+
+/**
+ * Enumerator for signatures
+ */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** Stack of signerinfos */
+ STACK_OF(CMS_SignerInfo) *signers;
+ /** current enumerator position in signers */
+ int i;
+ /** currently enumerating auth config */
+ auth_cfg_t *auth;
+ /** full CMS */
+ CMS_ContentInfo *cms;
+ /** credential set containing wrapped certificates */
+ mem_cred_t *creds;
+} signature_enumerator_t;
+
+/**
+ * Verify signerInfo signature
+ */
+static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid)
+{
+ enumerator_t *enumerator;
+ public_key_t *key;
+ certificate_t *cert;
+ auth_cfg_t *auth, *found = NULL;
+ identification_t *issuer, *serial;
+ chunk_t attrs = chunk_empty, sig, attr;
+ X509_NAME *name;
+ ASN1_INTEGER *snr;
+ int i;
+
+ if (CMS_SignerInfo_get0_signer_id(si, NULL, &name, &snr) != 1)
+ {
+ return NULL;
+ }
+ issuer = openssl_x509_name2id(name);
+ if (!issuer)
+ {
+ return NULL;
+ }
+ serial = identification_create_from_encoding(
+ ID_KEY_ID, openssl_asn1_str2chunk(snr));
+
+ /* reconstruct DER encoded attributes to verify signature */
+ for (i = 0; i < CMS_signed_get_attr_count(si); i++)
+ {
+ attr = openssl_i2chunk(X509_ATTRIBUTE, CMS_signed_get_attr(si, i));
+ attrs = chunk_cat("mm", attrs, attr);
+ }
+ /* wrap in a ASN1_SET */
+ attrs = asn1_wrap(0x31, "m", attrs);
+
+ /* TODO: find a better way to access and verify the signature */
+ sig = openssl_asn1_str2chunk(si->signature);
+ enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+ KEY_RSA, serial, FALSE);
+ while (enumerator->enumerate(enumerator, &cert, &auth))
+ {
+ if (issuer->equals(issuer, cert->get_issuer(cert)))
+ {
+ key = cert->get_public_key(cert);
+ if (key)
+ {
+ if (key->verify(key, signature_scheme_from_oid(hash_oid),
+ attrs, sig))
+ {
+ found = auth->clone(auth);
+ key->destroy(key);
+ break;
+ }
+ key->destroy(key);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ issuer->destroy(issuer);
+ serial->destroy(serial);
+ free(attrs.ptr);
+
+ return found;
+}
+
+/**
+ * Verify the message digest in the signerInfo attributes
+ */
+static bool verify_digest(CMS_ContentInfo *cms, CMS_SignerInfo *si, int hash_oid)
+{
+ ASN1_OCTET_STRING *os, **osp;
+ hash_algorithm_t hash_alg;
+ chunk_t digest, content, hash;
+ hasher_t *hasher;
+
+ os = CMS_signed_get0_data_by_OBJ(si,
+ OBJ_nid2obj(NID_pkcs9_messageDigest), -3, V_ASN1_OCTET_STRING);
+ if (!os)
+ {
+ return FALSE;
+ }
+ digest = openssl_asn1_str2chunk(os);
+ osp = CMS_get0_content(cms);
+ if (!osp)
+ {
+ return FALSE;
+ }
+ content = openssl_asn1_str2chunk(*osp);
+
+ hash_alg = hasher_algorithm_from_oid(hash_oid);
+ hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+ if (!hasher)
+ {
+ DBG1(DBG_LIB, "hash algorithm %N not supported",
+ hash_algorithm_names, hash_alg);
+ return FALSE;
+ }
+ if (!hasher->allocate_hash(hasher, content, &hash))
+ {
+ hasher->destroy(hasher);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+
+ if (!chunk_equals(digest, hash))
+ {
+ free(hash.ptr);
+ DBG1(DBG_LIB, "invalid messageDigest");
+ return FALSE;
+ }
+ free(hash.ptr);
+ return TRUE;
+}
+
+METHOD(enumerator_t, signature_enumerate, bool,
+ signature_enumerator_t *this, auth_cfg_t **out)
+{
+ if (!this->signers)
+ {
+ return FALSE;
+ }
+ while (this->i < sk_CMS_SignerInfo_num(this->signers))
+ {
+ CMS_SignerInfo *si;
+ X509_ALGOR *digest, *sig;
+ int hash_oid;
+
+ /* clean up previous round */
+ DESTROY_IF(this->auth);
+ this->auth = NULL;
+
+ si = sk_CMS_SignerInfo_value(this->signers, this->i++);
+
+ CMS_SignerInfo_get0_algs(si, NULL, NULL, &digest, &sig);
+ hash_oid = openssl_asn1_known_oid(digest->algorithm);
+ if (openssl_asn1_known_oid(sig->algorithm) != OID_RSA_ENCRYPTION)
+ {
+ DBG1(DBG_LIB, "only RSA digest encryption supported");
+ continue;
+ }
+ this->auth = verify_signature(si, hash_oid);
+ if (!this->auth)
+ {
+ DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature");
+ continue;
+ }
+ if (!verify_digest(this->cms, si, hash_oid))
+ {
+ continue;
+ }
+ *out = this->auth;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, signature_destroy, void,
+ signature_enumerator_t *this)
+{
+ lib->credmgr->remove_local_set(lib->credmgr, &this->creds->set);
+ this->creds->destroy(this->creds);
+ DESTROY_IF(this->auth);
+ free(this);
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+ private_openssl_pkcs7_t *this)
+{
+ signature_enumerator_t *enumerator;
+
+ if (this->type == CONTAINER_PKCS7_SIGNED_DATA)
+ {
+ enumerator_t *certs;
+ certificate_t *cert;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_signature_enumerate,
+ .destroy = _signature_destroy,
+ },
+ .cms = this->cms,
+ .signers = CMS_get0_SignerInfos(this->cms),
+ .creds = mem_cred_create(),
+ );
+
+ /* make available wrapped certs during signature checking */
+ certs = create_cert_enumerator(this);
+ while (certs->enumerate(certs, &cert))
+ {
+ enumerator->creds->add_cert(enumerator->creds, FALSE,
+ cert->get_ref(cert));
+ }
+ certs->destroy(certs);
+
+ lib->credmgr->add_local_set(lib->credmgr, &enumerator->creds->set,
+ FALSE);
+
+ return &enumerator->public;
+ }
+ return enumerator_create_empty();
+}
+
+
+METHOD(container_t, get_type, container_type_t,
+ private_openssl_pkcs7_t *this)
+{
+ return this->type;
+}
+
+METHOD(pkcs7_t, get_attribute, bool,
+ private_openssl_pkcs7_t *this, int oid,
+ enumerator_t *enumerator, chunk_t *value)
+{
+ signature_enumerator_t *e;
+ CMS_SignerInfo *si;
+ X509_ATTRIBUTE *attr;
+ ASN1_TYPE *type;
+ chunk_t chunk, wrapped;
+ int i;
+
+ e = (signature_enumerator_t*)enumerator;
+ if (e->i <= 0)
+ {
+ return FALSE;
+ }
+
+ /* "i" gets incremeneted after enumerate(), hence read from previous */
+ si = sk_CMS_SignerInfo_value(e->signers, e->i - 1);
+ for (i = 0; i < CMS_signed_get_attr_count(si); i++)
+ {
+ attr = CMS_signed_get_attr(si, i);
+ if (!attr->single && sk_ASN1_TYPE_num(attr->value.set) == 1 &&
+ openssl_asn1_known_oid(attr->object) == oid)
+ {
+ /* get first value in SET */
+ type = sk_ASN1_TYPE_value(attr->value.set, 0);
+ chunk = wrapped = openssl_i2chunk(ASN1_TYPE, type);
+ if (asn1_unwrap(&chunk, &chunk) != 0x100 /* ASN1_INVALID */)
+ {
+ *value = chunk_clone(chunk);
+ free(wrapped.ptr);
+ return TRUE;
+ }
+ free(wrapped.ptr);
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Find a private key for issuerAndSerialNumber
+ */
+static private_key_t *find_private(identification_t *issuer,
+ identification_t *serial)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ public_key_t *public;
+ private_key_t *private = NULL;
+ identification_t *id;
+ chunk_t fp;
+
+ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+ CERT_X509, KEY_RSA, serial, FALSE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (issuer->equals(issuer, cert->get_issuer(cert)))
+ {
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &fp))
+ {
+ id = identification_create_from_encoding(ID_KEY_ID, fp);
+ private = lib->credmgr->get_private(lib->credmgr,
+ KEY_ANY, id, NULL);
+ id->destroy(id);
+ }
+ public->destroy(public);
+ }
+ }
+ if (private)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return private;
+}
+
+/**
+ * Decrypt enveloped-data with a decrypted symmetric key
+ */
+static bool decrypt_symmetric(private_openssl_pkcs7_t *this, chunk_t key,
+ chunk_t encrypted, chunk_t *plain)
+{
+ encryption_algorithm_t encr;
+ X509_ALGOR *alg;
+ crypter_t *crypter;
+ chunk_t iv;
+ size_t key_size;
+
+ /* read encryption algorithm from interal structures; TODO fixup */
+ alg = this->cms->envelopedData->encryptedContentInfo->
+ contentEncryptionAlgorithm;
+ encr = encryption_algorithm_from_oid(openssl_asn1_known_oid(alg->algorithm),
+ &key_size);
+ if (alg->parameter->type != V_ASN1_OCTET_STRING)
+ {
+ return FALSE;
+ }
+ iv = openssl_asn1_str2chunk(alg->parameter->value.octet_string);
+
+ crypter = lib->crypto->create_crypter(lib->crypto, encr, key_size / 8);
+ if (!crypter)
+ {
+ DBG1(DBG_LIB, "crypter %N-%d not available",
+ encryption_algorithm_names, alg, key_size);
+ return FALSE;
+ }
+ if (key.len != crypter->get_key_size(crypter))
+ {
+ DBG1(DBG_LIB, "symmetric key length is wrong");
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ if (iv.len != crypter->get_iv_size(crypter))
+ {
+ DBG1(DBG_LIB, "IV length is wrong");
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ if (!crypter->set_key(crypter, key) ||
+ !crypter->decrypt(crypter, encrypted, iv, plain))
+ {
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ crypter->destroy(crypter);
+ return TRUE;
+}
+
+/**
+ * Remove enveloped-data PKCS#7 padding from plain data
+ */
+static bool remove_padding(chunk_t *data)
+{
+ u_char *pos;
+ u_char pattern;
+ size_t padding;
+
+ if (!data->len)
+ {
+ return FALSE;
+ }
+ pos = data->ptr + data->len - 1;
+ padding = pattern = *pos;
+
+ if (padding > data->len)
+ {
+ DBG1(DBG_LIB, "padding greater than data length");
+ return FALSE;
+ }
+ data->len -= padding;
+
+ while (padding-- > 0)
+ {
+ if (*pos-- != pattern)
+ {
+ DBG1(DBG_LIB, "wrong padding pattern");
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Decrypt PKCS#7 enveloped-data
+ */
+static bool decrypt(private_openssl_pkcs7_t *this,
+ chunk_t encrypted, chunk_t *plain)
+{
+ STACK_OF(CMS_RecipientInfo) *ris;
+ CMS_RecipientInfo *ri;
+ chunk_t chunk, key = chunk_empty;
+ int i;
+
+ ris = CMS_get0_RecipientInfos(this->cms);
+ for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
+ {
+ ri = sk_CMS_RecipientInfo_value(ris, i);
+ if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_TRANS)
+ {
+ identification_t *serial, *issuer;
+ private_key_t *private;
+ X509_ALGOR *alg;
+ X509_NAME *name;
+ ASN1_INTEGER *sn;
+ u_char zero = 0;
+ int oid;
+
+ if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) == 1 &&
+ CMS_RecipientInfo_ktri_get0_signer_id(ri, NULL, &name, &sn) == 1)
+ {
+ oid = openssl_asn1_known_oid(alg->algorithm);
+ if (oid != OID_RSA_ENCRYPTION)
+ {
+ DBG1(DBG_LIB, "only RSA encryption supported in PKCS#7");
+ continue;
+ }
+ issuer = openssl_x509_name2id(name);
+ if (!issuer)
+ {
+ continue;
+ }
+ chunk = openssl_asn1_str2chunk(sn);
+ if (chunk.len && chunk.ptr[0] & 0x80)
+ { /* if MSB is set, append a zero to make it non-negative */
+ chunk = chunk_cata("cc", chunk_from_thing(zero), chunk);
+ }
+ serial = identification_create_from_encoding(ID_KEY_ID, chunk);
+ private = find_private(issuer, serial);
+ issuer->destroy(issuer);
+ serial->destroy(serial);
+
+ if (private)
+ {
+ /* get encryptedKey from internal structure; TODO fixup */
+ chunk = openssl_asn1_str2chunk(ri->ktri->encryptedKey);
+ if (private->decrypt(private, ENCRYPT_RSA_PKCS1,
+ chunk, &key))
+ {
+ private->destroy(private);
+ break;
+ }
+ private->destroy(private);
+ }
+ }
+ }
+ }
+ if (!key.len)
+ {
+ DBG1(DBG_LIB, "no private key found to decrypt PKCS#7");
+ return FALSE;
+ }
+ if (!decrypt_symmetric(this, key, encrypted, plain))
+ {
+ chunk_clear(&key);
+ return FALSE;
+ }
+ chunk_clear(&key);
+ if (!remove_padding(plain))
+ {
+ free(plain->ptr);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(container_t, get_data, bool,
+ private_openssl_pkcs7_t *this, chunk_t *data)
+{
+ ASN1_OCTET_STRING **os;
+ chunk_t chunk;
+
+ os = CMS_get0_content(this->cms);
+ if (os)
+ {
+ chunk = openssl_asn1_str2chunk(*os);
+ switch (this->type)
+ {
+ case CONTAINER_PKCS7_DATA:
+ case CONTAINER_PKCS7_SIGNED_DATA:
+ *data = chunk_clone(chunk);
+ return TRUE;
+ case CONTAINER_PKCS7_ENVELOPED_DATA:
+ return decrypt(this, chunk, data);
+ default:
+ break;
+ }
+ }
+ return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+ private_openssl_pkcs7_t *this, chunk_t *data)
+{
+ return FALSE;
+}
+
+METHOD(container_t, destroy, void,
+ private_openssl_pkcs7_t *this)
+{
+ CMS_ContentInfo_free(this->cms);
+ free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_openssl_pkcs7_t* create_empty()
+{
+ private_openssl_pkcs7_t *this;
+
+ INIT(this,
+ .public = {
+ .container = {
+ .get_type = _get_type,
+ .create_signature_enumerator = _create_signature_enumerator,
+ .get_data = _get_data,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .get_attribute = _get_attribute,
+ .create_cert_enumerator = _create_cert_enumerator,
+ },
+ );
+
+ return this;
+}
+
+/**
+ * Parse a PKCS#7 container
+ */
+static bool parse(private_openssl_pkcs7_t *this, chunk_t blob)
+{
+ BIO *bio;
+
+ bio = BIO_new_mem_buf(blob.ptr, blob.len);
+ this->cms = d2i_CMS_bio(bio, NULL);
+ BIO_free(bio);
+
+ if (!this->cms)
+ {
+ return FALSE;
+ }
+ switch (openssl_asn1_known_oid((ASN1_OBJECT*)CMS_get0_type(this->cms)))
+ {
+ case OID_PKCS7_DATA:
+ this->type = CONTAINER_PKCS7_DATA;
+ break;
+ case OID_PKCS7_SIGNED_DATA:
+ this->type = CONTAINER_PKCS7_SIGNED_DATA;
+ break;
+ case OID_PKCS7_ENVELOPED_DATA:
+ this->type = CONTAINER_PKCS7_ENVELOPED_DATA;
+ break;
+ default:
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/**
+ * See header
+ */
+pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args)
+{
+ chunk_t blob = chunk_empty;
+ private_openssl_pkcs7_t *this;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+ if (blob.len)
+ {
+ this = create_empty();
+ if (parse(this, blob))
+ {
+ return &this->public;
+ }
+ destroy(this);
+ }
+ return NULL;
+}
+
+#endif /* OPENSSL_NO_CMS */
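Review bot: In `decrypt_symmetric()`, `alg->parameter->type` is read without first checking `alg->parameter`. The parameters field of an AlgorithmIdentifier is optional, so an enveloped-data blob that omits it would presumably dereference NULL while handling untrusted input; the guard should be `if (!alg->parameter || alg->parameter->type != V_ASN1_OCTET_STRING)`. The `DBG1` call a few lines later passes the `X509_ALGOR *alg` pointer to `%N` where the enum `encr` is meant, and should read `encryption_algorithm_names, encr, key_size`. Separately, `cert_destroy()` never releases the stack that `create_cert_enumerator()` obtains from `CMS_get1_certs()`, which the caller owns, so `sk_X509_pop_free(this->certs, X509_free);` belongs before `free(this)`. `remove_padding()` also accepts a final byte of 0 as valid padding and shrinks `data->len` before the pattern is checked; it should reject `padding == 0` and only adjust the length after the check succeeds.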
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.h b/src/libstrongswan/plugins/openssl/openssl_pkcs7.h
new file mode 100644
index 000000000..2c7939ebd
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_pkcs7 openssl_pkcs7
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PKCS7_H_
+#define OPENSSL_PKCS7_H_
+
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Load a generic PKCS#7 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type type of the container, CONTAINER_PKCS7
+ * @param args builder_part_t argument list
+ * @return container, NULL on failure
+ */
+pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args);
+
+#endif /** OPENSSL_PKCS7_H_ @}*/
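Review bot: The doc comment on openssl_pkcs7_load does not say that the function only exists when OpenSSL provides CMS. The definition in openssl_pkcs7.c is closed by `#endif /* OPENSSL_NO_CMS */` and the plugin registers the loader under the same guard, while this declaration is unconditional. I would add a line to the comment such as ` * Only available if OpenSSL is built with CMS support (OPENSSL_NO_CMS unset).` so that a direct caller is warned before hitting an unresolved symbol.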
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index b69de981e..dd6a379d2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -25,7 +25,7 @@
#include "openssl_plugin.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <threading/mutex.h>
#include "openssl_util.h"
@@ -40,6 +40,7 @@
#include "openssl_ec_public_key.h"
#include "openssl_x509.h"
#include "openssl_crl.h"
+#include "openssl_pkcs7.h"
#include "openssl_rng.h"
#include "openssl_hmac.h"
@@ -365,6 +366,10 @@ METHOD(plugin_t, get_features, int,
PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#ifndef OPENSSL_NO_CMS
+ PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
+ PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
+#endif /* OPENSSL_NO_CMS */
#ifndef OPENSSL_NO_ECDH
/* EC DH groups */
PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
index c83244f60..d3d64f5e8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rng.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -20,7 +20,7 @@
* THE SOFTWARE.
*/
-#include <debug.h>
+#include <utils/debug.h>
#include <openssl/rand.h>
#include <openssl/err.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 98cd700bf..926e5928c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -17,7 +17,7 @@
#include "openssl_rsa_private_key.h"
#include "openssl_rsa_public_key.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 5872a8159..0da5d2514 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -16,7 +16,7 @@
#include "openssl_rsa_public_key.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 1eb1c6723..bc10dd28c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -16,7 +16,7 @@
#include "openssl_util.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index e85c5cc90..676b97f7a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -47,9 +47,9 @@
#include "openssl_x509.h"
#include "openssl_util.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_openssl_x509_t private_openssl_x509_t;
@@ -327,6 +327,10 @@ METHOD(certificate_t, has_subject, id_match_t,
{
return ID_MATCH_PERFECT;
}
+ if (chunk_equals(get_serial(this), encoding))
+ {
+ return ID_MATCH_PERFECT;
+ }
}
best = this->subject->matches(this->subject, subject);
enumerator = create_subjectAltName_enumerator(this);
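Review bot: The added branch returns ID_MATCH_PERFECT when the subject encoding equals the certificate's serial number, but a serial number is unique only within one issuer. Certificates from different CAs can therefore both report a perfect match for the same identity. The condition guarding this block is outside the hunk, so the match is presumably limited to one identity type such as key IDs; that should be confirmed. The restriction deserves a comment above the new `if`, for example `/* serial is unique per issuer only; callers must also constrain the issuer */`. has_subject starts and ends outside the hunk.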
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 5a559eadf..94feb11f9 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_padlock_la_LIBADD =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES)
+libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) $(EXTRA_libstrongswan_padlock_la_DEPENDENCIES)
$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 9d4afd8e8..b887c2c84 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -21,7 +21,7 @@
#include <stdio.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_padlock_plugin_t private_padlock_plugin_t;
typedef enum padlock_feature_t padlock_feature_t;
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 7988d1e74..580b39caf 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pem_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES)
+libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) $(EXTRA_libstrongswan_pem_la_DEPENDENCIES)
$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -510,10 +519,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 9b9777031..08e81b3c5 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -27,7 +27,7 @@
#include <sys/mman.h>
#include <sys/stat.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
#include <utils/lexparser.h>
#include <asn1/asn1.h>
@@ -288,8 +288,11 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
" not supported", (int)dek.len, dek.ptr);
return NOT_SUPPORTED;
}
- eat_whitespace(&value);
- iv = chunk_from_hex(value, iv.ptr);
+ if (!eat_whitespace(&value) || value.len > 2*sizeof(iv_buf))
+ {
+ return PARSE_ERROR;
+ }
+ iv = chunk_from_hex(value, iv_buf);
}
}
else /* state is PEM_BODY */
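Review bot: The new bounds check in pem_to_bin returns PARSE_ERROR without logging anything, while the unsupported-DEK branch just above reports why it failed. A malformed or over-long IV in an encrypted PEM header will therefore be rejected with no diagnostic. I would also record why the limit is twice the buffer size with a comment before the `if`, for example `/* two hex digits per byte: the decoded IV must fit into iv_buf */`. Only an upper bound is enforced here, and iv_buf is declared outside the hunk, so whether an IV shorter than the cipher's block size is rejected later cannot be confirmed from this hunk.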
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 65acdc196..ed0a880f6 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pgp_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES)
+libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) $(EXTRA_libstrongswan_pgp_la_DEPENDENCIES)
$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -514,10 +523,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index 361157742..3ff357202 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -17,8 +17,8 @@
#include "pgp_builder.h"
#include "pgp_utils.h"
-#include <enum.h>
-#include <debug.h>
+#include <utils/enum.h>
+#include <utils/debug.h>
#include <credentials/keys/private_key.h>
/**
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index a99bed2f6..89d7094ad 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -18,7 +18,7 @@
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pgp_cert_t private_pgp_cert_t;
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
index d16d1d71b..100f3ef33 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -15,7 +15,7 @@
#include "pgp_encoder.h"
-#include <debug.h>
+#include <utils/debug.h>
/**
* Build a PGPv3 fingerprint
diff --git a/src/libstrongswan/plugins/pgp/pgp_utils.c b/src/libstrongswan/plugins/pgp/pgp_utils.c
index 7fd905ce4..bb15627fd 100644
--- a/src/libstrongswan/plugins/pgp/pgp_utils.c
+++ b/src/libstrongswan/plugins/pgp/pgp_utils.c
@@ -15,7 +15,7 @@
#include "pgp_utils.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM_BEGIN(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_RSA, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
"RSA",
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 85246f3de..58989e574 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pkcs1_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES)
+libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs1_la_DEPENDENCIES)
$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 6d022f362..c6661fcda 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -17,7 +17,7 @@
#include "pkcs1_builder.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
index 9122e8d8e..60f0ca757 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -15,7 +15,7 @@
#include "pkcs1_encoder.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
#include <asn1/oid.h>
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index dc0ab1e82..75faadcf1 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pkcs11_la_LIBADD =
@@ -125,6 +131,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -152,6 +159,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,6 +187,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -191,6 +200,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -244,7 +254,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -381,7 +390,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES)
+libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs11_la_DEPENDENCIES)
$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -526,10 +535,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index 7536ce1d3..e65f3a06b 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -14,9 +14,10 @@
*/
#include "pkcs11_creds.h"
+#include "pkcs11_manager.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
@@ -257,3 +258,112 @@ pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
return &this->public;
}
+
+/**
+ * See header.
+ */
+certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
+{
+ chunk_t keyid = chunk_empty, data = chunk_empty;
+ enumerator_t *enumerator, *certs;
+ pkcs11_manager_t *manager;
+ pkcs11_library_t *p11;
+ certificate_t *cert = NULL;
+ CK_SLOT_ID current, slot = -1;
+ char *module = NULL;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_PKCS11_KEYID:
+ keyid = va_arg(args, chunk_t);
+ continue;
+ case BUILD_PKCS11_SLOT:
+ slot = va_arg(args, int);
+ continue;
+ case BUILD_PKCS11_MODULE:
+ module = va_arg(args, char*);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+ if (!keyid.len)
+ {
+ return NULL;
+ }
+
+ manager = lib->get(lib, "pkcs11-manager");
+ if (!manager)
+ {
+ return NULL;
+ }
+ enumerator = manager->create_token_enumerator(manager);
+ while (enumerator->enumerate(enumerator, &p11, &current))
+ {
+ CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+ CK_CERTIFICATE_TYPE type = CKC_X_509;
+ CK_ATTRIBUTE tmpl[] = {
+ {CKA_CLASS, &class, sizeof(class)},
+ {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+ {CKA_ID, keyid.ptr, keyid.len},
+ };
+ CK_ATTRIBUTE attr[] = {
+ {CKA_VALUE, NULL, 0},
+ };
+ CK_OBJECT_HANDLE object;
+ CK_SESSION_HANDLE session;
+ CK_RV rv;
+
+ if (slot != -1 && slot != current)
+ {
+ continue;
+ }
+ if (module && !streq(module, p11->get_name(p11)))
+ {
+ continue;
+ }
+
+ rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+ &session);
+ if (rv != CKR_OK)
+ {
+ DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
+ continue;
+ }
+ certs = p11->create_object_enumerator(p11, session,
+ tmpl, countof(tmpl), attr, countof(attr));
+ if (certs->enumerate(certs, &object))
+ {
+ data = chunk_clone(chunk_create(attr[0].pValue, attr[0].ulValueLen));
+ }
+ certs->destroy(certs);
+ p11->f->C_CloseSession(session);
+
+ if (data.ptr)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (data.ptr)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, data, BUILD_END);
+ free(data.ptr);
+ if (!cert)
+ {
+ DBG1(DBG_CFG, "parsing PKCS#11 certificate %#B failed", &keyid);
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "PKCS#11 certificate %#B not found", &keyid);
+ }
+ return cert;
+}
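Review bot: Inside the token loop, `CK_CERTIFICATE_TYPE type = CKC_X_509;` shadows the `type` parameter of pkcs11_creds_load, and the parameter itself is never checked although the header says it must be CERT_X509. Renaming the local to `cert_type` (and using `&cert_type, sizeof(cert_type)` in `tmpl`) removes the shadowing and makes room for an explicit check of the argument. When neither BUILD_PKCS11_SLOT nor BUILD_PKCS11_MODULE is passed, the first token that holds a certificate with the requested CKA_ID is used, so token enumeration order decides which certificate is loaded. The function comment should say so, since it currently reads only "See header." `slot` is a CK_SLOT_ID initialised to `-1` and compared against `-1` as a "not set" marker, which is worth a short comment as well.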
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
index c40a8dea6..a5a042397 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -65,4 +65,16 @@ struct pkcs11_creds_t {
*/
pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
+/**
+ * Load a specific certificate from a token.
+ *
+ * Requires a BUILD_PKCS11_KEYID argument, and optionally BUILD_PKCS11_MODULE
+ * and/or BUILD_PKCS11_SLOT.
+ *
+ * @param type certificate type, must be CERT_X509
+ * @param args variable argument list, containing BUILD_PKCS11_KEYID.
+ * @return loaded certificate, or NULL on failure
+ */
+certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args);
+
#endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index c870370c8..2e5af95ff 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -15,7 +15,7 @@
#include "pkcs11_dh.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
#include <asn1/asn1.h>
#include <asn1/oid.h>
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
index 53a2bfca7..80079b9a9 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -17,7 +17,7 @@
#include <unistd.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
#include "pkcs11_manager.h"
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 97c3d2fcf..7661473b1 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -21,9 +21,9 @@
#include <dlfcn.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_pkcs11_library_t private_pkcs11_library_t;
@@ -895,6 +895,7 @@ METHOD(pkcs11_library_t, destroy, void,
{
this->public.f->C_Finalize(NULL);
dlclose(this->handle);
+ free(this->name);
free(this);
}
@@ -1077,7 +1078,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
.get_ck_attribute = _get_ck_attribute,
.destroy = _destroy,
},
- .name = name,
+ .name = strdup(name),
.handle = dlopen(file, RTLD_LAZY),
);
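Review bot: `strdup(name)` in the initializer is used unchecked, so a NULL `name` is undefined behaviour and a failed allocation leaves `this->name` NULL for whoever later reads the library name. Now that the object owns the copy, any early-exit path in pkcs11_library_create() that releases it with a bare `free(this)` would leak the string, because only destroy() frees it. Those paths lie outside this hunk (a failed dlopen() is the likely one), so this needs checking against the full function. Where they exist I would add `free(this->name);` before the `free(this)`.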
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index e76e65e07..abd99ed5f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -29,9 +29,9 @@ typedef struct pkcs11_library_t pkcs11_library_t;
#include "pkcs11.h"
-#include <enum.h>
-#include <chunk.h>
-#include <utils/enumerator.h>
+#include <utils/enum.h>
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
/**
* Optional PKCS#11 features some libraries support, some not
@@ -161,7 +161,7 @@ void pkcs11_library_trim(char *str, int len);
/**
* Create a pkcs11_library instance.
*
- * @param name an arbitrary name, for debugging
+ * @param name an arbitrary name (for debugging), cloned
* @param file pkcs11 library file to dlopen()
* @param os_lock enforce OS Locking for this library
* @return library abstraction
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 83c383671..8bda5b66f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -15,8 +15,8 @@
#include "pkcs11_manager.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/thread.h>
#include "pkcs11_library.h"
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 183fce53a..9afaf123a 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -19,8 +19,8 @@
#include "pkcs11_plugin.h"
#include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/mutex.h>
#include <threading/rwlock.h>
@@ -82,13 +82,18 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
this->handle_events_lock->read_lock(this->handle_events_lock);
if (add && this->handle_events)
{
- creds = pkcs11_creds_create(p11, slot);
- if (creds)
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.modules.%s.load_certs",
+ TRUE, p11->get_name(p11)))
{
- this->mutex->lock(this->mutex);
- this->creds->insert_last(this->creds, creds);
- this->mutex->unlock(this->mutex);
- lib->credmgr->add_set(lib->credmgr, &creds->set);
+ creds = pkcs11_creds_create(p11, slot);
+ if (creds)
+ {
+ this->mutex->lock(this->mutex);
+ this->creds->insert_last(this->creds, creds);
+ this->mutex->unlock(this->mutex);
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+ }
}
}
else if (this->handle_events)
@@ -147,6 +152,9 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
token_event_cb(this, p11, slot, TRUE);
}
enumerator->destroy(enumerator);
+
+ lib->creds->add_builder(lib->creds, CRED_CERTIFICATE,
+ CERT_X509, FALSE, (void*)pkcs11_creds_load);
}
else
{
@@ -157,9 +165,26 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
lib->credmgr->remove_set(lib->credmgr, &creds->set);
creds->destroy(creds);
}
+
+ lib->creds->remove_builder(lib->creds, (void*)pkcs11_creds_load);
}
return TRUE;
}
+
+METHOD(plugin_t, reload, bool,
+ private_pkcs11_plugin_t *this)
+{
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.reload_certs", FALSE))
+ {
+ DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
+ handle_certs(this, NULL, FALSE, NULL);
+ handle_certs(this, NULL, TRUE, NULL);
+ return TRUE;
+ }
+ return FALSE;
+}
+
/**
* Add a set of features
*/
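Review bot: reload() removes every credential set and the pkcs11_creds_load builder via `handle_certs(this, NULL, FALSE, NULL)` before re-adding them, so token certificates are briefly unavailable to the credential manager and a lookup running during a reload could fail. Whether the removal loop in handle_certs() holds `this->mutex` is not visible in the hunk; token_event_cb() does take it when inserting, so a reload racing with a token event deserves a check. If the gap is accepted, say so above the two calls, e.g. `/* certificates are unavailable until the sets have been rebuilt */`.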
@@ -292,6 +317,7 @@ plugin_t *pkcs11_plugin_create()
.plugin = {
.get_name = _get_name,
.get_features = _get_features,
+ .reload = _reload,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index f7f7d3f79..bb9cc7a21 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -20,8 +20,9 @@
#include "pkcs11_library.h"
#include "pkcs11_manager.h"
+#include "pkcs11_public_key.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
@@ -81,12 +82,6 @@ struct private_pkcs11_private_key_t {
key_type_t type;
};
-/**
- * Implemented in pkcs11_public_key.c
- */
-public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
- int slot, key_type_t type, chunk_t keyid);
-
METHOD(private_key_t, get_type, key_type_t,
private_pkcs11_private_key_t *this)
@@ -420,7 +415,8 @@ static pkcs11_library_t* find_lib(char *module)
/**
* Find the PKCS#11 lib having a keyid, and optionally a slot
*/
-static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
+static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot,
+ CK_OBJECT_CLASS class)
{
pkcs11_manager_t *manager;
enumerator_t *enumerator;
@@ -437,8 +433,7 @@ static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
{
if (*slot == -1 || *slot == current)
{
- /* we look for a public key, it is usually readable without login */
- CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+ /* look for a pubkey/cert, it is usually readable without login */
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_ID, keyid.ptr, keyid.len},
@@ -577,6 +572,50 @@ static bool login(private_pkcs11_private_key_t *this, int slot)
}
/**
+ * Get a public key from a certificate with a given key ID.
+ */
+static public_key_t* find_pubkey_in_certs(private_pkcs11_private_key_t *this,
+ chunk_t keyid)
+{
+ CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+ CK_CERTIFICATE_TYPE type = CKC_X_509;
+ CK_ATTRIBUTE tmpl[] = {
+ {CKA_CLASS, &class, sizeof(class)},
+ {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+ {CKA_ID, keyid.ptr, keyid.len},
+ };
+ CK_OBJECT_HANDLE object;
+ CK_ATTRIBUTE attr[] = {
+ {CKA_VALUE, NULL, 0},
+ };
+ enumerator_t *enumerator;
+ chunk_t data = chunk_empty;
+ public_key_t *key = NULL;
+ certificate_t *cert;
+
+ enumerator = this->lib->create_object_enumerator(this->lib, this->session,
+ tmpl, countof(tmpl), attr, countof(attr));
+ if (enumerator->enumerate(enumerator, &object))
+ {
+ data = chunk_clone(chunk_create(attr[0].pValue, attr[0].ulValueLen));
+ }
+ enumerator->destroy(enumerator);
+
+ if (data.ptr)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, data, BUILD_END);
+ free(data.ptr);
+ if (cert)
+ {
+ key = cert->get_public_key(cert);
+ cert->destroy(cert);
+ }
+ }
+ return key;
+}
+
+/**
* See header.
*/
pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
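Review bot: find_pubkey_in_certs() takes the public key of the first X.509 certificate whose CKA_ID matches and never compares its type with `this->type`, whereas pkcs11_public_key_connect() is passed the expected type. CKA_ID is an application-assigned identifier, so a certificate with the same ID but a different key would end up paired with this private key. Any getter that delegates to `this->pubkey` would then describe the wrong key; those getters are outside the hunk, so that part is an assumption. After `key = cert->get_public_key(cert);` I would add `if (key && key->get_type(key) != this->type) { key->destroy(key); key = NULL; }`.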
@@ -644,7 +683,11 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
}
else
{
- this->lib = find_lib_by_keyid(keyid, &slot);
+ this->lib = find_lib_by_keyid(keyid, &slot, CKO_PUBLIC_KEY);
+ if (!this->lib)
+ {
+ this->lib = find_lib_by_keyid(keyid, &slot, CKO_CERTIFICATE);
+ }
if (!this->lib)
{
DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
@@ -678,12 +721,17 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
return NULL;
}
- this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type,
- keyid);
+ this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type, keyid);
if (!this->pubkey)
{
- destroy(this);
- return NULL;
+ this->pubkey = find_pubkey_in_certs(this, keyid);
+ if (!this->pubkey)
+ {
+ DBG1(DBG_CFG, "no public key or certificate found for private key "
+ "on '%s':%d", module, slot);
+ destroy(this);
+ return NULL;
+ }
}
return &this->public;
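Review bot: The new DBG1 message formats `module` with `%s`, but `module` may be NULL when the library was located through find_lib_by_keyid() rather than by name. The branch condition is outside the hunk, so this needs confirming against the full function. Printing the resolved library's name avoids the problem: `"on '%s':%d", this->lib->get_name(this->lib), slot);`. pkcs11_private_key_connect() starts and ends outside this hunk.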
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index f0d7093db..0302c0edd 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -25,7 +25,7 @@
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
@@ -882,20 +882,10 @@ static private_pkcs11_public_key_t *find_key_by_keyid(pkcs11_library_t *p11,
}
/**
- * Find a public key on the given token with a specific keyid.
- *
- * Used by pkcs11_private_key_t.
- *
- * TODO: if no public key is found, we should perhaps search for a certificate
- * with the given keyid and extract the key from there
- *
- * @param p11 PKCS#11 module
- * @param slot slot id
- * @param type type of the key
- * @param keyid key id
+ * See header.
*/
-pkcs11_public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
- int slot, key_type_t type, chunk_t keyid)
+public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
+ key_type_t type, chunk_t keyid)
{
private_pkcs11_public_key_t *this;
@@ -904,5 +894,5 @@ pkcs11_public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
{
return NULL;
}
- return &this->public;
+ return &this->public.key;
}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
index b3ea725a2..4585e736e 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
@@ -26,6 +26,8 @@ typedef struct pkcs11_public_key_t pkcs11_public_key_t;
#include <credentials/builder.h>
#include <credentials/keys/private_key.h>
+#include "pkcs11_library.h"
+
/**
* PKCS#11 based public key implementation.
*/
@@ -46,4 +48,15 @@ struct pkcs11_public_key_t {
*/
pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args);
+/**
+ * Find a public key on the given token with a specific keyid.
+ *
+ * @param p11 PKCS#11 module
+ * @param slot slot id
+ * @param type type of the key
+ * @param keyid key id
+ */
+public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
+ key_type_t type, chunk_t keyid);
+
#endif /** PKCS11_PUBLIC_KEY_H_ @}*/
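Review bot: The doc comment added for pkcs11_public_key_connect() has no `@return` line, yet the caller in pkcs11_private_key.c now treats a NULL result as the signal to fall back to certificates on the token. That contract should be written down in the header. I would add ` * @return public key, or NULL if no matching key was found` after the `@param keyid` line.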
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c b/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
index 20e4b6f76..d18028b45 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
@@ -15,7 +15,7 @@
#include "pkcs11_rng.h"
-#include <debug.h>
+#include <utils/debug.h>
#include "pkcs11_manager.h"
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.am b/src/libstrongswan/plugins/pkcs7/Makefile.am
new file mode 100644
index 000000000..6310daece
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.am
@@ -0,0 +1,20 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs7.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs7.la
+endif
+
+libstrongswan_pkcs7_la_SOURCES = \
+ pkcs7_generic.h pkcs7_generic.c \
+ pkcs7_signed_data.h pkcs7_signed_data.c \
+ pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
+ pkcs7_data.h pkcs7_data.c \
+ pkcs7_attributes.h pkcs7_attributes.c \
+ pkcs7_plugin.h pkcs7_plugin.c
+
+libstrongswan_pkcs7_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
new file mode 100644
index 000000000..ef45de39d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -0,0 +1,641 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs7
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs7_la_LIBADD =
+am_libstrongswan_pkcs7_la_OBJECTS = pkcs7_generic.lo \
+ pkcs7_signed_data.lo pkcs7_enveloped_data.lo pkcs7_data.lo \
+ pkcs7_attributes.lo pkcs7_plugin.lo
+libstrongswan_pkcs7_la_OBJECTS = $(am_libstrongswan_pkcs7_la_OBJECTS)
+libstrongswan_pkcs7_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_pkcs7_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs7_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs7_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs7.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs7.la
+libstrongswan_pkcs7_la_SOURCES = \
+ pkcs7_generic.h pkcs7_generic.c \
+ pkcs7_signed_data.h pkcs7_signed_data.c \
+ pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
+ pkcs7_data.h pkcs7_data.c \
+ pkcs7_attributes.h pkcs7_attributes.c \
+ pkcs7_plugin.h pkcs7_plugin.c
+
+libstrongswan_pkcs7_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs7/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs7/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-pkcs7.la: $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs7_la_DEPENDENCIES)
+ $(libstrongswan_pkcs7_la_LINK) $(am_libstrongswan_pkcs7_la_rpath) $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_attributes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_enveloped_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_generic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_signed_data.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
new file mode 100644
index 000000000..ca6899786
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <collections/linked_list.h>
+
+#include "pkcs7_attributes.h"
+
+typedef struct private_pkcs7_attributes_t private_pkcs7_attributes_t;
+typedef struct attribute_t attribute_t;
+
+/**
+ * Private data of a pkcs7_attributes_t attribute list.
+ */
+struct private_pkcs7_attributes_t {
+ /**
+ * Public interface
+ */
+ pkcs7_attributes_t public;
+
+ /**
+ * DER encoding of PKCS#9 attributes
+ */
+ chunk_t encoding;
+
+ /**
+ * Linked list of PKCS#9 attributes
+ */
+ linked_list_t *attributes;
+};
+
+/**
+ * Definition of an attribute_t object.
+ */
+struct attribute_t {
+
+ /**
+ * Object Identifier (OID)
+ */
+ int oid;
+
+ /**
+ * Attribute value
+ */
+ chunk_t value;
+
+ /**
+ * ASN.1 encoding
+ */
+ chunk_t encoding;
+};
+
+/**
+ * Destroy an attribute_t object.
+ */
+static void attribute_destroy(attribute_t *this)
+{
+ free(this->value.ptr);
+ free(this);
+}
+
+/**
+ * Create an attribute_t object.
+ */
+static attribute_t *attribute_create(int oid, chunk_t value)
+{
+ attribute_t *this;
+
+ INIT(this,
+ .oid = oid,
+ .value = chunk_clone(value),
+ );
+
+ return this;
+}
+
+/**
+ * Build encoding of the attribute list
+ */
+static void build_encoding(private_pkcs7_attributes_t *this)
+{
+ enumerator_t *enumerator;
+ attribute_t *attribute;
+ u_int len = 0, count, i = 0;
+ chunk_t *chunks;
+ u_char *pos;
+
+ count = this->attributes->get_count(this->attributes);
+ chunks = malloc(sizeof(chunk_t) * count);
+
+ enumerator = this->attributes->create_enumerator(this->attributes);
+ while (enumerator->enumerate(enumerator, &attribute))
+ {
+ chunks[i] = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(attribute->oid),
+ asn1_wrap(ASN1_SET, "c", attribute->value));
+ len += chunks[i].len;
+ i++;
+ }
+ enumerator->destroy(enumerator);
+
+ pos = asn1_build_object(&this->encoding, ASN1_SET, len);
+ for (i = 0; i < count; i++)
+ {
+ memcpy(pos, chunks[i].ptr, chunks[i].len);
+ pos += chunks[i].len;
+ free(chunks[i].ptr);
+ }
+ free(chunks);
+}
+
+METHOD(pkcs7_attributes_t, get_encoding, chunk_t,
+ private_pkcs7_attributes_t *this)
+{
+ if (!this->encoding.len)
+ {
+ build_encoding(this);
+ }
+ return this->encoding;
+}
+
+METHOD(pkcs7_attributes_t, get_attribute, chunk_t,
+ private_pkcs7_attributes_t *this, int oid)
+{
+ enumerator_t *enumerator;
+ chunk_t value = chunk_empty;
+ attribute_t *attribute;
+
+ enumerator = this->attributes->create_enumerator(this->attributes);
+ while (enumerator->enumerate(enumerator, &attribute))
+ {
+ if (attribute->oid == oid)
+ {
+ value = attribute->value;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (value.len && asn1_unwrap(&value, &value) != ASN1_INVALID)
+ {
+ return value;
+ }
+ return chunk_empty;
+}
+
+METHOD(pkcs7_attributes_t, add_attribute, void,
+ private_pkcs7_attributes_t *this, int oid, chunk_t value)
+{
+ this->attributes->insert_last(this->attributes,
+ attribute_create(oid, value));
+ chunk_free(&value);
+
+ /* rebuild encoding when adding attributes */
+ chunk_free(&this->encoding);
+}
+
+METHOD(pkcs7_attributes_t, destroy, void,
+ private_pkcs7_attributes_t *this)
+{
+ this->attributes->destroy_function(this->attributes,
+ (void*)attribute_destroy);
+ free(this->encoding.ptr);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create(void)
+{
+ private_pkcs7_attributes_t *this;
+
+ INIT(this,
+ .public = {
+ .get_encoding = _get_encoding,
+ .get_attribute = _get_attribute,
+ .add_attribute = _add_attribute,
+ .destroy = _destroy,
+ },
+ .attributes = linked_list_create(),
+ );
+
+ return &this->public;
+}
+
+/**
+ * ASN.1 definition of the X.501 atttribute type
+ */
+static const asn1Object_t attributesObjects[] = {
+ { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
+ { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */
+ { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define ATTRIBUTE_OBJ_TYPE 2
+#define ATTRIBUTE_OBJ_VALUE 4
+
+/**
+ * Parse a PKCS#9 attribute list
+ */
+static bool parse_attributes(chunk_t chunk, int level0,
+ private_pkcs7_attributes_t* this)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID;
+ int oid = OID_UNKNOWN;
+ bool success = FALSE;
+
+ parser = asn1_parser_create(attributesObjects, chunk);
+ parser->set_top_level(parser, level0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case ATTRIBUTE_OBJ_TYPE:
+ oid = asn1_known_oid(object);
+ break;
+ case ATTRIBUTE_OBJ_VALUE:
+ if (oid != OID_UNKNOWN)
+ {
+ this->attributes->insert_last(this->attributes,
+ attribute_create(oid, object));
+ }
+ break;
+ }
+ }
+ success = parser->success(parser);
+
+ parser->destroy(parser);
+ return success;
+}
+
+ /*
+ * Described in header.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create_from_chunk(chunk_t chunk,
+ u_int level)
+{
+ private_pkcs7_attributes_t *this;
+
+ this = (private_pkcs7_attributes_t*)pkcs7_attributes_create();
+ this->encoding = chunk_clone(chunk);
+ if (!parse_attributes(chunk, level, this))
+ {
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
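Review bot: parse_attributes() drops every attribute whose type is not a known OID (the `oid != OID_UNKNOWN` test) without saying so, while pkcs7_attributes_create_from_chunk() keeps the complete original DER in `this->encoding`. Once add_attribute() frees that encoding, build_encoding() rebuilds it from the list alone, so get_encoding() then returns a SET that no longer contains the skipped attributes. If callers hash this encoding when checking or creating signatures, that difference matters, so I would document it above parse_attributes(), for example `/* attributes with unknown OIDs are not stored; an encoding rebuilt after add_attribute() omits them */`. The `encoding` member of attribute_t is never read or written in this file and could be removed, and the comment above attributesObjects has the typo "atttribute".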
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
index c442d4441..d5f6156a1 100644
--- a/src/libstrongswan/crypto/pkcs9.h
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
@@ -15,78 +15,65 @@
*/
/**
- * @defgroup pkcs9 pkcs9
- * @{ @ingroup crypto
+ * @defgroup pkcs7_attributes pkcs7_attributes
+ * @{ @ingroup pkcs7p
*/
-#ifndef PKCS9_H_
-#define PKCS9_H_
+#ifndef PKCS7_ATTRIBUTES_H_
+#define PKCS7_ATTRIBUTES_H_
-typedef struct pkcs9_t pkcs9_t;
+typedef struct pkcs7_attributes_t pkcs7_attributes_t;
#include <library.h>
/**
- * PKCS#9 attributes.
+ * PKCS#7 attribute lists, aka PKCS#9.
*/
-struct pkcs9_t {
+struct pkcs7_attributes_t {
/**
- * Generate ASN.1 encoding of attribute list
- */
- void (*build_encoding) (pkcs9_t *this);
-
- /**
- * Gets ASN.1 encoding of PKCS#9 attribute list
+ * Gets ASN.1 encoding of PKCS#9 attribute list.
*
* @return ASN.1 encoded PKCSI#9 list
*/
- chunk_t (*get_encoding) (pkcs9_t *this);
+ chunk_t (*get_encoding) (pkcs7_attributes_t *this);
/**
- * Gets a PKCS#9 attribute
+ * Gets a PKCS#9 attribute from the list.
*
* @param oid OID of the attribute
* @return value of the attribute (internal data)
*/
- chunk_t (*get_attribute) (pkcs9_t *this, int oid);
-
- /**
- * Adds a PKCS#9 attribute
- *
- * @param oid OID of the attribute
- * @param value value of the attribute (gets cloned)
- */
- void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value);
+ chunk_t (*get_attribute) (pkcs7_attributes_t *this, int oid);
/**
- * Adds a ASN.1 encoded PKCS#9 attribute
+ * Adds a PKCS#9 attribute.
*
* @param oid OID of the attribute
- * @param value ASN.1 encoded value of the attribute (gets adopted)
+ * @param value value of the attribute, with ASN1 type (gets owned)
*/
- void (*set_attribute_raw) (pkcs9_t *this, int oid, chunk_t value);
+ void (*add_attribute) (pkcs7_attributes_t *this, int oid, chunk_t value);
/**
* Destroys the PKCS#9 attribute list.
*/
- void (*destroy) (pkcs9_t *this);
+ void (*destroy) (pkcs7_attributes_t *this);
};
/**
- * Read a PKCS#9 attribute list from a DER encoded chunk.
+ * Read a PKCS#7 attribute list (aka PKCS#9) from a DER encoded chunk.
*
* @param chunk chunk containing DER encoded data
* @param level ASN.1 parsing start level
* @return created pkcs9 attribute list, or NULL if invalid.
*/
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
+pkcs7_attributes_t *pkcs7_attributes_create_from_chunk(chunk_t chunk, u_int level);
/**
- * Create an empty PKCS#9 attribute list
+ * Create an empty PKCS#7 attribute list, aka PKCS#9.
*
* @return created pkcs9 attribute list.
*/
-pkcs9_t *pkcs9_create(void);
+pkcs7_attributes_t *pkcs7_attributes_create(void);
#endif /** PKCS9_H_ @}*/
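Review bot: The closing line still reads `#endif /** PKCS9_H_ @}*/` although the guard macros were renamed in this hunk; it should be `#endif /** PKCS7_ATTRIBUTES_H_ @}*/`. The add_attribute documentation says the value "gets owned", and the implementation added in pkcs7_attributes.c clones the chunk and then frees the caller's copy, so a sentence such as `value must be heap allocated and must not be used after the call` would make the contract explicit. The `@return` text of get_encoding keeps the typo `PKCSI#9`.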
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_data.c
new file mode 100644
index 000000000..06816095c
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_data.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+typedef struct private_pkcs7_data_t private_pkcs7_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_data_t {
+
+ /**
+ * Implements pkcs7_t.
+ */
+ pkcs7_t public;
+
+ /**
+ * Encoded data
+ */
+ chunk_t content;
+
+ /**
+ * Encoded PKCS#7 data
+ */
+ chunk_t encoding;
+};
+
+METHOD(container_t, get_type, container_type_t,
+ private_pkcs7_data_t *this)
+{
+ return CONTAINER_PKCS7_DATA;
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+ private_pkcs7_data_t *this)
+{
+ return enumerator_create_empty();
+}
+
+METHOD(container_t, get_data, bool,
+ private_pkcs7_data_t *this, chunk_t *data)
+{
+ chunk_t chunk;
+
+ chunk = this->content;
+ if (asn1_unwrap(&chunk, &chunk) == ASN1_OCTET_STRING)
+ {
+ *data = chunk_clone(chunk);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+ private_pkcs7_data_t *this, chunk_t *data)
+{
+ *data = chunk_clone(this->encoding);
+ return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+ private_pkcs7_data_t *this)
+{
+ free(this->content.ptr);
+ free(this->encoding.ptr);
+ free(this);
+}
+
+/**
+ * Create an empty container
+ */
+static private_pkcs7_data_t* create_empty()
+{
+ private_pkcs7_data_t *this;
+
+ INIT(this,
+ .public = {
+ .container = {
+ .get_type = _get_type,
+ .create_signature_enumerator = _create_signature_enumerator,
+ .get_data = _get_data,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .get_attribute = (void*)return_false,
+ .create_cert_enumerator = (void*)enumerator_create_empty,
+ },
+ );
+
+ return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_data_load(chunk_t encoding, chunk_t content)
+{
+ private_pkcs7_data_t *this = create_empty();
+
+ this->encoding = chunk_clone(encoding);
+ this->content = chunk_clone(content);
+
+ return &this->public;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_data_gen(container_type_t type, va_list args)
+{
+ private_pkcs7_data_t *this;
+ chunk_t blob = chunk_empty;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (blob.len)
+ {
+ this = create_empty();
+
+ this->content = asn1_wrap(ASN1_OCTET_STRING, "c", blob);
+ this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_PKCS7_DATA),
+ asn1_wrap(ASN1_CONTEXT_C_0, "c", this->content));
+ return &this->public;
+ }
+ return NULL;
+}
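Review bot: pkcs7_data_load() stores `content` without looking at it, so a contentInfo whose content is not an OCTET STRING is rejected only later, when get_data() runs asn1_unwrap() and returns FALSE. A comment on the loader would make that deferred check visible to callers, for example `/* content is not validated here; get_data() fails unless it unwraps to an OCTET STRING */`. The struct comment "Private data of a PKCS#7 signed-data container." looks copied from the signed-data file and should say "data container". `create_empty()` is declared with an empty parameter list and would be clearer as `create_empty(void)`.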
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_data.h
new file mode 100644
index 000000000..86512b76f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_data.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_data pkcs7_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_DATA_H_
+#define PKCS7_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 "data" container.
+ *
+ * @param encoding full contentInfo encoding
+ * @param content DER encoded content from contentInfo
+ * @return CONTAINER_PKCS7_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 data container.
+ *
+ * The only accepted builder argument is BUILDER_BLOB.
+ *
+ * @param type container type, must be CONTAINER_PKCS7_DATA
+ * @param args builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_DATA_H_ @}*/
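Review bot: The pkcs7_data_gen() documentation names the accepted builder argument `BUILDER_BLOB`, but the implementation added in pkcs7_data.c switches on `BUILD_BLOB`; the comment should use `BUILD_BLOB`. The same comment has no `@return` line, although the function returns NULL for an unknown builder part or an empty blob; I would add `@return CONTAINER_PKCS7_DATA container, NULL on failure`. For pkcs7_data_load() the header promises "NULL on failure", while the implementation in this commit always returns a container, so one of the two should be adjusted.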
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
new file mode 100644
index 000000000..5cd0d8f93
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
@@ -0,0 +1,613 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_enveloped_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <credentials/certificates/x509.h>
+#include <utils/debug.h>
+
+typedef struct private_pkcs7_enveloped_data_t private_pkcs7_enveloped_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_enveloped_data_t {
+
+ /**
+ * Implements pkcs7_t.
+ */
+ pkcs7_t public;
+
+ /**
+ * Decrypted content
+ */
+ chunk_t content;
+
+ /**
+ * Encrypted and encoded PKCS#7 enveloped-data
+ */
+ chunk_t encoding;
+};
+
+/**
+ * ASN.1 definition of the PKCS#7 envelopedData type
+ */
+static const asn1Object_t envelopedDataObjects[] = {
+ { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */
+ { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */
+ { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
+ { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
+ { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */
+ { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */
+ { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */
+ { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
+ { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */
+ { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */
+ { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY }, /* 14 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define PKCS7_VERSION 1
+#define PKCS7_RECIPIENT_INFO_VERSION 4
+#define PKCS7_ISSUER 6
+#define PKCS7_SERIAL_NUMBER 7
+#define PKCS7_ENCRYPTION_ALG 8
+#define PKCS7_ENCRYPTED_KEY 9
+#define PKCS7_CONTENT_TYPE 12
+#define PKCS7_CONTENT_ENC_ALGORITHM 13
+#define PKCS7_ENCRYPTED_CONTENT 14
+
+/**
+ * Find a private key for issuerAndSerialNumber
+ */
+static private_key_t *find_private(identification_t *issuer,
+ identification_t *serial)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ public_key_t *public;
+ private_key_t *private = NULL;
+ identification_t *id;
+ chunk_t fp;
+
+ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+ CERT_X509, KEY_RSA, serial, FALSE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (issuer->equals(issuer, cert->get_issuer(cert)))
+ {
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &fp))
+ {
+ id = identification_create_from_encoding(ID_KEY_ID, fp);
+ private = lib->credmgr->get_private(lib->credmgr,
+ KEY_ANY, id, NULL);
+ id->destroy(id);
+ }
+ public->destroy(public);
+ }
+ }
+ if (private)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return private;
+}
+
+/**
+ * Decrypt content using a private key from "issuer"
+ */
+static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
+ chunk_t encrypted, chunk_t *plain)
+{
+ encryption_algorithm_t alg;
+ chunk_t plain_key;
+ crypter_t *crypter;
+ size_t key_size;
+
+ alg = encryption_algorithm_from_oid(oid, &key_size);
+ if (alg == ENCR_UNDEFINED)
+ {
+ DBG1(DBG_LIB, "unsupported content encryption algorithm");
+ return FALSE;
+ }
+ if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, key, &plain_key))
+ {
+ DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
+ return FALSE;
+ }
+ crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+ if (!crypter)
+ {
+ DBG1(DBG_LIB, "crypter %N-%d not available",
+ encryption_algorithm_names, alg, key_size);
+ free(plain_key.ptr);
+ return FALSE;
+ }
+ if (plain_key.len != crypter->get_key_size(crypter))
+ {
+ DBG1(DBG_LIB, "symmetric key length %d is wrong", plain_key.len);
+ free(plain_key.ptr);
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ if (iv.len != crypter->get_iv_size(crypter))
+ {
+ DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
+ free(plain_key.ptr);
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ if (!crypter->set_key(crypter, plain_key) ||
+ !crypter->decrypt(crypter, encrypted, iv, plain))
+ {
+ free(plain_key.ptr);
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ DBG4(DBG_LIB, "decrypted content with padding: %B", plain);
+ free(plain_key.ptr);
+ crypter->destroy(crypter);
+ return TRUE;
+}
+
+/**
+ * Remove the padding from plain data
+ */
+static bool remove_padding(private_pkcs7_enveloped_data_t *this)
+{
+ u_char *pos = this->content.ptr + this->content.len - 1;
+ u_char pattern = *pos;
+ size_t padding = pattern;
+
+ if (padding > this->content.len)
+ {
+ DBG1(DBG_LIB, "padding greater than data length");
+ return FALSE;
+ }
+ this->content.len -= padding;
+
+ while (padding-- > 0)
+ {
+ if (*pos-- != pattern)
+ {
+ DBG1(DBG_LIB, "wrong padding pattern");
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Parse and decrypt enveloped-data
+ */
+static bool parse(private_pkcs7_enveloped_data_t *this, chunk_t content)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, version, alg = OID_UNKNOWN;
+ bool success = FALSE;
+ identification_t *issuer = NULL, *serial = NULL;
+ private_key_t *private = NULL;
+ chunk_t iv = chunk_empty, key = chunk_empty, encrypted = chunk_empty;
+
+ parser = asn1_parser_create(envelopedDataObjects, content);
+ parser->set_top_level(parser, 0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ u_int level = parser->get_level(parser);
+
+ switch (objectID)
+ {
+ case PKCS7_VERSION:
+ version = object.len ? (int)*object.ptr : 0;
+ DBG2(DBG_LIB, " v%d", version);
+ if (version != 0)
+ {
+ DBG1(DBG_LIB, "envelopedData version is not 0");
+ goto end;
+ }
+ break;
+ case PKCS7_RECIPIENT_INFO_VERSION:
+ version = object.len ? (int)*object.ptr : 0;
+ DBG2(DBG_LIB, " v%d", version);
+ if (version != 0)
+ {
+ DBG1(DBG_LIB, "recipient info version is not 0");
+ goto end;
+ }
+ break;
+ case PKCS7_ISSUER:
+ if (!issuer)
+ {
+ issuer = identification_create_from_encoding(ID_DER_ASN1_DN,
+ object);
+ }
+ break;
+ case PKCS7_SERIAL_NUMBER:
+ if (!serial)
+ {
+ serial = identification_create_from_encoding(ID_KEY_ID,
+ object);
+ }
+ break;
+ case PKCS7_ENCRYPTION_ALG:
+ if (asn1_parse_algorithmIdentifier(object, level,
+ NULL) != OID_RSA_ENCRYPTION)
+ {
+ DBG1(DBG_LIB, "only rsa encryption supported");
+ goto end;
+ }
+ break;
+ case PKCS7_ENCRYPTED_KEY:
+ key = object;
+ break;
+ case PKCS7_CONTENT_TYPE:
+ if (asn1_known_oid(object) != OID_PKCS7_DATA)
+ {
+ DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
+ goto end;
+ }
+ break;
+ case PKCS7_CONTENT_ENC_ALGORITHM:
+ alg = asn1_parse_algorithmIdentifier(object, level, &iv);
+ if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING,
+ level + 1, "IV"))
+ {
+ DBG1(DBG_LIB, "IV could not be parsed");
+ goto end;
+ }
+ break;
+ case PKCS7_ENCRYPTED_CONTENT:
+ encrypted = object;
+ break;
+ }
+ }
+ success = parser->success(parser);
+
+end:
+ parser->destroy(parser);
+ if (!success)
+ {
+ goto failed;
+ }
+ success = FALSE;
+ if (!issuer)
+ {
+ goto failed;
+ }
+ private = find_private(issuer, serial);
+ if (!private)
+ {
+ DBG1(DBG_LIB, "no private key found to decrypt pkcs7");
+ goto failed;
+ }
+ if (!decrypt(private, key, iv, alg, encrypted, &this->content))
+ {
+ goto failed;
+ }
+ if (!remove_padding(this))
+ {
+ goto failed;
+ }
+
+ success = TRUE;
+failed:
+ DESTROY_IF(issuer);
+ DESTROY_IF(serial);
+ DESTROY_IF(private);
+ return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+ private_pkcs7_enveloped_data_t *this)
+{
+ return CONTAINER_PKCS7_ENVELOPED_DATA;
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+ private_pkcs7_enveloped_data_t *this)
+{
+ return enumerator_create_empty();
+}
+
+METHOD(container_t, get_data, bool,
+ private_pkcs7_enveloped_data_t *this, chunk_t *data)
+{
+ if (this->content.len)
+ {
+ *data = chunk_clone(this->content);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+ private_pkcs7_enveloped_data_t *this, chunk_t *data)
+{
+ *data = chunk_clone(this->encoding);
+ return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+ private_pkcs7_enveloped_data_t *this)
+{
+ free(this->content.ptr);
+ free(this->encoding.ptr);
+ free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_pkcs7_enveloped_data_t* create_empty()
+{
+ private_pkcs7_enveloped_data_t *this;
+
+ INIT(this,
+ .public = {
+ .container = {
+ .get_type = _get_type,
+ .create_signature_enumerator = _create_signature_enumerator,
+ .get_data = _get_data,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .create_cert_enumerator = (void*)enumerator_create_empty,
+ .get_attribute = (void*)return_false,
+ },
+ );
+
+ return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_enveloped_data_load(chunk_t encoding, chunk_t content)
+{
+ private_pkcs7_enveloped_data_t *this = create_empty();
+
+ this->encoding = chunk_clone(encoding);
+ if (!parse(this, content))
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
+
+/**
+ * Allocate data with an RNG
+ */
+static bool get_random(rng_quality_t quality, size_t size, chunk_t *out)
+{
+ rng_t *rng;
+
+ rng = lib->crypto->create_rng(lib->crypto, quality);
+ if (!rng)
+ {
+ return FALSE;
+ }
+ if (!rng->allocate_bytes(rng, size, out))
+ {
+ rng->destroy(rng);
+ return FALSE;
+ }
+ rng->destroy(rng);
+ return TRUE;
+}
+
+/**
+ * Encrypt symmetric key using a public key from a certificate
+ */
+static bool encrypt_key(certificate_t *cert, chunk_t in, chunk_t *out)
+{
+ public_key_t *key;
+
+ key = cert->get_public_key(cert);
+ if (!key)
+ {
+ return FALSE;
+ }
+ if (!key->encrypt(key, ENCRYPT_RSA_PKCS1, in, out))
+ {
+ key->destroy(key);
+ return FALSE;
+ }
+ key->destroy(key);
+ return TRUE;
+}
+
+/**
+ * build a DER-encoded issuerAndSerialNumber object
+ */
+static chunk_t build_issuerAndSerialNumber(certificate_t *cert)
+{
+ identification_t *issuer = cert->get_issuer(cert);
+ chunk_t serial = chunk_empty;
+
+ if (cert->get_type(cert) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)cert;
+ serial = x509->get_serial(x509);
+ }
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm",
+ issuer->get_encoding(issuer),
+ asn1_integer("c", serial));
+}
+
+/**
+ * Generate a new PKCS#7 enveloped-data container
+ */
+static bool generate(private_pkcs7_enveloped_data_t *this,
+ certificate_t *cert, encryption_algorithm_t alg, int key_size)
+{
+ chunk_t contentEncryptionAlgorithm, encryptedContentInfo, recipientInfo;
+ chunk_t iv, symmetricKey, protectedKey, content;
+ crypter_t *crypter;
+ size_t bs, padding;
+ int alg_oid;
+
+ alg_oid = encryption_algorithm_to_oid(alg, key_size);
+ if (alg_oid == OID_UNKNOWN)
+ {
+ DBG1(DBG_LIB, " encryption algorithm %N not supported",
+ encryption_algorithm_names, alg);
+ return FALSE;
+ }
+ crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+ if (crypter == NULL)
+ {
+ DBG1(DBG_LIB, " could not create crypter for algorithm %N",
+ encryption_algorithm_names, alg);
+ return FALSE;
+ }
+
+ if (!get_random(RNG_TRUE, crypter->get_key_size(crypter), &symmetricKey))
+ {
+ DBG1(DBG_LIB, " failed to allocate symmetric encryption key");
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ DBG4(DBG_LIB, " symmetric encryption key: %B", &symmetricKey);
+
+ if (!get_random(RNG_WEAK, crypter->get_iv_size(crypter), &iv))
+ {
+ DBG1(DBG_LIB, " failed to allocate initialization vector");
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ DBG4(DBG_LIB, " initialization vector: %B", &iv);
+
+ bs = crypter->get_block_size(crypter);
+ padding = bs - this->content.len % bs;
+ content = chunk_alloc(this->content.len + padding);
+ memcpy(content.ptr, this->content.ptr, this->content.len);
+ memset(content.ptr + this->content.len, padding, padding);
+ DBG3(DBG_LIB, " padded unencrypted data: %B", &content);
+
+ /* symmetric inline encryption of content */
+ if (!crypter->set_key(crypter, symmetricKey) ||
+ !crypter->encrypt(crypter, content, iv, NULL))
+ {
+ crypter->destroy(crypter);
+ chunk_clear(&symmetricKey);
+ chunk_free(&iv);
+ return FALSE;
+ }
+ crypter->destroy(crypter);
+ DBG3(DBG_LIB, " encrypted data: %B", &content);
+
+ if (!encrypt_key(cert, symmetricKey, &protectedKey))
+ {
+ DBG1(DBG_LIB, " encrypting symmetric key failed");
+ chunk_clear(&symmetricKey);
+ chunk_free(&iv);
+ chunk_free(&content);
+ return FALSE;
+ }
+ chunk_clear(&symmetricKey);
+
+ contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(alg_oid),
+ asn1_wrap(ASN1_OCTET_STRING, "m", iv));
+
+ encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_PKCS7_DATA),
+ contentEncryptionAlgorithm,
+ asn1_wrap(ASN1_CONTEXT_S_0, "m", content));
+
+ recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm",
+ ASN1_INTEGER_0,
+ build_issuerAndSerialNumber(cert),
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey));
+
+ this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_PKCS7_ENVELOPED_DATA),
+ asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ asn1_wrap(ASN1_SEQUENCE, "cmm",
+ ASN1_INTEGER_0,
+ asn1_wrap(ASN1_SET, "m", recipientInfo),
+ encryptedContentInfo)));
+
+ return TRUE;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_enveloped_data_gen(container_type_t type, va_list args)
+{
+ private_pkcs7_enveloped_data_t *this;
+ chunk_t blob = chunk_empty;
+ encryption_algorithm_t alg = ENCR_AES_CBC;
+ certificate_t *cert = NULL;
+ int key_size = 128;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_CERT:
+ cert = va_arg(args, certificate_t*);
+ continue;
+ case BUILD_ENCRYPTION_ALG:
+ alg = va_arg(args, int);
+ continue;
+ case BUILD_KEY_SIZE:
+ key_size = va_arg(args, int);
+ continue;
+ case BUILD_BLOB:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+ if (blob.len && cert)
+ {
+ this = create_empty();
+
+ this->content = chunk_clone(blob);
+ if (generate(this, cert, alg, key_size))
+ {
+ return &this->public;
+ }
+ destroy(this);
+ }
+ return NULL;
+}
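Review bot: remove_padding() reads `*pos` at `this->content.ptr + this->content.len - 1` before checking that the decrypted content is non-empty, so if decrypt() ever yields a zero-length chunk (for instance from an empty encryptedContent, should the crypter accept it) the read lands one byte before the buffer. A final byte of 0 is also accepted as valid padding and leaves the length unchanged, although generate() in this file always pads with at least one byte. The excerpt below moves the read behind a length check and rejects a padding length of 0. Separately, generate() returns on IV allocation failure without `chunk_clear(&symmetricKey);`, which leaves the fresh content key unwiped on the heap, and the encrypt-failure path right after it does not `chunk_free(&content);`.

```c
static bool remove_padding(private_pkcs7_enveloped_data_t *this)
{
	u_char *pos, pattern;
	size_t padding;

	if (!this->content.len)
	{
		DBG1(DBG_LIB, "no data to remove padding from");
		return FALSE;
	}
	pos = this->content.ptr + this->content.len - 1;
	pattern = *pos;
	padding = pattern;

	if (padding == 0 || padding > this->content.len)
	{
		DBG1(DBG_LIB, "invalid padding length");
		return FALSE;
	}
	/* … unchanged: length adjustment and padding pattern check loop … */
}
```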
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
new file mode 100644
index 000000000..5e35abd54
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_enveloped_data pkcs7_enveloped_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ENVELOPED_DATA_H_
+#define PKCS7_ENVELOPED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 enveloped-data container.
+ *
+ * @param encoding full contentInfo encoding
+ * @param content DER encoded content from contentInfo
+ * @return CONTAINER_PKCS7_ENVELOPED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_enveloped_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 enveloped-data container.
+ *
+ * @param type container type, must be CONTAINER_PKCS7_ENVELOPED_DATA
+ * @param args builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_enveloped_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_ENVELOPED_DATA_H_ @}*/
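Review bot: The comment on pkcs7_enveloped_data_load() says only "Parse", but the implementation added in pkcs7_enveloped_data.c also looks up a private key through the credential manager and decrypts the content, returning NULL when no matching key is found. Callers should be told this, for example `Parse and decrypt a PKCS#7 enveloped-data container, using a private key from the credential manager.` The pkcs7_enveloped_data_gen() comment has no `@return` line and does not list the builder parts the implementation accepts (`BUILD_CERT`, `BUILD_ENCRYPTION_ALG`, `BUILD_KEY_SIZE`, `BUILD_BLOB`), nor that it defaults to AES-CBC with a 128 bit key.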
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
new file mode 100644
index 000000000..35d8d11a7
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_generic.h"
+#include "pkcs7_data.h"
+#include "pkcs7_signed_data.h"
+#include "pkcs7_enveloped_data.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+
+/**
+ * ASN.1 definition of the PKCS#7 ContentInfo type
+ */
+static const asn1Object_t contentInfoObjects[] = {
+ { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define PKCS7_INFO_TYPE 1
+#define PKCS7_INFO_CONTENT 2
+
+/**
+ * Parse PKCS#7 contentInfo object
+ */
+static pkcs7_t* parse_contentInfo(chunk_t blob)
+{
+ asn1_parser_t *parser;
+ chunk_t object, content = chunk_empty;
+ int objectID, type = OID_UNKNOWN;
+ bool success = FALSE;
+
+ parser = asn1_parser_create(contentInfoObjects, blob);
+ parser->set_top_level(parser, 0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ if (objectID == PKCS7_INFO_TYPE)
+ {
+ type = asn1_known_oid(object);
+ if (type < OID_PKCS7_DATA || type > OID_PKCS7_ENCRYPTED_DATA)
+ {
+ DBG1(DBG_ASN, "unknown pkcs7 content type");
+ goto end;
+ }
+ }
+ else if (objectID == PKCS7_INFO_CONTENT)
+ {
+ content = object;
+ }
+ }
+ success = parser->success(parser);
+
+end:
+ parser->destroy(parser);
+
+ if (success)
+ {
+ switch (type)
+ {
+ case OID_PKCS7_DATA:
+ return pkcs7_data_load(blob, content);
+ case OID_PKCS7_SIGNED_DATA:
+ return pkcs7_signed_data_load(blob, content);
+ case OID_PKCS7_ENVELOPED_DATA:
+ return pkcs7_enveloped_data_load(blob, content);
+ default:
+ DBG1(DBG_ASN, "pkcs7 content type %d not supported", type);
+ return NULL;
+ }
+ }
+ return NULL;
+}
+
+
+pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args)
+{
+ chunk_t blob = chunk_empty;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+ if (blob.len)
+ {
+ if (blob.len >= 2 &&
+ blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80)
+ { /* looks like infinite length BER encoding, but we can't handle it.
+ * ignore silently, our openssl backend can handle it */
+ return NULL;
+ }
+ return parse_contentInfo(blob);
+ }
+ return NULL;
+}
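Review bot: In `parse_contentInfo`, the `content` element is marked `ASN1_OPT` in `contentInfoObjects`, so a contentInfo carrying only a contentType still parses successfully and the `*_load` functions are called with `chunk_empty`. Nothing here states whether that is intended, and how `pkcs7_data_load` and `pkcs7_enveloped_data_load` treat an empty chunk is not visible in this hunk. Since this is the entry point for decoding externally supplied containers, I would record the contract above the `switch`, for example `/* content is optional: loaders receive chunk_empty if absent and must reject or handle it */`. Alternatively, return NULL here for the content types that cannot be empty.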
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
new file mode 100644
index 000000000..819343c4d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_generic pkcs7_generic
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_GENERIC_H_
+#define PKCS7_GENERIC_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Load a generic PKCS#7 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type type of the container, CONTAINER_PKCS7
+ * @param args builder_part_t argument list
+ * @return container, NULL on failure
+ */
+pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args);
+
+#endif /** PKCS7_GENERIC_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
new file mode 100644
index 000000000..7d350155d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_plugin.h"
+#include "pkcs7_generic.h"
+#include "pkcs7_data.h"
+#include "pkcs7_signed_data.h"
+#include "pkcs7_enveloped_data.h"
+
+#include <library.h>
+
+typedef struct private_pkcs7_plugin_t private_pkcs7_plugin_t;
+
+/**
+ * private data of pkcs7_plugin
+ */
+struct private_pkcs7_plugin_t {
+
+ /**
+ * public functions
+ */
+ pkcs7_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_pkcs7_plugin_t *this)
+{
+ return "pkcs7";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_pkcs7_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_REGISTER(CONTAINER_DECODE, pkcs7_generic_load, TRUE),
+ PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
+ PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_data_gen, TRUE),
+ PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_DATA),
+ PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_signed_data_gen, TRUE),
+ PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_SIGNED_DATA),
+ PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_enveloped_data_gen, TRUE),
+ PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_ENVELOPED_DATA),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_pkcs7_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs7_plugin_create()
+{
+ private_pkcs7_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
new file mode 100644
index 000000000..3d582c7c6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7p pkcs7
+ * @ingroup plugins
+ *
+ * @defgroup pkcs7_plugin pkcs7_plugin
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_PLUGIN_H_
+#define PKCS7_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs7_plugin_t pkcs7_plugin_t;
+
+/**
+ * Plugin providing PKCS#7 container functionality.
+ */
+struct pkcs7_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** PKCS7_PLUGIN_H_ @}*/
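Review bot: The licence header of this new file reads `FITNESS FOR A PARTICULAR PURPSE`, while the other new pkcs7 files on this page spell it `PURPOSE`. I would correct it to `* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License` before the header is copied into further files.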
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
new file mode 100644
index 000000000..48fb5e6a4
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
@@ -0,0 +1,678 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_signed_data.h"
+#include "pkcs7_attributes.h"
+
+#include <time.h>
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct private_pkcs7_signed_data_t private_pkcs7_signed_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_signed_data_t {
+
+ /**
+ * Implements pkcs7_t.
+ */
+ pkcs7_t public;
+
+ /**
+ * Signed content data
+ */
+ container_t *content;
+
+ /**
+ * Encoded PKCS#7 signed-data
+ */
+ chunk_t encoding;
+
+ /**
+ * list of signerInfos, signerinfo_t
+ */
+ linked_list_t *signerinfos;
+
+ /**
+ * Contained certificates
+ */
+ mem_cred_t *creds;
+};
+
+/**
+ * A single signerInfo
+ */
+typedef struct {
+
+ /**
+ * Signed attributes of signerInfo
+ */
+ pkcs7_attributes_t *attributes;
+
+ /**
+ * Serial of signing certificate
+ */
+ identification_t *serial;
+
+ /**
+ * Issuer of signing certificate
+ */
+ identification_t *issuer;
+
+ /**
+ * EncryptedDigest
+ */
+ chunk_t encrypted_digest;
+
+ /**
+ * Digesting algorithm OID
+ */
+ int digest_alg;
+
+ /**
+ * Public key encryption algorithm OID
+ */
+ int enc_alg;
+
+} signerinfo_t;
+
+/**
+ * Destroy a signerinfo_t entry
+ */
+void signerinfo_destroy(signerinfo_t *this)
+{
+ DESTROY_IF(this->attributes);
+ DESTROY_IF(this->serial);
+ DESTROY_IF(this->issuer);
+ free(this->encrypted_digest.ptr);
+ free(this);
+}
+
+/**
+ * ASN.1 definition of the PKCS#7 signedData type
+ */
+static const asn1Object_t signedDataObjects[] = {
+ { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
+ { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
+ { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
+ { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_LOOP }, /* 6 */
+ { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
+ { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
+ { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_LOOP }, /* 9 */
+ { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
+ { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
+ { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
+ { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
+ { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
+ { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
+ { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
+ { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
+ { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_OBJ }, /* 19 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
+ { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
+ { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
+ { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define PKCS7_VERSION 1
+#define PKCS7_DIGEST_ALG 3
+#define PKCS7_CONTENT_INFO 5
+#define PKCS7_CERT 7
+#define PKCS7_SIGNER_INFO 13
+#define PKCS7_SIGNER_INFO_VERSION 14
+#define PKCS7_ISSUER 16
+#define PKCS7_SERIAL_NUMBER 17
+#define PKCS7_DIGEST_ALGORITHM 18
+#define PKCS7_AUTH_ATTRIBUTES 19
+#define PKCS7_DIGEST_ENC_ALGORITHM 21
+#define PKCS7_ENCRYPTED_DIGEST 22
+
+METHOD(container_t, get_type, container_type_t,
+ private_pkcs7_signed_data_t *this)
+{
+ return CONTAINER_PKCS7_SIGNED_DATA;
+}
+
+/**
+ * Signature enumerator implementation
+ */
+typedef struct {
+ /** implements enumerator */
+ enumerator_t public;
+ /** inner signerinfos enumerator */
+ enumerator_t *inner;
+ /** currently enumerated auth_cfg */
+ auth_cfg_t *auth;
+ /** currently enumerating signerinfo */
+ signerinfo_t *info;
+ /** reference to container */
+ private_pkcs7_signed_data_t *this;
+} signature_enumerator_t;
+
+METHOD(enumerator_t, enumerate, bool,
+ signature_enumerator_t *this, auth_cfg_t **out)
+{
+ signerinfo_t *info;
+ signature_scheme_t scheme;
+ hash_algorithm_t algorithm;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ public_key_t *key;
+ auth_cfg_t *auth;
+ chunk_t chunk, hash, content;
+ hasher_t *hasher;
+ bool valid;
+
+ while (this->inner->enumerate(this->inner, &info))
+ {
+ /* clean up previous round */
+ DESTROY_IF(this->auth);
+ this->auth = NULL;
+
+ scheme = signature_scheme_from_oid(info->digest_alg);
+ if (scheme == SIGN_UNKNOWN)
+ {
+ DBG1(DBG_LIB, "unsupported signature scheme");
+ continue;
+ }
+ if (!info->attributes)
+ {
+ DBG1(DBG_LIB, "no authenticatedAttributes object found");
+ continue;
+ }
+ if (info->enc_alg != OID_RSA_ENCRYPTION)
+ {
+ DBG1(DBG_LIB, "only RSA digest encryption supported");
+ continue;
+ }
+
+ enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+ KEY_RSA, info->serial, FALSE);
+ while (enumerator->enumerate(enumerator, &cert, &auth))
+ {
+ if (info->issuer->equals(info->issuer, cert->get_issuer(cert)))
+ {
+ key = cert->get_public_key(cert);
+ if (key)
+ {
+ chunk = info->attributes->get_encoding(info->attributes);
+ if (key->verify(key, scheme, chunk, info->encrypted_digest))
+ {
+ this->auth = auth->clone(auth);
+ key->destroy(key);
+ break;
+ }
+ key->destroy(key);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!this->auth)
+ {
+ DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature");
+ continue;
+ }
+
+ chunk = info->attributes->get_attribute(info->attributes,
+ OID_PKCS9_MESSAGE_DIGEST);
+ if (!chunk.len)
+ {
+ DBG1(DBG_LIB, "messageDigest attribute not found");
+ continue;
+ }
+ if (!this->this->content->get_data(this->this->content, &content))
+ {
+ continue;
+ }
+
+ algorithm = hasher_algorithm_from_oid(info->digest_alg);
+ hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
+ if (!hasher || !hasher->allocate_hash(hasher, content, &hash))
+ {
+ free(content.ptr);
+ DESTROY_IF(hasher);
+ DBG1(DBG_LIB, "hash algorithm %N not supported",
+ hash_algorithm_names, algorithm);
+ continue;
+ }
+ free(content.ptr);
+ hasher->destroy(hasher);
+ DBG3(DBG_LIB, "hash: %B", &hash);
+
+ valid = chunk_equals(chunk, hash);
+ free(hash.ptr);
+ if (!valid)
+ {
+ DBG1(DBG_LIB, "invalid messageDigest");
+ continue;
+ }
+ *out = this->auth;
+ this->info = info;
+ return TRUE;
+ }
+ this->info = NULL;
+ return FALSE;
+}
+
+METHOD(enumerator_t, enumerator_destroy, void,
+ signature_enumerator_t *this)
+{
+ lib->credmgr->remove_local_set(lib->credmgr, &this->this->creds->set);
+ this->inner->destroy(this->inner);
+ DESTROY_IF(this->auth);
+ free(this);
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+ private_pkcs7_signed_data_t *this)
+{
+ signature_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_enumerate,
+ .destroy = _enumerator_destroy,
+ },
+ .inner = this->signerinfos->create_enumerator(this->signerinfos),
+ .this = this,
+ );
+
+ lib->credmgr->add_local_set(lib->credmgr, &this->creds->set, FALSE);
+ return &enumerator->public;
+}
+
+METHOD(pkcs7_t, get_attribute, bool,
+ private_pkcs7_signed_data_t *this, int oid, enumerator_t *enumerator, chunk_t *value)
+{
+ signature_enumerator_t *e;
+ chunk_t chunk;
+
+ e = (signature_enumerator_t*)enumerator;
+ if (e->info)
+ {
+ chunk = e->info->attributes->get_attribute(e->info->attributes, oid);
+ if (chunk.len)
+ {
+ *value = chunk_clone(chunk);
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+METHOD(pkcs7_t, create_cert_enumerator, enumerator_t*,
+ private_pkcs7_signed_data_t *this)
+{
+ return this->creds->set.create_cert_enumerator(&this->creds->set,
+ CERT_ANY, KEY_ANY, NULL, FALSE);
+}
+
+METHOD(container_t, get_data, bool,
+ private_pkcs7_signed_data_t *this, chunk_t *data)
+{
+ if (this->content)
+ {
+ return this->content->get_data(this->content, data);
+ }
+ return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+ private_pkcs7_signed_data_t *this, chunk_t *data)
+{
+ *data = chunk_clone(this->encoding);
+ return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+ private_pkcs7_signed_data_t *this)
+{
+ this->creds->destroy(this->creds);
+ this->signerinfos->destroy_function(this->signerinfos,
+ (void*)signerinfo_destroy);
+ DESTROY_IF(this->content);
+ free(this->encoding.ptr);
+ free(this);
+}
+
+/**
+ * Create an empty PKCS#7 signed-data container.
+ */
+static private_pkcs7_signed_data_t* create_empty()
+{
+ private_pkcs7_signed_data_t *this;
+
+ INIT(this,
+ .public = {
+ .container = {
+ .get_type = _get_type,
+ .create_signature_enumerator = _create_signature_enumerator,
+ .get_data = _get_data,
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .get_attribute = _get_attribute,
+ .create_cert_enumerator = _create_cert_enumerator,
+ },
+ .creds = mem_cred_create(),
+ .signerinfos = linked_list_create(),
+ );
+
+ return this;
+}
+
+/**
+ * Parse PKCS#7 signed data
+ */
+static bool parse(private_pkcs7_signed_data_t *this, chunk_t content)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, version;
+ signerinfo_t *info = NULL;
+ bool success = FALSE;
+
+ parser = asn1_parser_create(signedDataObjects, content);
+ parser->set_top_level(parser, 0);
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ u_int level = parser->get_level(parser);
+
+ switch (objectID)
+ {
+ case PKCS7_VERSION:
+ version = object.len ? (int)*object.ptr : 0;
+ DBG2(DBG_LIB, " v%d", version);
+ break;
+ case PKCS7_CONTENT_INFO:
+ this->content = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, object, BUILD_END);
+ break;
+ case PKCS7_CERT:
+ {
+ certificate_t *cert;
+
+ DBG2(DBG_LIB, " parsing pkcs7-wrapped certificate");
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, object,
+ BUILD_END);
+ if (cert)
+ {
+ this->creds->add_cert(this->creds, FALSE, cert);
+ }
+ break;
+ }
+ case PKCS7_SIGNER_INFO:
+ INIT(info,
+ .digest_alg = OID_UNKNOWN,
+ .enc_alg = OID_UNKNOWN,
+ );
+ this->signerinfos->insert_last(this->signerinfos, info);
+ break;
+ case PKCS7_SIGNER_INFO_VERSION:
+ version = object.len ? (int)*object.ptr : 0;
+ DBG2(DBG_LIB, " v%d", version);
+ break;
+ case PKCS7_ISSUER:
+ info->issuer = identification_create_from_encoding(
+ ID_DER_ASN1_DN, object);
+ break;
+ case PKCS7_SERIAL_NUMBER:
+ info->serial = identification_create_from_encoding(
+ ID_KEY_ID, object);
+ break;
+ case PKCS7_AUTH_ATTRIBUTES:
+ *object.ptr = ASN1_SET;
+ info->attributes = pkcs7_attributes_create_from_chunk(
+ object, level+1);
+ *object.ptr = ASN1_CONTEXT_C_0;
+ break;
+ case PKCS7_DIGEST_ALGORITHM:
+ info->digest_alg = asn1_parse_algorithmIdentifier(object,
+ level, NULL);
+ break;
+ case PKCS7_DIGEST_ENC_ALGORITHM:
+ info->enc_alg = asn1_parse_algorithmIdentifier(object,
+ level, NULL);
+ break;
+ case PKCS7_ENCRYPTED_DIGEST:
+ info->encrypted_digest = chunk_clone(object);
+ break;
+ }
+ }
+ success = parser->success(parser);
+ parser->destroy(parser);
+
+ return success;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_signed_data_load(chunk_t encoding, chunk_t content)
+{
+ private_pkcs7_signed_data_t *this = create_empty();
+
+ this->encoding = chunk_clone(encoding);
+ if (!parse(this, content))
+ {
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
+/**
+ * build a DER-encoded issuerAndSerialNumber object
+ */
+static chunk_t build_issuerAndSerialNumber(certificate_t *cert)
+{
+ identification_t *issuer = cert->get_issuer(cert);
+ chunk_t serial = chunk_empty;
+
+ if (cert->get_type(cert) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)cert;
+ serial = x509->get_serial(x509);
+ }
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm",
+ issuer->get_encoding(issuer),
+ asn1_integer("c", serial));
+}
+
+/**
+ * Generate a new PKCS#7 signed-data container
+ */
+static bool generate(private_pkcs7_signed_data_t *this, private_key_t *key,
+ certificate_t *cert, hash_algorithm_t alg,
+ pkcs7_attributes_t *pkcs9)
+{
+ chunk_t authenticatedAttributes = chunk_empty;
+ chunk_t encryptedDigest = chunk_empty;
+ chunk_t data, signerInfo, encoding = chunk_empty;
+ chunk_t messageDigest, signingTime, attributes;
+ signature_scheme_t scheme;
+ hasher_t *hasher;
+ time_t now;
+ int digest_oid;
+
+ digest_oid = hasher_algorithm_to_oid(alg);
+ scheme = signature_scheme_from_oid(digest_oid);
+
+ if (!this->content->get_data(this->content, &data))
+ {
+ return FALSE;
+ }
+
+ hasher = lib->crypto->create_hasher(lib->crypto, alg);
+ if (!hasher || !hasher->allocate_hash(hasher, data, &messageDigest))
+ {
+ DESTROY_IF(hasher);
+ DBG1(DBG_LIB, " hash algorithm %N not support",
+ hash_algorithm_names, alg);
+ free(data.ptr);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+ pkcs9->add_attribute(pkcs9,
+ OID_PKCS9_MESSAGE_DIGEST,
+ asn1_wrap(ASN1_OCTET_STRING, "m", messageDigest));
+
+ /* take the current time as signingTime */
+ now = time(NULL);
+ signingTime = asn1_from_time(&now, ASN1_UTCTIME);
+ pkcs9->add_attribute(pkcs9, OID_PKCS9_SIGNING_TIME, signingTime);
+ pkcs9->add_attribute(pkcs9, OID_PKCS9_CONTENT_TYPE,
+ asn1_build_known_oid(OID_PKCS7_DATA));
+
+ attributes = pkcs9->get_encoding(pkcs9);
+
+ if (!key->sign(key, scheme, attributes, &encryptedDigest))
+ {
+ free(data.ptr);
+ return FALSE;
+ }
+ authenticatedAttributes = chunk_clone(attributes);
+ *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+
+ free(data.ptr);
+ if (encryptedDigest.ptr)
+ {
+ encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest);
+ }
+ signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm",
+ ASN1_INTEGER_1,
+ build_issuerAndSerialNumber(cert),
+ asn1_algorithmIdentifier(digest_oid),
+ authenticatedAttributes,
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ encryptedDigest);
+
+ if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ {
+ free(signerInfo.ptr);
+ return FALSE;
+ }
+ if (!this->content->get_encoding(this->content, &data))
+ {
+ free(encoding.ptr);
+ free(signerInfo.ptr);
+ return FALSE;
+ }
+
+ this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_PKCS7_SIGNED_DATA),
+ asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ asn1_wrap(ASN1_SEQUENCE, "cmmmm",
+ ASN1_INTEGER_1,
+ asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)),
+ data,
+ asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding),
+ asn1_wrap(ASN1_SET, "m", signerInfo))));
+
+
+ pkcs9->destroy(pkcs9);
+ /* TODO: create signerInfos entry */
+ return TRUE;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_signed_data_gen(container_type_t type, va_list args)
+{
+ private_pkcs7_signed_data_t *this;
+ chunk_t blob = chunk_empty;
+ hash_algorithm_t alg = HASH_SHA1;
+ private_key_t *key = NULL;
+ certificate_t *cert = NULL;
+ pkcs7_attributes_t *pkcs9;
+ chunk_t value;
+ int oid;
+
+ pkcs9 = pkcs7_attributes_create();
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_SIGNING_KEY:
+ key = va_arg(args, private_key_t*);
+ continue;
+ case BUILD_SIGNING_CERT:
+ cert = va_arg(args, certificate_t*);
+ continue;
+ case BUILD_DIGEST_ALG:
+ alg = va_arg(args, int);
+ continue;
+ case BUILD_BLOB:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_PKCS7_ATTRIBUTE:
+ oid = va_arg(args, int);
+ value = va_arg(args, chunk_t);
+ pkcs9->add_attribute(pkcs9, oid, chunk_clone(value));
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ pkcs9->destroy(pkcs9);
+ return NULL;
+ }
+ break;
+ }
+ if (blob.len && key && cert)
+ {
+ this = create_empty();
+
+ this->creds->add_cert(this->creds, FALSE, cert->get_ref(cert));
+ this->content = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_DATA,
+ BUILD_BLOB, blob, BUILD_END);
+
+ if (this->content && generate(this, key, cert, alg, pkcs9))
+ {
+ return &this->public;
+ }
+ pkcs9->destroy(pkcs9);
+ destroy(this);
+ }
+ else
+ {
+ pkcs9->destroy(pkcs9);
+ }
+ return NULL;
+}
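Review bot: `enumerate` calls `this->this->content->get_data(...)` without checking that `content` is set, although `parse` stores the result of `lib->creds->create(...)` for `PKCS7_CONTENT_INFO` unchecked and still reports success. The `get_data` method in the same file guards against a NULL `content`, which suggests the field can legitimately be NULL after loading. An embedded contentInfo can fail to load, for instance the indefinite-length encoding that `pkcs7_generic_load` rejects or a content type it does not support. A signed-data container like that would then, as far as this hunk shows, lead to a NULL dereference once the attribute signature has verified. I would either make `parse` fail when the content cannot be created or change the check to `if (!this->this->content || !this->this->content->get_data(this->this->content, &content))`.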
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
new file mode 100644
index 000000000..5de672117
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_signed_data pkcs7_signed_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_SIGNED_DATA_H_
+#define PKCS7_SIGNED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 signed-data container.
+ *
+ * @param encoding full contentInfo encoding
+ * @param content DER encoded content from contentInfo
+ * @return CONTAINER_PKCS7_SIGNED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_signed_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 signed-data container.
+ *
+ * @param type container type, must be CONTAINER_PKCS7_SIGNED_DATA
+ * @param args builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_signed_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_SIGNED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 60d7ae643..45a1e16e8 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pkcs8_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES)
+libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs8_la_DEPENDENCIES)
$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index a501423b1..26a3620d7 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -15,7 +15,7 @@
#include "pkcs8_builder.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 6e043878c..6c954f76d 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -21,7 +21,7 @@
#include "plugin_feature.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
"NONE",
@@ -42,6 +42,8 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
"PUBKEY_ENCRYPT",
"CERT_DECODE",
"CERT_ENCODE",
+ "CONTAINER_DECODE",
+ "CONTAINER_ENCODE",
"EAP_SERVER",
"EAP_CLIENT",
"XAUTH_SERVER",
@@ -83,6 +85,8 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature)
case FEATURE_PUBKEY_ENCRYPT:
case FEATURE_CERT_DECODE:
case FEATURE_CERT_ENCODE:
+ case FEATURE_CONTAINER_DECODE:
+ case FEATURE_CONTAINER_ENCODE:
case FEATURE_EAP_SERVER:
case FEATURE_EAP_PEER:
data = chunk_from_thing(feature->arg);
@@ -143,6 +147,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
case FEATURE_CERT_DECODE:
case FEATURE_CERT_ENCODE:
return a->arg.cert == b->arg.cert;
+ case FEATURE_CONTAINER_DECODE:
+ case FEATURE_CONTAINER_ENCODE:
+ return a->arg.container == b->arg.container;
case FEATURE_EAP_SERVER:
case FEATURE_EAP_PEER:
return a->arg.eap == b->arg.eap;
@@ -267,6 +274,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
return str;
}
break;
+ case FEATURE_CONTAINER_DECODE:
+ case FEATURE_CONTAINER_ENCODE:
+ if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+ container_type_names, feature->arg.container) > 0)
+ {
+ return str;
+ }
+ break;
case FEATURE_EAP_SERVER:
case FEATURE_EAP_PEER:
if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
@@ -385,6 +400,12 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
feature->arg.cert, reg->arg.reg.final,
reg->arg.reg.f);
break;
+ case FEATURE_CONTAINER_DECODE:
+ case FEATURE_CONTAINER_ENCODE:
+ lib->creds->add_builder(lib->creds, CRED_CONTAINER,
+ feature->arg.container, reg->arg.reg.final,
+ reg->arg.reg.f);
+ break;
case FEATURE_DATABASE:
lib->db->add_database(lib->db, reg->arg.reg.f);
break;
@@ -454,6 +475,10 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
case FEATURE_CERT_ENCODE:
lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
break;
+ case FEATURE_CONTAINER_DECODE:
+ case FEATURE_CONTAINER_ENCODE:
+ lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
+ break;
case FEATURE_DATABASE:
lib->db->remove_database(lib->db, reg->arg.reg.f);
break;
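Review bot: The added container case repeats the body of the certificate case directly above it, `lib->creds->remove_builder(lib->creds, reg->arg.reg.f);`. Placing `case FEATURE_CONTAINER_DECODE:` and `case FEATURE_CONTAINER_ENCODE:` on that existing group would leave a single removal path for all builder-backed features, so a later change to it cannot miss one copy. The switch in plugin_feature_unload starts and ends outside this hunk.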
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index 90f8a948a..7667fff3e 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -29,6 +29,7 @@ typedef struct plugin_feature_t plugin_feature_t;
#include <library.h>
#include <eap/eap.h>
#include <plugins/plugin.h>
+#include <credentials/containers/container.h>
/**
* Callback function of a plugin to (un-)register a specified feature.
@@ -133,6 +134,10 @@ struct plugin_feature_t {
FEATURE_CERT_DECODE,
/** generating certificates */
FEATURE_CERT_ENCODE,
+ /** parsing containers */
+ FEATURE_CONTAINER_DECODE,
+ /** generating containers */
+ FEATURE_CONTAINER_ENCODE,
/** EAP server implementation */
FEATURE_EAP_SERVER,
/** EAP peer implementation */
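Review bot: FEATURE_CONTAINER_DECODE and FEATURE_CONTAINER_ENCODE are inserted in the middle of the enum, so every enumerator after FEATURE_CERT_ENCODE gets a new numeric value, assuming the values are implicit as the visible lines suggest. A plugin binary built against the previous header and loaded without a rebuild would then declare shifted feature types, and its features would be hashed, matched and registered under the wrong kind. If out-of-tree plugins are supported, either append the new enumerators at the end (with the names table in plugin_feature.c kept in the same order) or state the rebuild requirement in a comment such as `/* inserting here renumbers later features; plugins must be rebuilt */`. The enum starts and ends outside this hunk.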
@@ -186,6 +191,8 @@ struct plugin_feature_t {
encryption_scheme_t pubkey_encrypt;
/** FEATURE_CERT_DECODE/ENCODE */
certificate_type_t cert;
+ /** FEATURE_CONTAINER_DECODE/ENCODE */
+ container_type_t container;
/** FEATURE_EAP_SERVER/CLIENT */
eap_type_t eap;
/** FEATURE_DATABASE */
@@ -281,6 +288,8 @@ struct plugin_feature_t {
#define _PLUGIN_FEATURE_PUBKEY_ENCRYPT(kind, scheme) __PLUGIN_FEATURE(kind, PUBKEY_ENCRYPT, .pubkey_encrypt = scheme)
#define _PLUGIN_FEATURE_CERT_DECODE(kind, type) __PLUGIN_FEATURE(kind, CERT_DECODE, .cert = type)
#define _PLUGIN_FEATURE_CERT_ENCODE(kind, type) __PLUGIN_FEATURE(kind, CERT_ENCODE, .cert = type)
+#define _PLUGIN_FEATURE_CONTAINER_DECODE(kind, type) __PLUGIN_FEATURE(kind, CONTAINER_DECODE, .container = type)
+#define _PLUGIN_FEATURE_CONTAINER_ENCODE(kind, type) __PLUGIN_FEATURE(kind, CONTAINER_ENCODE, .container = type)
#define _PLUGIN_FEATURE_EAP_SERVER(kind, type) __PLUGIN_FEATURE(kind, EAP_SERVER, .eap = type)
#define _PLUGIN_FEATURE_EAP_PEER(kind, type) __PLUGIN_FEATURE(kind, EAP_PEER, .eap = type)
#define _PLUGIN_FEATURE_DATABASE(kind, type) __PLUGIN_FEATURE(kind, DATABASE, .database = type)
@@ -304,6 +313,8 @@ struct plugin_feature_t {
#define _PLUGIN_FEATURE_REGISTER_PUBKEY(type, f, final) __PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
#define _PLUGIN_FEATURE_REGISTER_CERT_DECODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
#define _PLUGIN_FEATURE_REGISTER_CERT_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
+#define _PLUGIN_FEATURE_REGISTER_CONTAINER_DECODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
+#define _PLUGIN_FEATURE_REGISTER_CONTAINER_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
#define _PLUGIN_FEATURE_REGISTER_DATABASE(type, f) __PLUGIN_FEATURE_REGISTER(type, f)
#define _PLUGIN_FEATURE_REGISTER_FETCHER(type, f) __PLUGIN_FEATURE_REGISTER(type, f)
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 95a0bfc02..cea219e92 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -22,12 +22,12 @@
#include <limits.h>
#include <stdio.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
-#include <integrity_checker.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
#include <plugins/plugin.h>
+#include <utils/integrity_checker.h>
typedef struct private_plugin_loader_t private_plugin_loader_t;
typedef struct plugin_entry_t plugin_entry_t;
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 94181dbb6..6a8f8f6a1 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -24,7 +24,7 @@
typedef struct plugin_loader_t plugin_loader_t;
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
/* to avoid circular references we can't include plugin_feature.h */
struct plugin_feature_t;
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 6680873c2..165314993 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_pubkey_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -371,7 +380,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES)
+libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_pubkey_la_DEPENDENCIES)
$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 0304ccb36..95f53f919 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -17,7 +17,7 @@
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_pubkey_cert_t private_pubkey_cert_t;
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index a393e8049..07e5dba40 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_random_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -374,7 +383,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES)
+libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) $(EXTRA_libstrongswan_random_la_DEPENDENCIES)
$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -512,10 +521,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index cef20047a..24c711a69 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -22,7 +22,7 @@
#include <errno.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "random_rng.h"
#ifndef DEV_RANDOM
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 52cfc080e..568844899 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -17,7 +17,7 @@
#include <string.h>
#include <unistd.h>
#include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "random_rng.h"
#include "random_plugin.h"
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.am b/src/libstrongswan/plugins/rdrand/Makefile.am
new file mode 100644
index 000000000..4be7b7215
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-rdrand.la
+else
+plugin_LTLIBRARIES = libstrongswan-rdrand.la
+endif
+
+libstrongswan_rdrand_la_SOURCES = \
+ rdrand_plugin.h rdrand_plugin.c \
+ rdrand_rng.h rdrand_rng.c
+
+libstrongswan_rdrand_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
new file mode 100644
index 000000000..9da0ae0c2
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -0,0 +1,632 @@
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/rdrand
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_rdrand_la_LIBADD =
+am_libstrongswan_rdrand_la_OBJECTS = rdrand_plugin.lo rdrand_rng.lo
+libstrongswan_rdrand_la_OBJECTS = \
+ $(am_libstrongswan_rdrand_la_OBJECTS)
+libstrongswan_rdrand_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_rdrand_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_rdrand_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_rdrand_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-rdrand.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-rdrand.la
+libstrongswan_rdrand_la_SOURCES = \
+ rdrand_plugin.h rdrand_plugin.c \
+ rdrand_rng.h rdrand_rng.c
+
+libstrongswan_rdrand_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/rdrand/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/rdrand/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-rdrand.la: $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_DEPENDENCIES) $(EXTRA_libstrongswan_rdrand_la_DEPENDENCIES)
+ $(libstrongswan_rdrand_la_LINK) $(am_libstrongswan_rdrand_la_rpath) $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_rng.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
new file mode 100644
index 000000000..4bdfc258e
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "rdrand_plugin.h"
+#include "rdrand_rng.h"
+
+#include <stdio.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_rdrand_plugin_t private_rdrand_plugin_t;
+typedef enum cpuid_feature_t cpuid_feature_t;
+
+/**
+ * private data of rdrand_plugin
+ */
+struct private_rdrand_plugin_t {
+
+ /**
+ * public functions
+ */
+ rdrand_plugin_t public;
+};
+
+/**
+ * CPU feature flags, returned via cpuid(1)
+ */
+enum cpuid_feature_t {
+ CPUID_RDRAND = (1<<30),
+};
+
+/**
+ * Get cpuid for info, return eax, ebx, ecx and edx.
+ * -fPIC requires to save ebx on IA-32.
+ */
+static void cpuid(u_int op, u_int *a, u_int *b, u_int *c, u_int *d)
+{
+#ifdef __x86_64__
+ asm("cpuid" : "=a" (*a), "=b" (*b), "=c" (*c), "=d" (*d) : "a" (op));
+#else /* __i386__ */
+ asm("pushl %%ebx;"
+ "cpuid;"
+ "movl %%ebx, %1;"
+ "popl %%ebx;"
+ : "=a" (*a), "=r" (*b), "=c" (*c), "=d" (*d) : "a" (op));
+#endif /* __x86_64__ / __i386__*/
+}
+
+/**
+ * Check if we have RDRAND instruction
+ */
+static bool have_rdrand()
+{
+ char vendor[3 * sizeof(u_int32_t) + 1];
+ u_int a, b, c, d;
+
+ cpuid(0, &a, &b, &c, &d);
+ /* VendorID string is in b-d-c (yes, in this order) */
+ snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c);
+
+ /* check if we have an Intel CPU */
+ if (streq(vendor, "GenuineIntel"))
+ {
+ cpuid(1, &a, &b, &c, &d);
+ if (c & CPUID_RDRAND)
+ {
+ DBG1(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
+ return TRUE;
+ }
+ }
+ DBG1(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
+ return FALSE;
+}
+
+METHOD(plugin_t, get_name, char*,
+ private_rdrand_plugin_t *this)
+{
+ return "rdrand";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_rdrand_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_REGISTER(RNG, rdrand_rng_create),
+ PLUGIN_PROVIDE(RNG, RNG_WEAK),
+ PLUGIN_PROVIDE(RNG, RNG_STRONG),
+ PLUGIN_PROVIDE(RNG, RNG_TRUE),
+ PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_rdrand_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *rdrand_plugin_create()
+{
+ private_rdrand_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ if (have_rdrand())
+ {
+ this->public.plugin.get_features = _get_features;
+ }
+
+ return &this->public.plugin;
+}
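Review bot: In `get_features` the plugin offers `RNG_STRONG` and `RNG_TRUE` through `rdrand_rng_create`, which in this commit draws on RDRAND alone, and nothing in the file tells whoever enables the plugin that key material will then rest on a single hardware source. A comment above the feature table would cover it, for example `/* all qualities are derived from RDRAND only; no other entropy source is mixed in */`. `rdrand_plugin_create` leaves `get_features` NULL when `have_rdrand()` fails, which presumably relies on the plugin loader tolerating a missing callback; that deserves a one-line comment next to the `if`. In `have_rdrand` the `snprintf` call passes `u_int *` arguments to `%.4s`; casting them, as in `(char*)&b, (char*)&d, (char*)&c`, makes the arguments match the format.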
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.h b/src/libstrongswan/plugins/rdrand/rdrand_plugin.h
new file mode 100644
index 000000000..6f0e55313
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rdrand_p rdrand
+ * @ingroup plugins
+ *
+ * @defgroup rdrand_plugin rdrand_plugin
+ * @{ @ingroup rdrand_p
+ */
+
+#ifndef RDRAND_PLUGIN_H_
+#define RDRAND_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct rdrand_plugin_t rdrand_plugin_t;
+
+/**
+ * Plugin providing random generators based on Intels RDRAND instruction.
+ */
+struct rdrand_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** RDRAND_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.c b/src/libstrongswan/plugins/rdrand/rdrand_rng.c
new file mode 100644
index 000000000..fa66f3ad7
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.c
@@ -0,0 +1,442 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "rdrand_rng.h"
+
+#include <unistd.h>
+
+typedef struct private_rdrand_rng_t private_rdrand_rng_t;
+
+/**
+ * Private data of an rdrand_rng_t object.
+ */
+struct private_rdrand_rng_t {
+
+ /**
+ * Public rdrand_rng_t interface.
+ */
+ rdrand_rng_t public;
+
+ /**
+ * Quality we produce RNG data
+ */
+ rng_quality_t quality;
+};
+
+/**
+ * Retries for failed RDRAND instructions
+ */
+#define MAX_TRIES 16
+
+/**
+ * After how many bytes should we reseed for RNG_STRONG
+ * (must be a power of two >= 8)
+ */
+#define FORCE_RESEED 16
+
+/**
+ * How many times we mix reseeded RDRAND output when using RNG_TRUE
+ */
+#define MIX_ROUNDS 32
+
+/**
+ * Get a two byte word using RDRAND
+ */
+static bool rdrand16(u_int16_t *out)
+{
+ u_char res;
+ int i;
+
+ for (i = 0; i < MAX_TRIES; i++)
+ {
+ asm(".byte 0x66;.byte 0x0f;.byte 0xc7;.byte 0xf0; " /* rdrand */
+ "setc %1;"
+ : "=a"(*out), "=qm"(res));
+
+ if (res)
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Get a four byte word using RDRAND
+ */
+static bool rdrand32(u_int32_t *out)
+{
+ u_char res;
+ int i;
+
+ for (i = 0; i < MAX_TRIES; i++)
+ {
+ asm(".byte 0x0f;.byte 0xc7;.byte 0xf0;" /* rdrand */
+ "setc %1;"
+ : "=a"(*out), "=qm"(res));
+
+ if (res)
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+#ifdef __x86_64__
+/**
+ * Get a eight byte word using RDRAND
+ */
+static bool rdrand64(u_int64_t *out)
+{
+ u_char res;
+ int i;
+
+ for (i = 0; i < MAX_TRIES; i++)
+ {
+ asm(".byte 0x48;.byte 0x0f;.byte 0xc7;.byte 0xf0;" /* rdrand */
+ "setc %1;"
+ : "=a"(*out), "=qm"(res));
+
+ if (res)
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+#endif /* __x86_64__ */
+
+/**
+ * Get a one byte word using RDRAND
+ */
+static bool rdrand8(u_int8_t *out)
+{
+ u_int16_t u16;
+
+ if (!rdrand16(&u16))
+ {
+ return FALSE;
+ }
+ *out = u16;
+ return TRUE;
+}
+
+/**
+ * Get a 16 byte word using RDRAND
+ */
+static bool rdrand128(void *out)
+{
+#ifdef __x86_64__
+ if (!rdrand64(out) ||
+ !rdrand64(out + sizeof(u_int64_t)))
+ {
+ return FALSE;
+ }
+#else /* __i386__ */
+ if (!rdrand32(out) ||
+ !rdrand32(out + 1 * sizeof(u_int32_t)) ||
+ !rdrand32(out + 2 * sizeof(u_int32_t)) ||
+ !rdrand32(out + 3 * sizeof(u_int32_t)))
+ {
+ return FALSE;
+ }
+#endif /* __x86_64__ / __i386__ */
+ return TRUE;
+}
+
+/**
+ * Enforce a DRNG reseed by reading 511 128-bit samples
+ */
+static bool reseed()
+{
+ int i;
+
+#ifdef __x86_64__
+ u_int64_t tmp;
+
+ for (i = 0; i < 511 * 16 / sizeof(u_int64_t); i++)
+ {
+ if (!rdrand64(&tmp))
+ {
+ return FALSE;
+ }
+ }
+#else /* __i386__ */
+ u_int32_t tmp;
+
+ for (i = 0; i < 511 * 16 / sizeof(u_int32_t); i++)
+ {
+ if (!rdrand32(&tmp))
+ {
+ return FALSE;
+ }
+ }
+#endif /* __x86_64__ / __i386__ */
+ return TRUE;
+}
+
+/**
+ * Fill a preallocated chunk of data with random bytes
+ */
+static bool rdrand_chunk(private_rdrand_rng_t *this, chunk_t chunk)
+{
+ if (this->quality == RNG_STRONG)
+ {
+ if (!reseed())
+ {
+ return FALSE;
+ }
+ }
+
+ /* align to 2 byte */
+ if (chunk.len >= sizeof(u_int8_t))
+ {
+ if ((uintptr_t)chunk.ptr % 2)
+ {
+ if (!rdrand8((u_int8_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int8_t));
+ }
+ }
+
+ /* align to 4 byte */
+ if (chunk.len >= sizeof(u_int16_t))
+ {
+ if ((uintptr_t)chunk.ptr % 4)
+ {
+ if (!rdrand16((u_int16_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int16_t));
+ }
+ }
+
+#ifdef __x86_64__
+
+ /* align to 8 byte */
+ if (chunk.len >= sizeof(u_int32_t))
+ {
+ if ((uintptr_t)chunk.ptr % 8)
+ {
+ if (!rdrand32((u_int32_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int32_t));
+ }
+ }
+
+ /* fill with 8 byte words */
+ while (chunk.len >= sizeof(u_int64_t))
+ {
+ if (this->quality == RNG_STRONG && chunk.len % FORCE_RESEED == 0)
+ {
+ if (!reseed())
+ {
+ return FALSE;
+ }
+ }
+ if (!rdrand64((u_int64_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int64_t));
+ }
+
+ /* append 4 byte word */
+ if (chunk.len >= sizeof(u_int32_t))
+ {
+ if (!rdrand32((u_int32_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int32_t));
+ }
+
+#else /* __i386__ */
+
+ /* fill with 4 byte words */
+ while (chunk.len >= sizeof(u_int32_t))
+ {
+ if (this->quality == RNG_STRONG && chunk.len % FORCE_RESEED == 0)
+ {
+ if (!reseed())
+ {
+ return FALSE;
+ }
+ }
+ if (!rdrand32((u_int32_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int32_t));
+ }
+
+#endif /* __x86_64__ / __i386__ */
+
+ if (this->quality == RNG_STRONG)
+ {
+ if (!reseed())
+ {
+ return FALSE;
+ }
+ }
+
+ /* append 2 byte word */
+ if (chunk.len >= sizeof(u_int16_t))
+ {
+ if (!rdrand16((u_int16_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int16_t));
+ }
+
+ /* append 1 byte word */
+ if (chunk.len >= sizeof(u_int8_t))
+ {
+ if (!rdrand8((u_int8_t*)chunk.ptr))
+ {
+ return FALSE;
+ }
+ chunk = chunk_skip(chunk, sizeof(u_int8_t));
+ }
+
+ return TRUE;
+}
+
+/**
+ * Stronger variant mixing reseeded results of rdrand output
+ *
+ * This is based on the Intel DRNG "Software Implementation Guide", using
+ * AES-CBC to mix several reseeded RDRAND outputs.
+ */
+static bool rdrand_mixed(private_rdrand_rng_t *this, chunk_t chunk)
+{
+ u_char block[16], forward[16], key[16], iv[16];
+ crypter_t *crypter;
+ int i, len;
+
+ memset(iv, 0, sizeof(iv));
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+ if (!crypter)
+ {
+ return FALSE;
+ }
+ for (i = 0; i < sizeof(key); i++)
+ {
+ key[i] = i;
+ }
+ if (!crypter->set_key(crypter, chunk_from_thing(key)))
+ {
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ while (chunk.len > 0)
+ {
+ memset(forward, 0, sizeof(forward));
+ for (i = 0; i < MIX_ROUNDS; i++)
+ {
+ /* sleep to reseed PRNG */
+ usleep(10);
+ if (!rdrand128(block))
+ {
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ memxor(forward, block, sizeof(block));
+ if (!crypter->encrypt(crypter, chunk_from_thing(forward),
+ chunk_from_thing(iv), NULL))
+ {
+ crypter->destroy(crypter);
+ return FALSE;
+ }
+ }
+ len = min(chunk.len, sizeof(forward));
+ memcpy(chunk.ptr, forward, len);
+ chunk = chunk_skip(chunk, len);
+ }
+ crypter->destroy(crypter);
+
+ return TRUE;
+}
+
+METHOD(rng_t, get_bytes, bool,
+ private_rdrand_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+ switch (this->quality)
+ {
+ case RNG_WEAK:
+ case RNG_STRONG:
+ return rdrand_chunk(this, chunk_create(buffer, bytes));
+ case RNG_TRUE:
+ return rdrand_mixed(this, chunk_create(buffer, bytes));
+ default:
+ return FALSE;
+ }
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+ private_rdrand_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+ *chunk = chunk_alloc(bytes);
+ if (get_bytes(this, bytes, chunk->ptr))
+ {
+ return TRUE;
+ }
+ free(chunk->ptr);
+ return FALSE;
+}
+
+METHOD(rng_t, destroy, void,
+ private_rdrand_rng_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+rdrand_rng_t *rdrand_rng_create(rng_quality_t quality)
+{
+ private_rdrand_rng_t *this;
+
+ switch (quality)
+ {
+ case RNG_WEAK:
+ case RNG_STRONG:
+ case RNG_TRUE:
+ break;
+ default:
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .rng = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .destroy = _destroy,
+ },
+ },
+ .quality = quality,
+ );
+
+ return &this->public;
+}
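Review bot: The `asm(...)` statements in `rdrand16`, `rdrand32` and `rdrand64` are not `volatile` and take no inputs, so GCC is allowed to assume they yield the same result every time, merge identical instances after inlining or hoist them out of the retry loop. That would undermine `reseed()`, whose 511-sample loop discards `tmp`, and the back-to-back reads in `rdrand128`; each statement should start `asm volatile(` with the operands unchanged. In `allocate_bytes` the failure path calls `free(chunk->ptr)` but leaves `*chunk` pointing at the freed buffer; adding `*chunk = chunk_empty;` after the free avoids handing the caller a dangling pointer. `rdrand_mixed` returns without clearing `block` and `forward`, so the last output block stays on the stack; wiping both before each return would be a cheap hardening step.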
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.h b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
new file mode 100644
index 000000000..d15a48224
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rdrand_rng rdrand_rng
+ * @{ @ingroup rdrand
+ */
+
+#ifndef RDRAND_RNG_H_
+#define RDRAND_RNG_H_
+
+#include <crypto/rngs/rng.h>
+
+typedef struct rdrand_rng_t rdrand_rng_t;
+
+/**
+ * RNG implemented with Intels RDRAND instructions, introduced in Ivy Bridge.
+ */
+struct rdrand_rng_t {
+
+ /**
+ * Implements rng_t interface.
+ */
+ rng_t rng;
+};
+
+/**
+ * Create a rdrand_rng instance.
+ *
+ * @param quality RNG quality
+ * @return RNG instance
+ */
+rdrand_rng_t *rdrand_rng_create(rng_quality_t quality);
+
+#endif /** RDRAND_RNG_H_ @}*/
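Review bot: The Doxygen header uses `@ingroup rdrand`, but the group defined in rdrand_plugin.h in this commit is `rdrand_p`, so this file would not be attached to the plugin's group; it should read `@{ @ingroup rdrand_p`. The `@return` line for `rdrand_rng_create` also omits that the implementation returns NULL for a quality other than `RNG_WEAK`, `RNG_STRONG` or `RNG_TRUE`; suggested wording is `@return RNG instance, NULL if quality is not supported`.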
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index e2cbbbbe0..df94dc36e 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_revocation_la_LIBADD =
@@ -124,6 +130,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -151,6 +158,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,6 +186,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -190,6 +199,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -243,7 +253,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES)
+libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) $(EXTRA_libstrongswan_revocation_la_DEPENDENCIES)
$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index dc8e454e7..44c234559 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -17,7 +17,7 @@
#include "revocation_validator.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>
#include <credentials/certificates/ocsp_request.h>
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 5188c3fbf..bfc35d1b8 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_sha1_la_LIBADD =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES)
+libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha1_la_DEPENDENCIES)
$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -509,10 +518,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index adf7d10b4..1b9d7b717 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_sha2_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES)
+libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha2_la_DEPENDENCIES)
$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 5ab3f94aa..41cd7bac5 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES)
+libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) $(EXTRA_libstrongswan_soup_la_DEPENDENCIES)
$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -508,10 +517,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c
index 3e5786b12..681a3c357 100644
--- a/src/libstrongswan/plugins/soup/soup_fetcher.c
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.c
@@ -18,7 +18,7 @@
#include <libsoup/soup.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#define DEFAULT_TIMEOUT 10
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
index b21b28b9f..1260a5a60 100644
--- a/src/libstrongswan/plugins/soup/soup_plugin.c
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -66,10 +66,13 @@ plugin_t *soup_plugin_create()
private_soup_plugin_t *this;
g_type_init();
+
+#if !GLIB_CHECK_VERSION(2,23,0)
if (!g_thread_get_initialized())
{
g_thread_init(NULL);
}
+#endif
INIT(this,
.public = {
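Review bot: The new `#if !GLIB_CHECK_VERSION(2,23,0)` guard around `g_thread_init(NULL)` has no explanation of why 2.23 is the cut-off, so a later reader cannot tell whether it is safe to widen or drop. A one-line comment above it would help, for example `/* newer GLib sets up threading from g_type_init(); g_thread_init() is only needed before that */`, with the exact version confirmed against the GLib release notes. Note that the macro compares against the headers used at build time, not the library loaded at run time. `soup_plugin_create` starts before and continues past this hunk.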
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index f13540edb..8e5b21e49 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_sqlite_la_DEPENDENCIES =
@@ -123,6 +129,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -150,6 +157,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,6 +185,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -189,6 +198,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -242,7 +252,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -373,7 +382,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES)
+libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) $(EXTRA_libstrongswan_sqlite_la_DEPENDENCIES)
$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -511,10 +520,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index 0fb3c7fff..1fb306579 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -18,7 +18,7 @@
#include <sqlite3.h>
#include <unistd.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/mutex.h>
typedef struct private_sqlite_database_t private_sqlite_database_t;
@@ -300,7 +300,10 @@ static int busy_handler(private_sqlite_database_t *this, int count)
METHOD(database_t, destroy, void,
private_sqlite_database_t *this)
{
- sqlite3_close(this->db);
+ if (sqlite3_close(this->db) == SQLITE_BUSY)
+ {
+ DBG1(DBG_LIB, "sqlite close failed because database is busy");
+ }
this->mutex->destroy(this->mutex);
free(this);
}
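Review bot: The added check in destroy reports only `SQLITE_BUSY`, so any other non-OK result from sqlite3_close() is still dropped without a trace. In the busy case sqlite3_close() leaves the connection open, yet the function goes on to destroy the mutex and free `this`, so the handle and any file lock it holds can no longer be reached or released. I would log every failure with its code, `int rc = sqlite3_close(this->db);` followed by `if (rc != SQLITE_OK) { DBG1(DBG_LIB, "sqlite close failed (%d)", rc); }`. A comment should also say that a busy close means a statement was not finalized earlier, which is the actual bug to find.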
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index f717ad6d9..f7ac9f9d0 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_test_vectors_la_LIBADD =
@@ -129,6 +135,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -156,6 +163,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -183,6 +191,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -195,6 +204,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -248,7 +258,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -405,7 +414,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES)
+libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) $(EXTRA_libstrongswan_test_vectors_la_DEPENDENCIES)
$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -766,10 +775,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
index 18e0c9278..3316c364d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
@@ -15,7 +15,7 @@
#include <crypto/crypto_tester.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* Monobit test
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 6d9f88647..5c1258986 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_x509_la_LIBADD =
@@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -149,6 +156,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,6 +184,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -241,7 +251,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -376,7 +385,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES)
+libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) $(EXTRA_libstrongswan_x509_la_DEPENDENCIES)
$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -519,10 +528,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index d6ca8c4fa..7d83e48ea 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -22,12 +22,12 @@
#include <time.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/certificates/x509.h>
#include <credentials/ietf_attributes/ietf_attributes.h>
#include <credentials/keys/private_key.h>
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 2269eb453..85c481552 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -29,13 +29,13 @@
#include <stdio.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <crypto/hashers/hasher.h>
#include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
#include <selectors/traffic_selector.h>
@@ -1547,6 +1547,10 @@ METHOD(certificate_t, has_subject, id_match_t,
{
return ID_MATCH_PERFECT;
}
+ if (chunk_equals(this->serialNumber, encoding))
+ {
+ return ID_MATCH_PERFECT;
+ }
}
best = this->subject->matches(this->subject, subject);
enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
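Review bot: The added `chunk_equals(this->serialNumber, encoding)` branch returns `ID_MATCH_PERFECT` on the serial number alone, and a serial is only unique within one issuer. Certificates from two different CAs can carry the same serial, so an identity given as a bare serial would match both with the highest score. Whether that matters depends on how callers use has_subject, which is not visible here, and the enclosing condition and the start of the method are outside the hunk. At minimum I would document the limitation above the branch: `/* match by serial number; only unique per issuer, callers must constrain the issuer separately */`.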
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 47621103e..5350d4a51 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -20,14 +20,14 @@ typedef struct revoked_t revoked_t;
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <credentials/certificates/x509.h>
#include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* entry for a revoked certificate
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index bbd1c5905..09c5a8539 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -21,8 +21,8 @@
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
#include <credentials/keys/private_key.h>
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 27497e0e3..1f8929958 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -23,8 +23,8 @@
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
#include <library.h>
#include <credentials/certificates/x509.h>
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 9fa91fed2..024b4dba5 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -18,12 +18,12 @@
#include "x509_pkcs10.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
typedef struct private_x509_pkcs10_t private_x509_pkcs10_t;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index b4d0a2160..b29989c9d 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_xcbc_la_LIBADD =
@@ -120,6 +126,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -147,6 +154,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,6 +182,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,6 +195,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -239,7 +249,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -368,7 +377,7 @@ clean-pluginLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES)
+libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) $(EXTRA_libstrongswan_xcbc_la_DEPENDENCIES)
$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -506,10 +515,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index 1bb7e640a..802c8a39f 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -18,7 +18,7 @@
#include "xcbc.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <crypto/mac.h>
#include <crypto/prfs/mac_prf.h>
#include <crypto/signers/mac_signer.h>
diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
index a5ddc8ff6..8258ccb33 100644
--- a/src/libstrongswan/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -21,7 +21,7 @@
#include <threading/condvar.h>
#include <threading/semaphore.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_callback_job_t private_callback_job_t;
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index 5b7fd467c..934636fc0 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -22,12 +22,12 @@
#include "processor.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
#include <threading/condvar.h>
#include <threading/mutex.h>
#include <threading/thread_value.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_processor_t private_processor_t;
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index c97dbc4be..3f1598fc4 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -19,7 +19,7 @@
#include "scheduler.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <processing/processor.h>
#include <processing/jobs/callback_job.h>
#include <threading/thread.h>
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index b19b962e6..87e57095c 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -22,9 +22,9 @@
#include "traffic_selector.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/identification.h>
-#include <debug.h>
+#include <utils/debug.h>
#define NON_SUBNET_ADDRESS_RANGE 255
@@ -818,6 +818,23 @@ traffic_selector_t *traffic_selector_create_from_string(
/*
* see header
*/
+traffic_selector_t *traffic_selector_create_from_cidr(char *string,
+ u_int8_t protocol, u_int16_t port)
+{
+ host_t *net;
+ int bits;
+
+ net = host_create_from_subnet(string, &bits);
+ if (net)
+ {
+ return traffic_selector_create_from_subnet(net, bits, protocol, port);
+ }
+ return NULL;
+}
+
+/*
+ * see header
+ */
traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
u_int16_t from_port, u_int16_t to_port)
{
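Review bot: traffic_selector_create_from_cidr passes `net` to traffic_selector_create_from_subnet and never destroys it, so it is leak-free only if that function takes ownership of the host on every path, including its failure path. Its body is not in this hunk, so the contract should be stated at the call: `/* traffic_selector_create_from_subnet() takes ownership of net */`, if that is indeed the case. `bits` is an `int` filled in by host_create_from_subnet(); if the callee's prefix-length parameter is a narrower type, a range check or a comment on the expected range belongs here as well.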
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index 7a81521e9..b6da391aa 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -27,7 +27,7 @@ typedef enum ts_type_t ts_type_t;
typedef struct traffic_selector_t traffic_selector_t;
#include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
/**
* Traffic selector types.
@@ -231,6 +231,19 @@ traffic_selector_t *traffic_selector_create_from_string(
char *from_addr, u_int16_t from_port,
char *to_addr, u_int16_t to_port);
+
+
+/**
+ * Create a traffic selector from a CIDR string.
+ *
+ * @param string CIDR string, such as 10.1.0.0/16
+ * @param protocol protocol for this ts, such as TCP or UDP
+ * @param port single port for this TS, 0 for any port
+ * @return traffic selector, NULL if string invalid
+ */
+traffic_selector_t *traffic_selector_create_from_cidr(char *string,
+ u_int8_t protocol, u_int16_t port);
+
/**
* Create a new traffic selector using data read from the net.
*
diff --git a/src/libstrongswan/threading/mutex.c b/src/libstrongswan/threading/mutex.c
index 2ef918a28..f86e781c5 100644
--- a/src/libstrongswan/threading/mutex.c
+++ b/src/libstrongswan/threading/mutex.c
@@ -21,7 +21,7 @@
#include <errno.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "condvar.h"
#include "mutex.h"
@@ -282,13 +282,7 @@ METHOD(condvar_t, timed_wait, bool,
ms = timeout % 1000;
tv.tv_sec += s;
- tv.tv_usec += ms * 1000;
-
- if (tv.tv_usec > 1000000 /* 1s */)
- {
- tv.tv_usec -= 1000000;
- tv.tv_sec++;
- }
+ timeval_add_ms(&tv, ms);
return timed_wait_abs(this, mutex, tv);
}
diff --git a/src/libstrongswan/threading/rwlock.c b/src/libstrongswan/threading/rwlock.c
index 7097a8e8c..176445705 100644
--- a/src/libstrongswan/threading/rwlock.c
+++ b/src/libstrongswan/threading/rwlock.c
@@ -18,7 +18,7 @@
#include <pthread.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "rwlock.h"
#include "rwlock_condvar.h"
@@ -433,13 +433,8 @@ METHOD(rwlock_condvar_t, timed_wait, bool,
ms = timeout % 1000;
tv.tv_sec += s;
- tv.tv_usec += ms * 1000;
+ timeval_add_ms(&tv, ms);
- if (tv.tv_usec > 1000000 /* 1s */)
- {
- tv.tv_usec -= 1000000;
- tv.tv_sec++;
- }
return timed_wait_abs(this, lock, tv);
}
diff --git a/src/libstrongswan/threading/spinlock.c b/src/libstrongswan/threading/spinlock.c
index 812cf696b..a0de02ce5 100644
--- a/src/libstrongswan/threading/spinlock.c
+++ b/src/libstrongswan/threading/spinlock.c
@@ -13,20 +13,15 @@
* for more details.
*/
-#include <unistd.h> /* for _POSIX_SPIN_LOCKS */
#include <pthread.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "spinlock.h"
#include "mutex.h"
#include "lock_profiler.h"
-#if defined(_POSIX_SPIN_LOCKS) && _POSIX_SPIN_LOCKS == -1
-#undef _POSIX_SPIN_LOCKS
-#endif
-
typedef struct private_spinlock_t private_spinlock_t;
/**
@@ -39,7 +34,7 @@ struct private_spinlock_t {
*/
spinlock_t public;
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
/**
* wrapped pthread spin lock
@@ -51,20 +46,20 @@ struct private_spinlock_t {
*/
lock_profile_t profile;
-#else /* _POSIX_SPIN_LOCKS */
+#else /* HAVE_PTHREAD_SPIN_INIT */
/**
* use a mutex if spin locks are not available
*/
mutex_t *mutex;
-#endif /* _POSIX_SPIN_LOCKS */
+#endif /* HAVE_PTHREAD_SPIN_INIT */
};
METHOD(spinlock_t, lock, void,
private_spinlock_t *this)
{
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
int err;
profiler_start(&this->profile);
@@ -82,7 +77,7 @@ METHOD(spinlock_t, lock, void,
METHOD(spinlock_t, unlock, void,
private_spinlock_t *this)
{
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
int err;
err = pthread_spin_unlock(&this->spinlock);
@@ -98,7 +93,7 @@ METHOD(spinlock_t, unlock, void,
METHOD(spinlock_t, destroy, void,
private_spinlock_t *this)
{
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
profiler_cleanup(&this->profile);
pthread_spin_destroy(&this->spinlock);
#else
@@ -122,15 +117,12 @@ spinlock_t *spinlock_create()
},
);
-#ifdef _POSIX_SPIN_LOCKS
+#ifdef HAVE_PTHREAD_SPIN_INIT
pthread_spin_init(&this->spinlock, PTHREAD_PROCESS_PRIVATE);
profiler_init(&this->profile);
#else
- #warning Using mutexes as spin lock alternatives
this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
#endif
return &this->public;
}
-
-
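Review bot: With the `#warning` removed, a build in which `HAVE_PTHREAD_SPIN_INIT` is not defined now falls back to `mutex_create(MUTEX_TYPE_DEFAULT)` without any build-time trace. The macro is only defined if the configure check ran and config.h is reached through the includes, presumably via library.h, which is not visible here. The same switch is made in the struct, lock, unlock and destroy hunks of this file. A comment at the `#else` would keep the intent readable: `/* configure found no pthread_spin_init(), use a mutex instead */`. Separately, the return value of `pthread_spin_init()` in the context lines is still ignored; spinlock_create begins outside the hunk.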
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 9ef514ebc..e524409c7 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -32,11 +32,11 @@ static inline pid_t gettid()
#endif
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread_value.h>
#include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include "thread.h"
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index b6015fb35..0b6683233 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -54,7 +54,7 @@ struct private_backtrace_t {
#ifdef HAVE_BFD_H
#include <bfd.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
#include <threading/mutex.h>
/**
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index 34128d010..c36a76efe 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -27,7 +27,7 @@
# include <sys/prctl.h>
#endif /* HAVE_PRCTL */
-#include <debug.h>
+#include <utils/debug.h>
#if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R)
# include <threading/mutex.h>
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/utils/chunk.c
index d7f1c31d9..d7f1c31d9 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/utils/chunk.h
index 91b23da3b..67848eec1 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -17,7 +17,7 @@
/**
* @defgroup chunk chunk
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
*/
#ifndef CHUNK_H_
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/utils/debug.c
index e8c9e6b98..e8c9e6b98 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/utils/debug.c
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/utils/debug.h
index ff4b4a1e9..c46d3fe55 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/utils/debug.h
@@ -15,7 +15,7 @@
/**
* @defgroup debug debug
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
*/
#ifndef DEBUG_H_
@@ -26,7 +26,7 @@ typedef enum level_t level_t;
#include <stdio.h>
-#include "enum.h"
+#include "utils/enum.h"
/**
* Debug message group.
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/utils/enum.c
index 2dc7c5dde..9b3c4d566 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/utils/enum.c
@@ -65,15 +65,17 @@ int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
{
enum_name_t *ed = *((enum_name_t**)(args[0]));
int val = *((int*)(args[1]));
+ char *name, buf[32];
- char *name = enum_to_name(ed, val);
-
+ name = enum_to_name(ed, val);
if (name == NULL)
{
- return print_in_hook(data, "(%d)", val);
+ snprintf(buf, sizeof(buf), "(%d)", val);
+ name = buf;
}
- else
+ if (spec->minus)
{
- return print_in_hook(data, "%s", name);
+ return print_in_hook(data, "%-*s", spec->width, name);
}
+ return print_in_hook(data, "%*s", spec->width, name);
}
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/utils/enum.h
index 840371245..df8dbf8c1 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/utils/enum.h
@@ -16,7 +16,7 @@
/**
* @defgroup enum enum
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
*/
#ifndef ENUM_H_
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 024fcea4b..cdf229127 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -29,8 +29,8 @@ typedef struct identification_t identification_t;
typedef enum id_match_t id_match_t;
typedef enum id_part_t id_part_t;
-#include <chunk.h>
-#include <utils/enumerator.h>
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
/**
* Matches returned from identification_t.match
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/utils/integrity_checker.c
index e962aba70..e962aba70 100644
--- a/src/libstrongswan/integrity_checker.c
+++ b/src/libstrongswan/utils/integrity_checker.c
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/utils/integrity_checker.h
index 891ccccf7..afaa114b3 100644
--- a/src/libstrongswan/integrity_checker.h
+++ b/src/libstrongswan/utils/integrity_checker.h
@@ -15,7 +15,7 @@
/**
* @defgroup integrity_checker integrity_checker
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
*/
#ifndef INTEGRITY_CHECKER_H_
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index cface0538..2b0be1661 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -32,9 +32,9 @@
#include "leak_detective.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <utils/backtrace.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
typedef struct private_leak_detective_t private_leak_detective_t;
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index 5fd4cfd4d..117071351 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -2,22 +2,22 @@
* Copyright (C) 2007-2008 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
- * This library is distributed in the hope that it will be useful, but
+ * This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
- * License for more details.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
*/
#include <stdio.h>
#include <errno.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <utils/lexparser.h>
#include "optionsfrom.h"
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/utils/printf_hook.c
index 6e51aa4c3..6e51aa4c3 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/utils/printf_hook.c
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/utils/printf_hook.h
index 7d3f23bce..1425910be 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/utils/printf_hook.h
@@ -16,7 +16,7 @@
/**
* @defgroup printf_hook printf_hook
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
*/
#ifndef PRINTF_HOOK_H_
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/utils/settings.c
index 8977cd9ed..712ea6ee2 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -31,9 +31,9 @@
#include "settings.h"
-#include "debug.h"
-#include "utils/linked_list.h"
+#include "collections/linked_list.h"
#include "threading/rwlock.h"
+#include "utils/debug.h"
#define MAX_INCLUSION_LEVEL 10
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/utils/settings.h
index c8b50d008..a861325f5 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/utils/settings.h
@@ -16,7 +16,7 @@
/**
* @defgroup settings settings
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
*/
#ifndef SETTINGS_H_
@@ -25,7 +25,7 @@
typedef struct settings_t settings_t;
#include "utils.h"
-#include "utils/enumerator.h"
+#include "collections/enumerator.h"
/**
* Convert a string value returned by a key/value enumerator to a boolean.
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils/utils.c
index d43a4bc2f..bf0224c5f 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -27,9 +27,8 @@
#include <time.h>
#include <pthread.h>
-#include "enum.h"
-#include "debug.h"
-#include "utils/enumerator.h"
+#include "collections/enumerator.h"
+#include "utils/debug.h"
ENUM(status_names, SUCCESS, NEED_MORE,
"SUCCESS",
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils/utils.h
index f47c65ac1..7b1beb93a 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -15,8 +15,8 @@
*/
/**
- * @defgroup utils utils
- * @{ @ingroup libstrongswan
+ * @defgroup utils_i utils
+ * @{ @ingroup utils
*/
#ifndef UTILS_H_
@@ -455,6 +455,22 @@ void closefrom(int lowfd);
time_t time_monotonic(timeval_t *tv);
/**
+ * Add the given number of milliseconds to the given timeval struct
+ *
+ * @param tv timeval struct to modify
+ * @param ms number of milliseconds
+ */
+static inline void timeval_add_ms(timeval_t *tv, u_int ms)
+{
+ tv->tv_usec += ms * 1000;
+ while (tv->tv_usec > 1000000 /* 1s */)
+ {
+ tv->tv_usec -= 1000000;
+ tv->tv_sec++;
+ }
+}
+
+/**
* returns null
*/
void *return_null();
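Review bot: The normalisation loop in `timeval_add_ms()` tests `tv->tv_usec > 1000000`, so a sum of exactly 1000000 microseconds stays in `tv_usec`. That is outside the valid range for a timeval and may be rejected or misread by code that turns it into an absolute timeout. `ms * 1000` is also evaluated in `u_int`, so where that type is 32 bits it wraps above about 4.29 million ms (roughly 71 minutes) and silently shortens the timeout. Splitting the value avoids both: `tv->tv_sec += ms / 1000; tv->tv_usec += (ms % 1000) * 1000;` followed by `if (tv->tv_usec >= 1000000) { tv->tv_usec -= 1000000; tv->tv_sec++; }`. The doc comment should also state that `tv` is expected to be normalised on entry.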
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index fb1136ee0..d54545aac 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
"$(DESTDIR)$(tls_includedir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
@@ -126,6 +132,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -153,6 +160,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -180,6 +188,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -192,6 +201,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -245,7 +255,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -370,7 +379,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES)
+libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) $(EXTRA_libtls_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -438,9 +447,7 @@ uninstall-nobase_tls_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nobase_tls_include_HEADERS)'; test -n "$(tls_includedir)" || list=; \
$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(tls_includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(tls_includedir)" && rm -f $$files
+ dir='$(DESTDIR)$(tls_includedir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -541,10 +548,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 2bcaffbc8..dea08e3eb 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -15,7 +15,7 @@
#include "tls.h"
-#include <debug.h>
+#include <utils/debug.h>
#include "tls_protection.h"
#include "tls_compression.h"
diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c
index 8a4fa7d77..7dd219db8 100644
--- a/src/libtls/tls_alert.c
+++ b/src/libtls/tls_alert.c
@@ -15,8 +15,8 @@
#include "tls_alert.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
ENUM_BEGIN(tls_alert_desc_names, TLS_CLOSE_NOTIFY, TLS_CLOSE_NOTIFY,
"close notify",
diff --git a/src/libtls/tls_cache.c b/src/libtls/tls_cache.c
index a89201ad7..c13b1e851 100644
--- a/src/libtls/tls_cache.c
+++ b/src/libtls/tls_cache.c
@@ -15,9 +15,9 @@
#include "tls_cache.h"
-#include <debug.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
#include <threading/rwlock.h>
typedef struct private_tls_cache_t private_tls_cache_t;
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index f74984879..12aa049a2 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -15,7 +15,7 @@
#include "tls_crypto.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
@@ -1110,6 +1110,7 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
}
enumerator->destroy(enumerator);
+ supported->wrap16(supported);
writer->write_data16(writer, supported->get_buf(supported));
supported->destroy(supported);
}
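Review bot: The added `supported->wrap16(supported)` followed by `write_data16()` produces two 16-bit length prefixes, and nothing in the code says that this is intended. A short comment above the call, such as `/* inner list length; write_data16() below adds the extension data length */`, would stop a later cleanup from dropping one of them and emitting a malformed extension. The same applies to `curves->wrap16(curves)` in the `send_client_hello()` hunk of tls_peer.c. Both function bodies start outside their hunks, so the enclosing extension layout is inferred from the names rather than visible here.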
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 928aadcb3..68cebb994 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -18,7 +18,7 @@
#include "tls.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <library.h>
/**
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index f2fa77cfd..c76376b43 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -16,7 +16,7 @@
#include "tls_fragmentation.h"
#include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
/**
* Maximum size of a TLS handshake message we accept
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 65072d087..622df4035 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -15,7 +15,7 @@
#include "tls_peer.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
#include <time.h>
@@ -760,6 +760,7 @@ static status_t send_client_hello(private_tls_peer_t *this,
enumerator->destroy(enumerator);
if (curves)
{
+ curves->wrap16(curves);
extensions->write_data16(extensions, curves->get_buf(curves));
curves->destroy(curves);
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index 8263728bb..0d5df18f7 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -15,7 +15,7 @@
#include "tls_protection.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tls_protection_t private_tls_protection_t;
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index a66448d24..ec42b67fc 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -17,7 +17,7 @@
#include <time.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
typedef struct private_tls_server_t private_tls_server_t;
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 3abff596d..75b714e30 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -18,7 +18,7 @@
#include <unistd.h>
#include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread.h>
/**
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 5eac73ab0..1e9f639f8 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
libtnccs_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
@@ -116,6 +122,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -143,6 +150,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,6 +178,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -182,6 +191,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -235,7 +245,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -359,7 +368,7 @@ clean-ipseclibLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES)
+libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES) $(EXTRA_libtnccs_la_DEPENDENCIES)
$(LINK) -rpath $(ipseclibdir) $(libtnccs_la_OBJECTS) $(libtnccs_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -527,10 +536,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libtnccs/tnc/imc/imc_manager.h b/src/libtnccs/tnc/imc/imc_manager.h
index 25e0efe9d..db033c4c0 100644
--- a/src/libtnccs/tnc/imc/imc_manager.h
+++ b/src/libtnccs/tnc/imc/imc_manager.h
@@ -55,7 +55,31 @@ struct imc_manager_t {
* @param path path of the IMC dynamic library file
* @return TRUE if loading succeeded
*/
- bool (*load)(imc_manager_t *this, char *name, char *path);
+ bool (*load)(imc_manager_t *this, char *name, char *path);
+
+ /**
+ * Load and initialize an IMC from a set of TNC IMC functions.
+ *
+ * @param name name of the IMC
+ * @param initialize TNC_IMC_InitializePointer
+ * @param notify_connection_change TNC_IMC_NotifyConnectionChangePointer
+ * @param begin_handshake TNC_IMC_BeginHandshakePointer
+ * @param receive_message TNC_IMC_ReceiveMessagePointer
+ * @param receive_message_long TNC_IMC_ReceiveMessageLongPointer
+ * @param batch_ending TNC_IMC_BatchEndingPointer
+ * @param terminate TNC_IMC_TerminatePointer
+ * @param provide_bind_function TNC_IMC_ProvideBindFunctionPointer
+ * @return TRUE if loading succeeded
+ */
+ bool (*load_from_functions)(imc_manager_t *this, char *name,
+ TNC_IMC_InitializePointer initialize,
+ TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMC_BeginHandshakePointer begin_handshake,
+ TNC_IMC_ReceiveMessagePointer receive_message,
+ TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMC_BatchEndingPointer batch_ending,
+ TNC_IMC_TerminatePointer terminate,
+ TNC_IMC_ProvideBindFunctionPointer provide_bind_function);
/**
* Check if an IMC with a given ID is registered with the IMC manager
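Review bot: The doc comment for `load_from_functions` names the type of each pointer but leaves out the contract a caller needs. It should state which of the eight pointers may be NULL, and whether `name` is copied or must outlive the call. Callers of this entry point pass raw function pointers that the manager will later invoke, so an undocumented NULL rule turns into a crash at handshake time rather than at load time. One line per optional parameter, e.g. `@param batch_ending TNC_IMC_BatchEndingPointer, may be NULL`, would do, assuming the implementation does accept NULL there; it is not visible in this hunk. The parallel declaration added to imv_manager.h has the same gap.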
diff --git a/src/libtnccs/tnc/imv/imv_manager.h b/src/libtnccs/tnc/imv/imv_manager.h
index 43f40973c..7772b7e08 100644
--- a/src/libtnccs/tnc/imv/imv_manager.h
+++ b/src/libtnccs/tnc/imv/imv_manager.h
@@ -56,8 +56,31 @@ struct imv_manager_t {
* @param path path of the IMV dynamic library file
* @return TRUE if loading succeeded
*/
- bool (*load)(imv_manager_t *this, char *name, char *path);
+ bool (*load)(imv_manager_t *this, char *name, char *path);
+ /**
+ * Load and initialize an IMV from a set of TNC IMC functions.
+ *
+ * @param name name of the IMV
+ * @param initialize TNC_IMV_InitializePointer
+ * @param notify_connection_change TNC_IMV_NotifyConnectionChangePointer
+ * @param receive_message TNC_IMV_ReceiveMessagePointer
+ * @param receive_message_long TNC_IMV_ReceiveMessageLongPointer
+ * @param solicit_recommendation TNC_IMV_SolicitRecommendationPointer
+ * @param batch_ending TNC_IMV_BatchEndingPointer
+ * @param terminate TNC_IMV_TerminatePointer
+ * @param provide_bind_function TNC_IMV_ProvideBindFunctionPointer
+ * @return TRUE if loading succeeded
+ */
+ bool (*load_from_functions)(imv_manager_t *this, char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
/**
* Check if an IMV with a given ID is registered with the IMV manager
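Review bot: The new doc comment on the IMV side says "from a set of TNC IMC functions", which looks like a copy from imc_manager.h. It should read `Load and initialize an IMV from a set of TNC IMV functions.` to match the `TNC_IMV_*Pointer` parameters listed below it. The blank line that separated `load` from the next doc comment was also dropped here, while the IMC header keeps it.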
diff --git a/src/libtnccs/tnc/tnc.c b/src/libtnccs/tnc/tnc.c
index 7c0ee4132..769b9fa54 100644
--- a/src/libtnccs/tnc/tnc.c
+++ b/src/libtnccs/tnc/tnc.c
@@ -23,7 +23,7 @@
#include <fcntl.h>
#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_tnc_t private_tnc_t;
@@ -40,6 +40,11 @@ struct private_tnc_t {
* Public members of tnc_t.
*/
tnc_t public;
+
+ /**
+ * Number of times we have been initialized
+ */
+ refcount_t ref;
};
/**
@@ -54,9 +59,17 @@ void libtnccs_init(void)
{
private_tnc_t *this;
+ if (tnc)
+ { /* already initialized, increase refcount */
+ this = (private_tnc_t*)tnc;
+ ref_get(&this->ref);
+ return;
+ }
+
INIT(this,
.public = {
},
+ .ref = 1,
);
tnc = &this->public;
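Review bot: The `if (tnc)` test at the top of `libtnccs_init()` and the `tnc = &this->public` assignment at the end are separate steps, so the new reference count is only safe while callers serialise init and deinit. If two threads could reach the first init together, both would allocate and one instance would be leaked. In the next hunk, `libtnccs_deinit()` can likewise free the object while a concurrent init is about to call `ref_get()` on it. Whether such callers exist is not visible from the hunk. If the functions are only called from library or plugin load and unload, record that at the definition, e.g. `/* not thread-safe, call during library/plugin setup and teardown only */`.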
@@ -69,6 +82,11 @@ void libtnccs_deinit(void)
{
private_tnc_t *this = (private_tnc_t*)tnc;
+ if (!this || !ref_put(&this->ref))
+ { /* have more users */
+ return;
+ }
+
free(this);
tnc = NULL;
}
@@ -145,9 +163,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
}
/* copy the IMC/IMV name */
- name = malloc(token.len + 1);
- memcpy(name, token.ptr, token.len);
- name[token.len] = '\0';
+ name = strndup(token.ptr, token.len);
/* advance to the IMC/IMV path and extract it */
if (!eat_whitespace(&line))
@@ -162,9 +178,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
}
/* copy the IMC/IMV path */
- path = malloc(token.len + 1);
- memcpy(path, token.ptr, token.len);
- path[token.len] = '\0';
+ path = strndup(token.ptr, token.len);
/* load and register an IMC/IMV instance */
if (is_imc)
@@ -175,6 +189,8 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
{
success = tnc->imvs->load(tnc->imvs, name, path);
}
+ free(name);
+ free(path);
if (!success)
{
break;
@@ -243,24 +259,10 @@ bool tnc_manager_register(plugin_t *plugin, plugin_feature_t *feature,
if (load_imcvs)
{
- char *tnc_config;
-
- tnc_config = lib->settings->get_str(lib->settings,
- "libtnccs.tnc_config", "/etc/tnc_config");
- if (!load_imcvs_from_config(tnc_config, is_imc))
- {
- if (is_imc)
- {
- tnc->imcs->destroy(tnc->imcs);
- tnc->imcs = NULL;
- }
- else
- {
- tnc->imvs->destroy(tnc->imvs);
- tnc->imvs = NULL;
- }
- return FALSE;
- }
+ load_imcvs_from_config(
+ lib->settings->get_str(lib->settings,
+ "libtnccs.tnc_config", "/etc/tnc_config"),
+ is_imc);
}
}
return TRUE;
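Review bot: The return value of `load_imcvs_from_config()` is now discarded in `tnc_manager_register()`, so a tnc_config that fails to load leaves the manager registered with whatever subset was loaded before the first failure. The loader breaks out of its loop on the first failing entry, as an earlier hunk shows, so later entries are skipped. For IMVs that means an integrity check the administrator configured may be missing from an assessment without any signal at this level. If continuing is intended, at least report the partial load here, unless the loader already logs every failure, which is not visible in this hunk. The function body starts outside the hunk.

```c
		if (load_imcvs)
		{
			char *tnc_config;

			tnc_config = lib->settings->get_str(lib->settings,
								"libtnccs.tnc_config", "/etc/tnc_config");
			if (!load_imcvs_from_config(tnc_config, is_imc))
			{	/* manager stays registered, but a partial load must be visible */
				DBG1(DBG_TNC, "loading %s from '%s' failed or was incomplete",
					 is_imc ? "IMCs" : "IMVs", tnc_config);
			}
		}
```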
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.c b/src/libtnccs/tnc/tnccs/tnccs_manager.c
index fa91bfb21..fca4b2584 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.c
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.c
@@ -17,7 +17,7 @@
#include "tnc/tnc.h"
-#include <debug.h>
+#include <utils/debug.h>
/**
* See header
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 013266c20..e2add7ab0 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -93,6 +93,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -120,6 +121,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -147,6 +149,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -159,6 +162,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -212,7 +216,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -309,7 +312,7 @@ clean-noinstLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
-libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES)
+libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES) $(EXTRA_libtncif_la_DEPENDENCIES)
$(LINK) $(libtncif_la_OBJECTS) $(libtncif_la_LIBADD) $(LIBS)
mostlyclean-compile:
@@ -444,10 +447,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c
index d15a1c864..135be3c31 100644
--- a/src/libtncif/tncif_pa_subtypes.c
+++ b/src/libtncif/tncif_pa_subtypes.c
@@ -61,12 +61,11 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY,
);
ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY);
-ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_SCANNER,
- "Test",
- "Scanner"
+ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_TEST,
+ "Test"
);
ENUM_NEXT(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY, PA_SUBTYPE_ITA_ANY,
- PA_SUBTYPE_ITA_SCANNER,
+ PA_SUBTYPE_ITA_TEST,
"ANY"
);
ENUM_END(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY);
diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h
index 0be495bfc..2dc4c9220 100644
--- a/src/libtncif/tncif_pa_subtypes.h
+++ b/src/libtncif/tncif_pa_subtypes.h
@@ -84,7 +84,6 @@ extern enum_name_t *pa_subtype_fhh_names;
*/
enum pa_subtype_ita_t {
PA_SUBTYPE_ITA_TEST = 0x01,
- PA_SUBTYPE_ITA_SCANNER = 0x02,
PA_SUBTYPE_ITA_ANY = 0xff
};
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index e65328cfa..7aeed94f8 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -109,6 +109,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
DATA = $(manager_templates_DATA) $(manager_templates_auth_DATA) \
$(manager_templates_config_DATA) \
$(manager_templates_control_DATA) \
@@ -137,6 +143,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -164,6 +171,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -191,6 +199,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -203,6 +212,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -256,7 +266,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -430,7 +439,7 @@ clean-managerPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES)
+manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) $(EXTRA_manager_fcgi_DEPENDENCIES)
@rm -f manager.fcgi$(EXEEXT)
$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
@@ -564,9 +573,7 @@ uninstall-manager_templatesDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templatesdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templatesdir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templatesdir)'; $(am__uninstall_files_from_dir)
install-manager_templates_authDATA: $(manager_templates_auth_DATA)
@$(NORMAL_INSTALL)
test -z "$(manager_templates_authdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)"
@@ -584,9 +591,7 @@ uninstall-manager_templates_authDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templates_authdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templates_authdir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templates_authdir)'; $(am__uninstall_files_from_dir)
install-manager_templates_configDATA: $(manager_templates_config_DATA)
@$(NORMAL_INSTALL)
test -z "$(manager_templates_configdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)"
@@ -604,9 +609,7 @@ uninstall-manager_templates_configDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templates_configdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templates_configdir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templates_configdir)'; $(am__uninstall_files_from_dir)
install-manager_templates_controlDATA: $(manager_templates_control_DATA)
@$(NORMAL_INSTALL)
test -z "$(manager_templates_controldir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)"
@@ -624,9 +627,7 @@ uninstall-manager_templates_controlDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templates_controldir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templates_controldir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templates_controldir)'; $(am__uninstall_files_from_dir)
install-manager_templates_gatewayDATA: $(manager_templates_gateway_DATA)
@$(NORMAL_INSTALL)
test -z "$(manager_templates_gatewaydir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)"
@@ -644,9 +645,7 @@ uninstall-manager_templates_gatewayDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templates_gatewaydir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templates_gatewaydir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templates_gatewaydir)'; $(am__uninstall_files_from_dir)
install-manager_templates_ikesaDATA: $(manager_templates_ikesa_DATA)
@$(NORMAL_INSTALL)
test -z "$(manager_templates_ikesadir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)"
@@ -664,9 +663,7 @@ uninstall-manager_templates_ikesaDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templates_ikesadir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templates_ikesadir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templates_ikesadir)'; $(am__uninstall_files_from_dir)
install-manager_templates_staticDATA: $(manager_templates_static_DATA)
@$(NORMAL_INSTALL)
test -z "$(manager_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)"
@@ -684,9 +681,7 @@ uninstall-manager_templates_staticDATA:
@$(NORMAL_UNINSTALL)
@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(manager_templates_staticdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(manager_templates_staticdir)" && rm -f $$files
+ dir='$(DESTDIR)$(manager_templates_staticdir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -787,10 +782,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/manager/gateway.h b/src/manager/gateway.h
index db44a2ffa..5792ebf02 100644
--- a/src/manager/gateway.h
+++ b/src/manager/gateway.h
@@ -21,8 +21,8 @@
#ifndef GATEWAY_H_
#define GATEWAY_H_
-#include <utils/host.h>
-#include <utils/enumerator.h>
+#include <networking/host.h>
+#include <collections/enumerator.h>
typedef struct gateway_t gateway_t;
diff --git a/src/manager/main.c b/src/manager/main.c
index 5c297cf0c..15ed38154 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -14,7 +14,7 @@
*/
#include <dispatcher.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <stdio.h>
#include "manager.h"
diff --git a/src/manager/manager.c b/src/manager/manager.c
index b6f3951c4..207800bd2 100644
--- a/src/manager/manager.c
+++ b/src/manager/manager.c
@@ -17,7 +17,7 @@
#include "gateway.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_manager_t private_manager_t;
diff --git a/src/manager/storage.h b/src/manager/storage.h
index 69459e5aa..4324e99fe 100644
--- a/src/manager/storage.h
+++ b/src/manager/storage.h
@@ -21,7 +21,7 @@
#ifndef STORAGE_H_
#define STORAGE_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct storage_t storage_t;
diff --git a/src/manager/xml.h b/src/manager/xml.h
index 0c362fed1..bd11cb4f8 100644
--- a/src/manager/xml.h
+++ b/src/manager/xml.h
@@ -21,7 +21,7 @@
#ifndef XML_H_
#define XML_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct xml_t xml_t;
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 85b1f0d92..de602300a 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -103,6 +103,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
DATA = $(medsrv_templates_DATA) $(medsrv_templates_peer_DATA) \
$(medsrv_templates_static_DATA) $(medsrv_templates_user_DATA)
ETAGS = etags
@@ -127,6 +133,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -154,6 +161,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,6 +189,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -193,6 +202,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -246,7 +256,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -407,7 +416,7 @@ clean-medsrvPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES)
+medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) $(EXTRA_medsrv_fcgi_DEPENDENCIES)
@rm -f medsrv.fcgi$(EXEEXT)
$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
@@ -508,9 +517,7 @@ uninstall-medsrv_templatesDATA:
@$(NORMAL_UNINSTALL)
@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(medsrv_templatesdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(medsrv_templatesdir)" && rm -f $$files
+ dir='$(DESTDIR)$(medsrv_templatesdir)'; $(am__uninstall_files_from_dir)
install-medsrv_templates_peerDATA: $(medsrv_templates_peer_DATA)
@$(NORMAL_INSTALL)
test -z "$(medsrv_templates_peerdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)"
@@ -528,9 +535,7 @@ uninstall-medsrv_templates_peerDATA:
@$(NORMAL_UNINSTALL)
@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(medsrv_templates_peerdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(medsrv_templates_peerdir)" && rm -f $$files
+ dir='$(DESTDIR)$(medsrv_templates_peerdir)'; $(am__uninstall_files_from_dir)
install-medsrv_templates_staticDATA: $(medsrv_templates_static_DATA)
@$(NORMAL_INSTALL)
test -z "$(medsrv_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)"
@@ -548,9 +553,7 @@ uninstall-medsrv_templates_staticDATA:
@$(NORMAL_UNINSTALL)
@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(medsrv_templates_staticdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(medsrv_templates_staticdir)" && rm -f $$files
+ dir='$(DESTDIR)$(medsrv_templates_staticdir)'; $(am__uninstall_files_from_dir)
install-medsrv_templates_userDATA: $(medsrv_templates_user_DATA)
@$(NORMAL_INSTALL)
test -z "$(medsrv_templates_userdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)"
@@ -568,9 +571,7 @@ uninstall-medsrv_templates_userDATA:
@$(NORMAL_UNINSTALL)
@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(medsrv_templates_userdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(medsrv_templates_userdir)" && rm -f $$files
+ dir='$(DESTDIR)$(medsrv_templates_userdir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -671,10 +672,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index edcf653b2..7b0b9e6ac 100644
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -20,7 +20,7 @@
#include "peer_controller.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
#include <asn1/oid.h>
#include <utils/identification.h>
diff --git a/src/medsrv/filter/auth_filter.c b/src/medsrv/filter/auth_filter.c
index d21abdc46..436a72f2b 100644
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@@ -16,7 +16,7 @@
#include "auth_filter.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_auth_filter_t private_auth_filter_t;
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 1f43a7e17..03b135289 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -17,7 +17,7 @@
#include <stdio.h>
#include <dispatcher.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <database/database.h>
#include "filter/auth_filter.h"
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 9b67a5667..0315adf08 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -96,6 +96,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
man8dir = $(mandir)/man8
NROFF = nroff
MANS = $(dist_man_MANS)
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -372,7 +381,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES)
+openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES)
@rm -f openac$(EXEEXT)
$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
@@ -445,9 +454,7 @@ uninstall-man8:
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -561,10 +568,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 745988750..7b81d6cea 100644
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -31,7 +31,7 @@
#include <time.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/ac.h>
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 482f83834..be74e5d00 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -9,6 +9,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
commands/self.c \
commands/print.c \
commands/signcrl.c \
+ commands/pkcs7.c \
commands/verify.c
pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 609ab345b..bc38e96c0 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -58,7 +58,7 @@ PROGRAMS = $(ipsec_PROGRAMS)
am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \
self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \
- verify.$(OBJEXT)
+ pkcs7.$(OBJEXT) verify.$(OBJEXT)
pki_OBJECTS = $(am_pki_OBJECTS)
pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
@@ -98,6 +98,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -125,6 +126,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -152,6 +154,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -164,6 +167,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -217,7 +221,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -273,6 +276,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
commands/self.c \
commands/print.c \
commands/signcrl.c \
+ commands/pkcs7.c \
commands/verify.c
pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -357,7 +361,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES)
+pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) $(EXTRA_pki_DEPENDENCIES)
@rm -f pki$(EXEEXT)
$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
@@ -371,6 +375,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@
@@ -512,6 +517,20 @@ signcrl.obj: commands/signcrl.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+pkcs7.o: commands/pkcs7.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.o -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/pkcs7.c' object='pkcs7.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+
+pkcs7.obj: commands/pkcs7.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.obj -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/pkcs7.c' object='pkcs7.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+
verify.o: commands/verify.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
@@ -631,10 +650,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/pki/command.c b/src/pki/command.c
index 43328575c..a5e5b8528 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -23,7 +23,7 @@
#include <stdio.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <utils/optionsfrom.h>
/**
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 33d9cf35d..e3602f0c3 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -22,9 +22,10 @@ static int gen()
{
cred_encoding_type_t form = PRIVKEY_ASN1_DER;
key_type_t type = KEY_RSA;
- u_int size = 0;
+ u_int size = 0, shares = 0, threshold = 1;
private_key_t *key;
chunk_t encoding;
+ bool safe_primes = FALSE;
char *arg;
while (TRUE)
@@ -60,6 +61,23 @@ static int gen()
return command_usage("invalid key size");
}
continue;
+ case 'p':
+ safe_primes = TRUE;
+ continue;
+ case 'n':
+ shares = atoi(arg);
+ if (shares < 2)
+ {
+ return command_usage("invalid number of key shares");
+ }
+ continue;
+ case 'l':
+ threshold = atoi(arg);
+ if (threshold < 1)
+ {
+ return command_usage("invalid key share threshold");
+ }
+ continue;
case EOF:
break;
default:
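Review bot: A negative argument passes both new range checks, because `shares` and `threshold` are declared `u_int` and the `atoi()` result is converted to unsigned before `shares < 2` and `threshold < 1` are evaluated. `--shares -1` is therefore accepted as a very large share count. Trailing garbage such as `3x` is also accepted, since `atoi()` reports no parse errors. Parsing into a signed temporary first, `int n = atoi(arg); if (n < 2) { return command_usage("invalid number of key shares"); } shares = n;`, or using `strtoul()` with an end pointer and an upper bound, would reject these. The body of gen() starts and ends outside this hunk.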
@@ -82,8 +100,27 @@ static int gen()
break;
}
}
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
- BUILD_KEY_SIZE, size, BUILD_END);
+ if (type == KEY_RSA && shares)
+ {
+ if (threshold > shares)
+ {
+ return command_usage("threshold is larger than number of shares");
+ }
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES,
+ BUILD_SHARES, shares, BUILD_THRESHOLD, threshold,
+ BUILD_END);
+ }
+ else if (type == KEY_RSA && safe_primes)
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES, BUILD_END);
+ }
+ else
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_KEY_SIZE, size, BUILD_END);
+ }
if (!key)
{
fprintf(stderr, "private key generation failed\n");
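Review bot: Options that do not match one of the three branches are dropped without any message: with `--type ecdsa`, both `--shares` and `--safe-primes` fall through to the plain `BUILD_KEY_SIZE` build. For a key-generation command that is worth rejecting, because the operator receives an ordinary key while believing the requested properties were applied. A guard before the build such as `if (type != KEY_RSA && (shares || safe_primes)) { return command_usage("--shares and --safe-primes require an RSA key"); }` would surface it. The first branch also passes `BUILD_SAFE_PRIMES` whenever shares are requested, even without `--safe-primes`, which deserves a one-line comment. gen() begins and ends outside this hunk.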
@@ -113,12 +150,16 @@ static void __attribute__ ((constructor))reg()
{
command_register((command_t) {
gen, 'g', "gen", "generate a new private key",
- {"[--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]"},
+ {" [--type rsa|ecdsa] [--size bits] [--safe-primes]",
+ "[--shares n] [--threshold l] [--outform der|pem|pgp]"},
{
- {"help", 'h', 0, "show usage information"},
- {"type", 't', 1, "type of key, default: rsa"},
- {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
- {"outform", 'f', 1, "encoding of generated private key"},
+ {"help", 'h', 0, "show usage information"},
+ {"type", 't', 1, "type of key, default: rsa"},
+ {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+ {"safe-primes", 'p', 0, "generate rsa safe primes"},
+ {"shares", 'n', 1, "number of private rsa key shares"},
+ {"threshold", 'l', 1, "minimum number of participating rsa key shares"},
+ {"outform", 'f', 1, "encoding of generated private key"},
}
});
}
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 47e668b6c..5f098ba41 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -17,9 +17,9 @@
#include "pki.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/pkcs10.h>
diff --git a/src/pki/commands/pkcs7.c b/src/pki/commands/pkcs7.c
new file mode 100644
index 000000000..790656c62
--- /dev/null
+++ b/src/pki/commands/pkcs7.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <credentials/containers/pkcs7.h>
+#include <credentials/sets/mem_cred.h>
+
+/**
+ * Read input data as chunk
+ */
+static chunk_t read_from_stream(FILE *stream)
+{
+ char buf[8096];
+ size_t len, total = 0;
+
+ while (TRUE)
+ {
+ len = fread(buf + total, 1, sizeof(buf) - total, stream);
+ if (len < (sizeof(buf) - total))
+ {
+ if (ferror(stream))
+ {
+ return chunk_empty;
+ }
+ if (feof(stream))
+ {
+ return chunk_clone(chunk_create(buf, total + len));
+ }
+ }
+ total += len;
+ if (total == sizeof(buf))
+ {
+ fprintf(stderr, "buffer too small to read input!\n");
+ return chunk_empty;
+ }
+ }
+}
+
+/**
+ * Write output data from chunk to stream
+ */
+static bool write_to_stream(FILE *stream, chunk_t data)
+{
+ size_t len, total = 0;
+
+ while (total < data.len)
+ {
+ len = fwrite(data.ptr + total, 1, data.len - total, stream);
+ if (len <= 0)
+ {
+ return FALSE;
+ }
+ total += len;
+ }
+ return TRUE;
+}
+
+/**
+ * Verify PKCS#7 signed-data
+ */
+static int verify(chunk_t chunk)
+{
+ container_t *container;
+ pkcs7_t *pkcs7;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ auth_cfg_t *auth;
+ chunk_t data;
+ time_t t;
+ bool verified = FALSE;
+
+ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+ if (!container)
+ {
+ return 1;
+ }
+
+ if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+ {
+ fprintf(stderr, "verification failed, container is %N\n",
+ container_type_names, container->get_type(container));
+ container->destroy(container);
+ return 1;
+ }
+
+ pkcs7 = (pkcs7_t*)container;
+ enumerator = container->create_signature_enumerator(container);
+ while (enumerator->enumerate(enumerator, &auth))
+ {
+ verified = TRUE;
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (cert)
+ {
+ fprintf(stderr, "signed by '%Y'", cert->get_subject(cert));
+
+ if (pkcs7->get_attribute(pkcs7, OID_PKCS9_SIGNING_TIME,
+ enumerator, &data))
+ {
+ t = asn1_to_time(&data, ASN1_UTCTIME);
+ if (t != UNDEFINED_TIME)
+ {
+ fprintf(stderr, " at %T", &t, FALSE);
+ }
+ free(data.ptr);
+ }
+ fprintf(stderr, "\n");
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!verified)
+ {
+ fprintf(stderr, "no trusted signature found\n");
+ }
+
+ if (verified)
+ {
+ if (container->get_data(container, &data))
+ {
+ write_to_stream(stdout, data);
+ free(data.ptr);
+ }
+ else
+ {
+ verified = FALSE;
+ }
+ }
+ container->destroy(container);
+
+ return verified ? 0 : 1;
+}
+
+/**
+ * Sign data into PKCS#7 signed-data
+ */
+static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key)
+{
+ container_t *container;
+ chunk_t encoding;
+ int res = 1;
+
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+ BUILD_BLOB, chunk,
+ BUILD_SIGNING_CERT, cert,
+ BUILD_SIGNING_KEY, key,
+ BUILD_END);
+ if (container)
+ {
+ if (container->get_encoding(container, &encoding))
+ {
+ write_to_stream(stdout, encoding);
+ free(encoding.ptr);
+ }
+ container->destroy(container);
+ }
+ return res;
+}
+
+/**
+ * Encrypt data to a PKCS#7 enveloped-data
+ */
+static int encrypt(chunk_t chunk, certificate_t *cert)
+{
+ container_t *container;
+ chunk_t encoding;
+ int res = 1;
+
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+ BUILD_BLOB, chunk, BUILD_CERT, cert,
+ BUILD_END);
+ if (container)
+ {
+ if (container->get_encoding(container, &encoding))
+ {
+ write_to_stream(stdout, encoding);
+ free(encoding.ptr);
+ }
+ container->destroy(container);
+ }
+ return res;
+}
+
+/**
+ * Decrypt PKCS#7 enveloped-data
+ */
+static int decrypt(chunk_t chunk)
+{
+ container_t *container;
+ chunk_t data;
+
+ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+ if (!container)
+ {
+ return 1;
+ }
+ if (container->get_type(container) != CONTAINER_PKCS7_ENVELOPED_DATA)
+ {
+ fprintf(stderr, "decryption failed, container is %N\n",
+ container_type_names, container->get_type(container));
+ container->destroy(container);
+ return 1;
+ }
+ if (!container->get_data(container, &data))
+ {
+ fprintf(stderr, "PKCS#7 decryption failed\n");
+ container->destroy(container);
+ return 1;
+ }
+ container->destroy(container);
+
+ write_to_stream(stdout, data);
+ free(data.ptr);
+
+ return 0;
+}
+
+/**
+ * Show info about PKCS#7 container
+ */
+static int show(chunk_t chunk)
+{
+ container_t *container;
+ pkcs7_t *pkcs7;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ chunk_t data;
+
+ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+ if (!container)
+ {
+ return 1;
+ }
+ fprintf(stderr, "%N\n", container_type_names, container->get_type(container));
+
+ if (container->get_type(container) == CONTAINER_PKCS7_SIGNED_DATA)
+ {
+ pkcs7 = (pkcs7_t*)container;
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (cert->get_encoding(cert, CERT_PEM, &data))
+ {
+ printf("%.*s", (int)data.len, data.ptr);
+ free(data.ptr);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ container->destroy(container);
+ return 0;
+}
+
+/**
+ * Wrap/Unwrap PKCs#7 containers
+ */
+static int pkcs7()
+{
+ char *arg, *file = NULL;
+ private_key_t *key = NULL;
+ certificate_t *cert = NULL;
+ chunk_t data = chunk_empty;
+ mem_cred_t *creds;
+ int res = 1;
+ FILE *in;
+ enum {
+ OP_NONE,
+ OP_SIGN,
+ OP_VERIFY,
+ OP_ENCRYPT,
+ OP_DECRYPT,
+ OP_SHOW,
+ } op = OP_NONE;
+
+ creds = mem_cred_create();
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ creds->destroy(creds);
+ return command_usage(NULL);
+ case 'i':
+ file = arg;
+ continue;
+ case 's':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_SIGN;
+ continue;
+ case 'u':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_VERIFY;
+ continue;
+ case 'e':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_ENCRYPT;
+ continue;
+ case 'd':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_DECRYPT;
+ continue;
+ case 'p':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_SHOW;
+ continue;
+ case 'k':
+ key = lib->creds->create(lib->creds,
+ CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_FROM_FILE, arg, BUILD_END);
+ if (!key)
+ {
+ fprintf(stderr, "parsing private key failed\n");
+ goto end;
+ }
+ creds->add_key(creds, key);
+ continue;
+ case 'c':
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, arg, BUILD_END);
+ if (!cert)
+ {
+ fprintf(stderr, "parsing certificate failed\n");
+ goto end;
+ }
+ creds->add_cert(creds, TRUE, cert);
+ continue;
+ case EOF:
+ break;
+ default:
+ invalid:
+ creds->destroy(creds);
+ return command_usage("invalid --pkcs7 option");
+ }
+ break;
+ }
+
+ if (file)
+ {
+ in = fopen(file, "r");
+ if (in)
+ {
+ data = read_from_stream(in);
+ fclose(in);
+ }
+ }
+ else
+ {
+ data = read_from_stream(stdin);
+ }
+
+ if (!data.len)
+ {
+ fprintf(stderr, "reading input failed!\n");
+ goto end;
+ }
+ if (op != OP_SHOW && !cert)
+ {
+ fprintf(stderr, "requiring a certificate!\n");
+ goto end;
+ }
+
+ lib->credmgr->add_local_set(lib->credmgr, &creds->set, FALSE);
+
+ switch (op)
+ {
+ case OP_SIGN:
+ if (!key)
+ {
+ fprintf(stderr, "signing requires a private key\n");
+ res = 1;
+ break;
+ }
+ res = sign(data, cert, key);
+ break;
+ case OP_VERIFY:
+ res = verify(data);
+ break;
+ case OP_ENCRYPT:
+ res = encrypt(data, cert);
+ break;
+ case OP_DECRYPT:
+ if (!key)
+ {
+ fprintf(stderr, "decryption requires a private key\n");
+ res = 1;
+ break;
+ }
+ res = decrypt(data);
+ break;
+ case OP_SHOW:
+ res = show(data);
+ break;
+ default:
+ res = 1;
+ break;
+ }
+ lib->credmgr->remove_local_set(lib->credmgr, &creds->set);
+
+end:
+ creds->destroy(creds);
+ free(data.ptr);
+ return res;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t) {
+ pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
+ {"--sign | --verify | --encrypt | --decrypt",
+ "--certificate+ [--key]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"sign", 's', 0, "create PKCS#7 signed-data"},
+ {"verify", 'u', 0, "verify PKCS#7 signed-data"},
+ {"encrypt", 'e', 0, "create PKCS#7 enveloped-data"},
+ {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"},
+ {"show", 'p', 0, "show info about PKCS#7, print certificates"},
+ {"in", 'i', 1, "input file, default: stdin"},
+ {"key", 'k', 1, "path to private key for sign/decryp"},
+ {"cert", 'c', 1, "path to certificate for sign/verify/encryp"},
+ }
+ });
+}
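Review bot: sign() and encrypt() always return 1, because both initialise `int res = 1;` and never assign it once the container has been built and written, so the pkcs7 command reports failure for `--sign` and `--encrypt` even when valid output was produced. Taking the status from the write, `res = write_to_stream(stdout, encoding) ? 0 : 1;`, fixes both functions and stops ignoring a short write. verify() and decrypt() discard the write_to_stream() result in the same way, so a truncated stdout still exits 0, which matters to scripts that trust the exit status of a signature verification. Separately, read_from_stream() rejects any input of 8096 bytes or more because of its fixed stack buffer. The help strings also contain the typos "decryp" and "encryp", and the usage line names `--certificate` while the registered option is `cert`.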
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index d050c7032..d90ddc251 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -19,7 +19,7 @@
#include "pki.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/certificates/certificate.h>
/**
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 4a50aa463..448360821 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -17,7 +17,7 @@
#include "pki.h"
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <asn1/asn1.h>
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 4ada120ed..f9746cca7 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -17,8 +17,8 @@
#include "pki.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>
diff --git a/src/pki/pki.c b/src/pki/pki.c
index e28bf1595..3f77c5e8d 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -18,7 +18,7 @@
#include <unistd.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/sets/callback_cred.h>
/**
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index c2814a4e6..e67c8ebc3 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -96,6 +96,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
man8dir = $(mandir)/man8
NROFF = nroff
MANS = $(dist_man_MANS)
@@ -121,6 +127,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -148,6 +155,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,6 +183,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -187,6 +196,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -240,7 +250,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -379,7 +388,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES)
+scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) $(EXTRA_scepclient_DEPENDENCIES)
@rm -f scepclient$(EXEEXT)
$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
@@ -453,9 +462,7 @@ uninstall-man8:
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -569,10 +576,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 8b2fd179a..f2090274c 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -18,11 +18,10 @@
#include <stdlib.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <asn1/oid.h>
-#include <crypto/pkcs9.h>
#include <crypto/rngs/rng.h>
#include <crypto/hashers/hasher.h>
@@ -68,13 +67,12 @@ const scep_attributes_t empty_scep_attributes = {
/**
* Extract X.501 attributes
*/
-void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
+ scep_attributes_t *attrs)
{
- pkcs9_t *attributes = pkcs7->get_attributes(pkcs7);
chunk_t attr;
- attr = attributes->get_attribute(attributes, OID_PKI_MESSAGE_TYPE);
- if (attr.ptr)
+ if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
{
scep_msg_t m;
@@ -86,9 +84,9 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
}
}
DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
+ free(attr.ptr);
}
- attr = attributes->get_attribute(attributes, OID_PKI_STATUS);
- if (attr.ptr)
+ if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
{
pkiStatus_t s;
@@ -100,9 +98,9 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
}
}
DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
+ free(attr.ptr);
}
- attr = attributes->get_attribute(attributes, OID_PKI_FAIL_INFO);
- if (attr.ptr)
+ if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
{
if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
{
@@ -112,13 +110,15 @@ void extract_attributes(pkcs7_t *pkcs7, scep_attributes_t *attrs)
{
DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
}
+ free(attr.ptr);
}
- attrs->senderNonce = attributes->get_attribute(attributes,
- OID_PKI_SENDER_NONCE);
- attrs->recipientNonce = attributes->get_attribute(attributes,
- OID_PKI_RECIPIENT_NONCE);
- attrs->transID = attributes->get_attribute(attributes,
- OID_PKI_TRANS_ID);
+
+ pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
+ &attrs->senderNonce);
+ pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
+ &attrs->recipientNonce);
+ pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
+ &attrs->transID);
}
/**
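Review bot: The three trailing `get_attribute` calls for senderNonce, recipientNonce and transID ignore the return value and store straight into `attrs`, so whatever those fields held before is overwritten without being freed. scep_parse_response calls this function once per signature, and scepclient's polling loop parses again into the same `attrs`, so each extra call appears to leak the previous chunks (the `free(attr.ptr)` lines added earlier in this function suggest the result is allocated). Releasing first, e.g. `chunk_free(&attrs->transID);` before each call, avoids that and leaves the field empty when the lookup fails, so the caller's transaction ID comparison cannot run against stale data. The function starts outside this hunk.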
@@ -188,68 +188,81 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
}
/**
- * Adds a senderNonce attribute to the given pkcs9 attribute list
+ * Builds a pkcs7 enveloped and signed scep request
*/
-static bool add_senderNonce_attribute(pkcs9_t *pkcs9)
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+ certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+ size_t key_size, certificate_t *signer_cert,
+ hash_algorithm_t digest_alg, private_key_t *private_key)
{
- const size_t nonce_len = 16;
- u_char nonce_buf[nonce_len];
- chunk_t senderNonce = { nonce_buf, nonce_len };
+ chunk_t request;
+ container_t *container;
+ char nonce[16];
rng_t *rng;
+ chunk_t senderNonce, msgType;
+ /* generate senderNonce */
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng || !rng->get_bytes(rng, nonce_len, nonce_buf))
+ if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce))
{
DESTROY_IF(rng);
- return FALSE;
+ return chunk_empty;
}
rng->destroy(rng);
- pkcs9->set_attribute(pkcs9, OID_PKI_SENDER_NONCE, senderNonce);
- return TRUE;
-}
-
-/**
- * Builds a pkcs7 enveloped and signed scep request
- */
-chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
- certificate_t *enc_cert, encryption_algorithm_t enc_alg,
- size_t key_size, certificate_t *signer_cert,
- hash_algorithm_t digest_alg, private_key_t *private_key)
-{
- chunk_t request, msgType = {
- (u_char*)msgType_values[msg],
- strlen(msgType_values[msg]),
- };
- pkcs7_t *pkcs7;
- pkcs9_t *pkcs9;
-
- pkcs7 = pkcs7_create_from_data(data);
- if (!pkcs7->build_envelopedData(pkcs7, enc_cert, enc_alg, key_size))
+ /* encrypt data in enveloped-data PKCS#7 */
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+ BUILD_BLOB, data,
+ BUILD_CERT, enc_cert,
+ BUILD_ENCRYPTION_ALG, enc_alg,
+ BUILD_KEY_SIZE, (int)key_size,
+ BUILD_END);
+ if (!container)
{
- pkcs7->destroy(pkcs7);
return chunk_empty;
}
-
- pkcs9 = pkcs9_create();
- pkcs9->set_attribute(pkcs9, OID_PKI_TRANS_ID, transID);
- pkcs9->set_attribute(pkcs9, OID_PKI_MESSAGE_TYPE, msgType);
- if (!add_senderNonce_attribute(pkcs9))
+ if (!container->get_encoding(container, &request))
{
- pkcs9->destroy(pkcs9);
- pkcs7->destroy(pkcs7);
+ container->destroy(container);
return chunk_empty;
}
-
- pkcs7->set_attributes(pkcs7, pkcs9);
- pkcs7->set_certificate(pkcs7, signer_cert->get_ref(signer_cert));
- if (!pkcs7->build_signedData(pkcs7, private_key, digest_alg))
+ container->destroy(container);
+
+ /* sign enveloped-data in a signed-data PKCS#7 */
+ senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce));
+ transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID);
+ msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c",
+ chunk_create((char*)msgType_values[msg],
+ strlen(msgType_values[msg])));
+
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+ BUILD_BLOB, request,
+ BUILD_SIGNING_CERT, signer_cert,
+ BUILD_SIGNING_KEY, private_key,
+ BUILD_DIGEST_ALG, digest_alg,
+ BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce,
+ BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID,
+ BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType,
+ BUILD_END);
+
+ free(request.ptr);
+ free(senderNonce.ptr);
+ free(transID.ptr);
+ free(msgType.ptr);
+
+ if (!container)
{
- pkcs7->destroy(pkcs7);
return chunk_empty;
}
- request = pkcs7->get_contentInfo(pkcs7);
- pkcs7->destroy(pkcs7);
+ if (!container->get_encoding(container, &request))
+ {
+ container->destroy(container);
+ return chunk_empty;
+ }
+ container->destroy(container);
+
return request;
}
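Review bot: Every failure path in the new scep_build_request returns `chunk_empty` without a log line, so the caller cannot tell whether the RNG, the enveloped-data build or the signed-data build failed. A `DBG1(DBG_APP, "building PKCS#7 enveloped-data failed");` before the `return chunk_empty` that follows the first `lib->creds->create`, with equivalents on the other paths, would make that visible. The doc comment could also state that `chunk_empty` signals failure and that the returned encoding appears to be allocated and owned by the caller.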
@@ -319,7 +332,7 @@ static char* escape_http_request(chunk_t req)
/**
* Send a SCEP request via HTTP and wait for a response
*/
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
bool http_get_request, chunk_t *response)
{
int len;
@@ -337,7 +350,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
if (http_get_request)
{
- char *escaped_req = escape_http_request(pkcs7);
+ char *escaped_req = escape_http_request(msg);
/* form complete url */
len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
@@ -362,7 +375,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
- FETCH_REQUEST_DATA, pkcs7,
+ FETCH_REQUEST_DATA, msg,
FETCH_REQUEST_TYPE, "",
FETCH_REQUEST_HEADER, "Expect:",
FETCH_END);
@@ -371,12 +384,22 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
else /* SCEP_GET_CA_CERT */
{
const char operation[] = "GetCACert";
+ int i;
+
+ /* escape spaces, TODO: complete URL escape */
+ for (i = 0; i < msg.len; i++)
+ {
+ if (msg.ptr[i] == ' ')
+ {
+ msg.ptr[i] = '+';
+ }
+ }
/* form complete url */
- len = strlen(url) + 32 + strlen(operation) + 1;
+ len = strlen(url) + 32 + strlen(operation) + msg.len + 1;
complete_url = malloc(len);
- snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier",
- url, operation);
+ snprintf(complete_url, len, "%s?operation=%s&message=%.*s",
+ url, operation, (int)msg.len, msg.ptr);
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
@@ -387,23 +410,44 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
return (status == SUCCESS);
}
-err_t scep_parse_response(chunk_t response, chunk_t transID, pkcs7_t **data,
- scep_attributes_t *attrs, certificate_t *signer_cert)
+err_t scep_parse_response(chunk_t response, chunk_t transID,
+ container_t **out, scep_attributes_t *attrs)
{
- pkcs7_t *pkcs7;
-
- pkcs7 = pkcs7_create_from_chunk(response, 0);
- if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, signer_cert))
+ enumerator_t *enumerator;
+ bool verified = FALSE;
+ container_t *container;
+ auth_cfg_t *auth;
+
+ container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, response, BUILD_END);
+ if (!container)
{
- DESTROY_IF(pkcs7);
return "error parsing the scep response";
}
- extract_attributes(pkcs7, attrs);
- if (!chunk_equals(transID, attrs->transID))
+ if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+ {
+ container->destroy(container);
+ return "scep response is not PKCS#7 signed-data";
+ }
+
+ enumerator = container->create_signature_enumerator(container);
+ while (enumerator->enumerate(enumerator, &auth))
+ {
+ verified = TRUE;
+ extract_attributes((pkcs7_t*)container, enumerator, attrs);
+ if (!chunk_equals(transID, attrs->transID))
+ {
+ enumerator->destroy(enumerator);
+ container->destroy(container);
+ return "transaction ID of scep response does not match";
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (!verified)
{
- pkcs7->destroy(pkcs7);
- return "transaction ID of scep response does not match";
+ container->destroy(container);
+ return "unable to verify PKCS#7 container";
}
- *data = pkcs7;
+ *out = container;
return NULL;
}
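Review bot: The loop accepts the response as soon as the signature enumerator yields any `auth`, and `auth` itself is never inspected, so the signer is no longer tied to the CA signature certificate that the removed `signer_cert` parameter used to name. With this commit scepclient.c registers the client's own `x509_signer` as trusted next to `x509_ca_sig`, and presumably any other loaded credential set counts as well, so the set of acceptable signers is wider than before. Consider keeping `signer_cert` and rejecting the response unless the verified signer matches it, for example by comparing it with the subject certificate recorded in `auth` (assuming the enumerator fills that in). The early return on a transaction ID mismatch also leaves the chunks just stored in `attrs` unfreed.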
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 6227faba4..30551d2db 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -17,7 +17,7 @@
#ifndef _SCEP_H
#define _SCEP_H
-#include <crypto/pkcs7.h>
+#include <credentials/containers/pkcs7.h>
#include <credentials/certificates/certificate.h>
/* supported SCEP operation types */
@@ -78,10 +78,9 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
certificate_t *enc_cert, encryption_algorithm_t enc_alg,
size_t key_size, certificate_t *signer_cert,
hash_algorithm_t digest_alg, private_key_t *private_key);
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
bool http_get_request, chunk_t *response);
err_t scep_parse_response(chunk_t response, chunk_t transID,
- pkcs7_t **data, scep_attributes_t *attrs,
- certificate_t *signer_cert);
+ container_t **out, scep_attributes_t *attrs);
#endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 78b0d7e7a..83b5d6219 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -26,12 +26,12 @@
#include <syslog.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <asn1/asn1.h>
#include <asn1/oid.h>
#include <utils/optionsfrom.h>
-#include <utils/enumerator.h>
-#include <utils/linked_list.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
#include <crypto/hashers/hasher.h>
#include <crypto/crypters/crypter.h>
#include <crypto/proposal/proposal_keywords.h>
@@ -40,6 +40,7 @@
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/pkcs10.h>
+#include <credentials/sets/mem_cred.h>
#include <plugins/plugin.h>
#include "scep.h"
@@ -140,6 +141,8 @@ certificate_t *x509_ca_enc = NULL;
certificate_t *x509_ca_sig = NULL;
certificate_t *pkcs10_req = NULL;
+mem_cred_t *creds = NULL;
+
/* logging */
static bool log_to_stderr = TRUE;
static bool log_to_syslog = TRUE;
@@ -255,6 +258,12 @@ static void exit_scepclient(err_t message, ...)
{
int status = 0;
+ if (creds)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ }
+
DESTROY_IF(subject);
DESTROY_IF(private_key);
DESTROY_IF(public_key);
@@ -361,6 +370,9 @@ static void usage(const char *message)
" <algo> = md5 (default) | sha1 | sha256 |\n"
" sha384 | sha512\n"
"\n"
+ "Options for CA certificate acquisition:\n"
+ " --caname (-c) <name> name of CA to fetch CA certificate(s)\n"
+ " (default: CAIdentifier)\n"
"Options for enrollment (cert):\n"
" --url (-u) <url> url of the SCEP server\n"
" --method (-m) post | get http request type\n"
@@ -451,6 +463,9 @@ int main(int argc, char **argv)
/* URL of the SCEP-Server */
char *scep_url = NULL;
+ /* Name of CA to fetch CA certs for */
+ char *ca_name = "CAIdentifier";
+
/* http request method, default is GET */
bool http_get_request = TRUE;
@@ -512,6 +527,7 @@ int main(int argc, char **argv)
{ "password", required_argument, NULL, 'p' },
{ "algorithm", required_argument, NULL, 'a' },
{ "url", required_argument, NULL, 'u' },
+ { "caname", required_argument, NULL, 'c'},
{ "method", required_argument, NULL, 'm' },
{ "interval", required_argument, NULL, 't' },
{ "maxpolltime", required_argument, NULL, 'x' },
@@ -519,7 +535,7 @@ int main(int argc, char **argv)
};
/* parse next option */
- int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+ int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
switch (c)
{
@@ -782,6 +798,10 @@ int main(int argc, char **argv)
scep_url = optarg;
continue;
+ case 'c': /* -- caname */
+ ca_name = optarg;
+ continue;
+
case 'm': /* --method */
if (strcaseeq("get", optarg))
{
@@ -915,20 +935,24 @@ int main(int argc, char **argv)
if (request_ca_certificate)
{
char ca_path[PATH_MAX];
+ container_t *container;
pkcs7_t *pkcs7;
- if (!scep_http_request(scep_url, chunk_empty, SCEP_GET_CA_CERT,
- http_get_request, &scep_response))
+ if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
+ SCEP_GET_CA_CERT, http_get_request, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
- pkcs7 = pkcs7_create_from_chunk(scep_response, 0);
- if (!pkcs7 || !pkcs7->parse_signedData(pkcs7, NULL))
+ pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
+
+ if (!pkcs7)
{ /* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
- DESTROY_IF(pkcs7);
+
+ DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
if (!chunk_write(scep_response, ca_path, "ca cert", 0022, force))
{
exit_scepclient("could not write ca cert file '%s'", ca_path);
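Review bot: Only a parse failure now selects the plain-certificate fallback, so a response that parses as PKCS#7 but is not signed-data reaches the certificate enumeration, where the old `parse_signedData` condition would have sent it to the fallback. scep_parse_response in scep.c checks `get_type(container) != CONTAINER_PKCS7_SIGNED_DATA`, and the same test fits here, e.g. `if (!pkcs7 || pkcs7->container.get_type(&pkcs7->container) != CONTAINER_PKCS7_SIGNED_DATA)`, destroying the container when it exists. The fallback writes the raw response bytes to the CA certificate path without confirming that they parse as a certificate. Since a GetCACert reply carries no authentication of its own, a comment stating that the stored file has to be checked out of band (fingerprint) before it is trusted would help. The enclosing block continues outside this hunk.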
@@ -941,7 +965,7 @@ int main(int argc, char **argv)
int ra_certs = 0, ca_certs = 0;
int ra_index = 1, ca_index = 1;
- enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
@@ -956,7 +980,7 @@ int main(int argc, char **argv)
}
enumerator->destroy(enumerator);
- enumerator = pkcs7->create_certificate_enumerator(pkcs7);
+ enumerator = pkcs7->create_cert_enumerator(pkcs7);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
@@ -993,11 +1017,15 @@ int main(int argc, char **argv)
chunk_free(&encoding);
}
enumerator->destroy(enumerator);
- pkcs7->destroy(pkcs7);
+ container = &pkcs7->container;
+ container->destroy(container);
}
exit_scepclient(NULL); /* no further output required */
}
+ creds = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+
/*
* input of PKCS#1 file
*/
@@ -1020,6 +1048,7 @@ int main(int argc, char **argv)
{
exit_scepclient("no RSA private key available");
}
+ creds->add_key(creds, private_key->get_ref(private_key));
public_key = private_key->get_public_key(private_key);
/* check for minimum key length */
@@ -1170,6 +1199,7 @@ int main(int argc, char **argv)
exit_scepclient("generating certificate failed");
}
}
+ creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
/*
* output of self-signed X.509 certificate file
@@ -1270,7 +1300,9 @@ int main(int argc, char **argv)
enumerator_t *enumerator;
char path[PATH_MAX];
time_t poll_start = 0;
- pkcs7_t *data = NULL;
+ pkcs7_t *p7;
+ container_t *container = NULL;
+ chunk_t chunk;
scep_attributes_t attrs = empty_scep_attributes;
join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
@@ -1282,13 +1314,14 @@ int main(int argc, char **argv)
exit_scepclient("could not load signature cacert file '%s'", path);
}
+ creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
+
if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
http_get_request, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
- ugh = scep_parse_response(scep_response, transID, &data, &attrs,
- x509_ca_sig);
+ ugh = scep_parse_response(scep_response, transID, &container, &attrs);
if (ugh != NULL)
{
exit_scepclient(ugh);
@@ -1317,7 +1350,7 @@ int main(int argc, char **argv)
DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
sleep(poll_interval);
free(scep_response.ptr);
- data->destroy(data);
+ container->destroy(container);
DBG2(DBG_APP, "fingerprint: %.*s",
(int)fingerprint.len, fingerprint.ptr);
@@ -1338,8 +1371,7 @@ int main(int argc, char **argv)
{
exit_scepclient("did not receive a valid scep response");
}
- ugh = scep_parse_response(scep_response, transID, &data, &attrs,
- x509_ca_sig);
+ ugh = scep_parse_response(scep_response, transID, &container, &attrs);
if (ugh != NULL)
{
exit_scepclient(ugh);
@@ -1348,25 +1380,53 @@ int main(int argc, char **argv)
if (attrs.pkiStatus != SCEP_SUCCESS)
{
- data->destroy(data);
+ container->destroy(container);
exit_scepclient("reply status is not 'SUCCESS'");
}
- if (!data->parse_envelopedData(data, serialNumber, private_key))
+ if (!container->get_data(container, &chunk))
+ {
+ container->destroy(container);
+ exit_scepclient("extracting signed-data failed");
+ }
+ container->destroy(container);
+
+ /* decrypt enveloped-data container */
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk,
+ BUILD_END);
+ free(chunk.ptr);
+ if (!container)
{
- data->destroy(data);
exit_scepclient("could not decrypt envelopedData");
}
- if (!data->parse_signedData(data, NULL))
+
+ if (!container->get_data(container, &chunk))
+ {
+ container->destroy(container);
+ exit_scepclient("extracting encrypted-data failed");
+ }
+ container->destroy(container);
+
+ /* parse signed-data container */
+ container = lib->creds->create(lib->creds,
+ CRED_CONTAINER, CONTAINER_PKCS7,
+ BUILD_BLOB_ASN1_DER, chunk,
+ BUILD_END);
+ free(chunk.ptr);
+ if (!container)
{
- data->destroy(data);
- exit_scepclient("error parsing the scep response");
+ exit_scepclient("could not parse singed-data");
}
+ /* no need to verify the signed-data container, the signature does NOT
+ * cover the contained certificates */
/* store the end entity certificate */
join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
- enumerator = data->create_certificate_enumerator(data);
+ p7 = (pkcs7_t*)container;
+ enumerator = p7->create_cert_enumerator(p7);
while (enumerator->enumerate(enumerator, &cert))
{
x509_t *x509 = (x509_t*)cert;
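Review bot: Neither of the two inner containers is checked for its type before use: the first is assumed to be enveloped-data and the second signed-data, and the second is cast with `(pkcs7_t*)container` and enumerated. A `get_type()` comparison against the expected type (`CONTAINER_PKCS7_ENVELOPED_DATA`, then `CONTAINER_PKCS7_SIGNED_DATA`) after each `lib->creds->create`, as scep_parse_response does for the outer container, would reject a reply with unexpected nesting. The messages are also misleading: "could not decrypt envelopedData" is printed when parsing fails, while the step that presumably performs the decryption, `get_data`, reports "extracting encrypted-data failed", and "singed-data" should read "signed-data". The certificate loop continues outside this hunk.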
@@ -1387,7 +1447,11 @@ int main(int argc, char **argv)
}
}
enumerator->destroy(enumerator);
- data->destroy(data);
+ container->destroy(container);
+ chunk_free(&attrs.transID);
+ chunk_free(&attrs.senderNonce);
+ chunk_free(&attrs.recipientNonce);
+
filetype_out &= ~CERT; /* delete CERT flag */
}
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index a6d55c5e2..b2c86384e 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -82,13 +82,13 @@ CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+ --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
YLWRAP = $(top_srcdir)/ylwrap
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+ --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
SOURCES = $(starter_SOURCES)
DIST_SOURCES = $(starter_SOURCES)
ETAGS = etags
@@ -113,6 +113,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -140,6 +141,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -167,6 +169,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -179,6 +182,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -232,7 +236,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -382,11 +385,9 @@ clean-ipsecPROGRAMS:
echo " rm -f" $$list; \
rm -f $$list
parser.h: parser.c
- @if test ! -f $@; then \
- rm -f parser.c; \
- $(MAKE) $(AM_MAKEFLAGS) parser.c; \
- else :; fi
-starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES)
+ @if test ! -f $@; then rm -f parser.c; else :; fi
+ @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) parser.c; else :; fi
+starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) $(EXTRA_starter_DEPENDENCIES)
@rm -f starter$(EXEEXT)
$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
@@ -542,10 +543,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/starter/args.c b/src/starter/args.c
index 2416960bd..390062a99 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -18,7 +18,7 @@
#include <string.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "keywords.h"
#include "confread.h"
@@ -108,6 +108,13 @@ static const char *LST_authby[] = {
NULL
};
+static const char *LST_fragmentation[] = {
+ "no",
+ "yes",
+ "force",
+ NULL
+};
+
typedef struct {
arg_t type;
size_t offset;
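Review bot: `LST_fragmentation` has no comment saying that its order must match `fragmentation_t` in confread.h, which is what the `ARG_ENUM` entry added to `token_info` appears to rely on. A one-line comment above the list, such as `/* order must match fragmentation_t in confread.h */`, would keep the two from drifting apart. The typedef that follows the list continues outside this hunk.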
@@ -138,6 +145,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
{ ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ },
+ { ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 6544b1ccd..fecb998df 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -22,7 +22,7 @@
#include <netdb.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "keywords.h"
#include "confread.h"
@@ -36,7 +36,7 @@
#define SA_REPLACEMENT_RETRIES_DEFAULT 3
static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
-static const char esp_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
+static const char esp_defaults[] = "aes128-sha1,3des-sha1";
static const char firewall_defaults[] = "ipsec _updown iptables";
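Review bot: The new `esp_defaults` drops the `modp` groups without a comment explaining why, and the change is easy to misread as an accidental weakening. If the intent is that CHILD_SAs are negotiated without a separate DH exchange by default, say so next to the string, for example `/* no DH group: PFS for CHILD_SAs must be configured explicitly */`. Both default strings still list 3des and sha1; whether those should remain in the defaults deserves a separate look.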
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 3f2079883..a0f6234f9 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -50,7 +50,7 @@ typedef enum {
typedef enum {
STRICT_NO,
STRICT_YES,
- STRICT_IFURI
+ STRICT_IFURI,
} strict_t;
typedef enum {
@@ -70,6 +70,13 @@ typedef enum {
} dpd_action_t;
typedef enum {
+ /* same as in ike_cfg.h */
+ FRAGMENTATION_NO,
+ FRAGMENTATION_YES,
+ FRAGMENTATION_FORCE,
+} fragmentation_t;
+
+typedef enum {
/* IPsec options */
SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */
SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
@@ -140,6 +147,7 @@ struct starter_conn {
char *authby;
ipsec_mode_t mode;
bool proxy_mode;
+ fragmentation_t fragmentation;
sa_option_t options;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 102d1589e..1c93381f7 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -24,7 +24,7 @@
#include <errno.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "confread.h"
#include "invokecharon.h"
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 7615a81d2..b75ff1395 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 134
+#define TOTAL_KEYWORDS 135
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 220
-/* maximum key range = 212, duplicates = 0 */
+#define MIN_HASH_VALUE 10
+#define MAX_HASH_VALUE 259
+/* maximum key range = 250, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -73,34 +73,34 @@ hash (str, len)
register const char *str;
register unsigned int len;
{
- static const unsigned char asso_values[] =
+ static const unsigned short asso_values[] =
{
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 62,
- 117, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 0, 221, 27, 0, 79,
- 26, 0, 6, 0, 92, 0, 221, 44, 58, 36,
- 36, 73, 33, 5, 16, 0, 7, 87, 0, 221,
- 221, 11, 3, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 15,
+ 99, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 11, 260, 11, 2, 80,
+ 55, 6, 3, 2, 114, 2, 260, 83, 70, 6,
+ 22, 81, 51, 7, 14, 2, 7, 122, 2, 260,
+ 260, 43, 19, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+ 260, 260, 260, 260, 260, 260
};
register int hval = len;
@@ -124,166 +124,170 @@ hash (str, len)
static const struct kw_entry wordlist[] =
{
{"pfs", KW_PFS_DEPRECATED},
- {"aggressive", KW_AGGRESSIVE},
- {"rightgroups", KW_RIGHTGROUPS},
{"right", KW_RIGHT},
- {"lifetime", KW_KEYLIFE},
+ {"rightgroups", KW_RIGHTGROUPS},
{"left", KW_LEFT},
+ {"lifetime", KW_KEYLIFE},
+ {"aggressive", KW_AGGRESSIVE},
{"rightsubnet", KW_RIGHTSUBNET},
{"rightikeport", KW_RIGHTIKEPORT},
{"rightsendcert", KW_RIGHTSENDCERT},
+ {"lifepackets", KW_LIFEPACKETS},
{"leftcert", KW_LEFTCERT},
- {"keyingtries", KW_KEYINGTRIES},
- {"keylife", KW_KEYLIFE},
{"leftsendcert", KW_LEFTSENDCERT},
- {"lifebytes", KW_LIFEBYTES},
- {"leftrsasigkey", KW_LEFTRSASIGKEY},
- {"leftcertpolicy", KW_LEFTCERTPOLICY},
{"leftgroups", KW_LEFTGROUPS},
- {"rightid", KW_RIGHTID},
- {"rightdns", KW_RIGHTDNS},
- {"me_peerid", KW_ME_PEERID},
- {"reqid", KW_REQID},
+ {"leftca", KW_LEFTCA},
{"keep_alive", KW_SETUP_DEPRECATED},
- {"rightrsasigkey", KW_RIGHTRSASIGKEY},
+ {"leftdns", KW_LEFTDNS},
+ {"uniqueids", KW_UNIQUEIDS},
{"leftprotoport", KW_LEFTPROTOPORT},
+ {"interfaces", KW_SETUP_DEPRECATED},
+ {"rightsubnetwithin", KW_RIGHTSUBNET},
+ {"virtual_private", KW_SETUP_DEPRECATED},
{"certuribase", KW_CERTURIBASE},
- {"lifepackets", KW_LIFEPACKETS},
- {"uniqueids", KW_UNIQUEIDS},
+ {"mark_in", KW_MARK_IN},
+ {"lifebytes", KW_LIFEBYTES},
+ {"marginbytes", KW_MARGINBYTES},
+ {"marginpackets", KW_MARGINPACKETS},
+ {"margintime", KW_REKEYMARGIN},
+ {"keyingtries", KW_KEYINGTRIES},
+ {"keylife", KW_KEYLIFE},
+ {"fragmentation", KW_FRAGMENTATION},
+ {"leftrsasigkey", KW_LEFTRSASIGKEY},
+ {"rightid", KW_RIGHTID},
+ {"rightdns", KW_RIGHTDNS},
{"rightsourceip", KW_RIGHTSOURCEIP},
- {"ike", KW_IKE},
- {"type", KW_TYPE},
- {"leftdns", KW_LEFTDNS},
- {"leftnexthop", KW_LEFT_DEPRECATED},
{"rightallowany", KW_RIGHTALLOWANY},
- {"rightsubnetwithin", KW_RIGHTSUBNET},
+ {"leftcertpolicy", KW_LEFTCERTPOLICY},
+ {"reqid", KW_REQID},
+ {"rightrsasigkey", KW_RIGHTRSASIGKEY},
{"rightprotoport", KW_RIGHTPROTOPORT},
- {"mediated_by", KW_MEDIATED_BY},
+ {"leftnexthop", KW_LEFT_DEPRECATED},
{"strictcrlpolicy", KW_STRICTCRLPOLICY},
- {"virtual_private", KW_SETUP_DEPRECATED},
- {"interfaces", KW_SETUP_DEPRECATED},
- {"rekey", KW_REKEY},
- {"ikelifetime", KW_IKELIFETIME},
- {"rekeyfuzz", KW_REKEYFUZZ},
- {"leftid", KW_LEFTID},
- {"leftca", KW_LEFTCA},
- {"leftikeport", KW_LEFTIKEPORT},
- {"esp", KW_ESP},
- {"leftfirewall", KW_LEFTFIREWALL},
+ {"me_peerid", KW_ME_PEERID},
+ {"inactivity", KW_INACTIVITY},
+ {"rightnexthop", KW_RIGHT_DEPRECATED},
{"rightfirewall", KW_RIGHTFIREWALL},
+ {"ldapbase", KW_CA_DEPRECATED},
+ {"leftupdown", KW_LEFTUPDOWN},
+ {"leftfirewall", KW_LEFTFIREWALL},
+ {"crluri", KW_CRLURI},
+ {"ike", KW_IKE},
{"mediation", KW_MEDIATION},
+ {"rightcert", KW_RIGHTCERT},
{"mobike", KW_MOBIKE},
- {"crluri", KW_CRLURI},
- {"rightnexthop", KW_RIGHT_DEPRECATED},
- {"inactivity", KW_INACTIVITY},
- {"leftupdown", KW_LEFTUPDOWN},
- {"mark_in", KW_MARK_IN},
- {"leftallowany", KW_LEFTALLOWANY},
- {"ldapbase", KW_CA_DEPRECATED},
- {"margintime", KW_REKEYMARGIN},
- {"marginbytes", KW_MARGINBYTES},
- {"mark", KW_MARK},
- {"marginpackets", KW_MARGINPACKETS},
+ {"rightca", KW_RIGHTCA},
+ {"compress", KW_COMPRESS},
+ {"type", KW_TYPE},
+ {"ocspuri", KW_OCSPURI},
{"lefthostaccess", KW_LEFTHOSTACCESS},
- {"klipsdebug", KW_SETUP_DEPRECATED},
- {"rightcert", KW_RIGHTCERT},
- {"eap", KW_CONN_DEPRECATED},
- {"overridemtu", KW_SETUP_DEPRECATED},
+ {"esp", KW_ESP},
+ {"crluri1", KW_CRLURI},
+ {"ikelifetime", KW_IKELIFETIME},
+ {"leftikeport", KW_LEFTIKEPORT},
+ {"cacert", KW_CACERT},
+ {"mark", KW_MARK},
+ {"rightid2", KW_RIGHTID2},
{"forceencaps", KW_FORCEENCAPS},
- {"keyexchange", KW_KEYEXCHANGE},
- {"ocspuri", KW_OCSPURI},
- {"aaa_identity", KW_AAA_IDENTITY},
+ {"nat_traversal", KW_SETUP_DEPRECATED},
+ {"eap", KW_CONN_DEPRECATED},
+ {"rightgroups2", KW_RIGHTGROUPS2},
+ {"packetdefault", KW_SETUP_DEPRECATED},
+ {"ocspuri1", KW_OCSPURI},
+ {"rekeyfuzz", KW_REKEYFUZZ},
+ {"mark_out", KW_MARK_OUT},
+ {"mediated_by", KW_MEDIATED_BY},
+ {"leftcert2", KW_LEFTCERT2},
+ {"rightauth2", KW_RIGHTAUTH2},
+ {"leftid", KW_LEFTID},
+ {"leftca2", KW_LEFTCA2},
{"force_keepalive", KW_SETUP_DEPRECATED},
+ {"rekeymargin", KW_REKEYMARGIN},
+ {"dpdtimeout", KW_DPDTIMEOUT},
+ {"aaa_identity", KW_AAA_IDENTITY},
+ {"leftgroups2", KW_LEFTGROUPS2},
+ {"leftallowany", KW_LEFTALLOWANY},
+ {"righthostaccess", KW_RIGHTHOSTACCESS},
+ {"rekey", KW_REKEY},
+ {"rightauth", KW_RIGHTAUTH},
+ {"klipsdebug", KW_SETUP_DEPRECATED},
{"rightcertpolicy", KW_RIGHTCERTPOLICY},
+ {"overridemtu", KW_SETUP_DEPRECATED},
+ {"dpdaction", KW_DPDACTION},
+ {"pfsgroup", KW_PFS_DEPRECATED},
+ {"keyexchange", KW_KEYEXCHANGE},
{"hidetos", KW_SETUP_DEPRECATED},
- {"righthostaccess", KW_RIGHTHOSTACCESS},
- {"eap_identity", KW_EAP_IDENTITY},
{"leftsubnet", KW_LEFTSUBNET},
- {"dpdaction", KW_DPDACTION},
- {"dpdtimeout", KW_DPDTIMEOUT},
- {"rightca", KW_RIGHTCA},
- {"compress", KW_COMPRESS},
{"installpolicy", KW_INSTALLPOLICY},
- {"pfsgroup", KW_PFS_DEPRECATED},
- {"nat_traversal", KW_SETUP_DEPRECATED},
- {"authby", KW_AUTHBY},
+ {"dumpdir", KW_SETUP_DEPRECATED},
{"leftsourceip", KW_LEFTSOURCEIP},
- {"rightid2", KW_RIGHTID2},
- {"cacert", KW_CACERT},
- {"rekeymargin", KW_REKEYMARGIN},
- {"rightauth", KW_RIGHTAUTH},
- {"rightgroups2", KW_RIGHTGROUPS2},
- {"mark_out", KW_MARK_OUT},
- {"leftcert2", KW_LEFTCERT2},
- {"packetdefault", KW_SETUP_DEPRECATED},
- {"rightupdown", KW_RIGHTUPDOWN},
{"also", KW_ALSO},
- {"dpddelay", KW_DPDDELAY},
- {"xauth_identity", KW_XAUTH_IDENTITY},
+ {"rightupdown", KW_RIGHTUPDOWN},
+ {"charondebug", KW_CHARONDEBUG},
{"ldaphost", KW_CA_DEPRECATED},
- {"crluri1", KW_CRLURI},
+ {"fragicmp", KW_SETUP_DEPRECATED},
+ {"charonstart", KW_SETUP_DEPRECATED},
+ {"tfc", KW_TFC},
{"leftsubnetwithin", KW_LEFTSUBNET},
- {"dumpdir", KW_SETUP_DEPRECATED},
- {"crlcheckinterval", KW_SETUP_DEPRECATED},
- {"leftgroups2", KW_LEFTGROUPS2},
- {"rightauth2", KW_RIGHTAUTH2},
{"leftid2", KW_LEFTID2},
- {"leftca2", KW_LEFTCA2},
+ {"eap_identity", KW_EAP_IDENTITY},
+ {"crlcheckinterval", KW_SETUP_DEPRECATED},
+ {"cachecrls", KW_CACHECRLS},
+ {"rightca2", KW_RIGHTCA2},
+ {"crluri2", KW_CRLURI2},
+ {"rightcert2", KW_RIGHTCERT2},
+ {"pkcs11initargs", KW_PKCS11_DEPRECATED},
+ {"closeaction", KW_CLOSEACTION},
+ {"pkcs11module", KW_PKCS11_DEPRECATED},
+ {"pkcs11keepstate", KW_PKCS11_DEPRECATED},
+ {"xauth_identity", KW_XAUTH_IDENTITY},
+ {"ocspuri2", KW_OCSPURI2},
{"plutostderrlog", KW_SETUP_DEPRECATED},
{"plutostart", KW_SETUP_DEPRECATED},
- {"fragicmp", KW_SETUP_DEPRECATED},
- {"ocspuri1", KW_OCSPURI},
- {"charondebug", KW_CHARONDEBUG},
- {"tfc", KW_TFC},
{"auto", KW_AUTO},
- {"charonstart", KW_SETUP_DEPRECATED},
- {"plutodebug", KW_SETUP_DEPRECATED},
+ {"authby", KW_AUTHBY},
+ {"dpddelay", KW_DPDDELAY},
{"modeconfig", KW_MODECONFIG},
- {"prepluto", KW_SETUP_DEPRECATED},
{"nocrsend", KW_SETUP_DEPRECATED},
- {"auth", KW_AUTH},
- {"leftauth", KW_LEFTAUTH},
- {"cachecrls", KW_CACHECRLS},
- {"pkcs11module", KW_PKCS11_DEPRECATED},
- {"crluri2", KW_CRLURI2},
- {"pkcs11initargs", KW_PKCS11_DEPRECATED},
- {"pkcs11keepstate", KW_PKCS11_DEPRECATED},
- {"rightca2", KW_RIGHTCA2},
- {"closeaction", KW_CLOSEACTION},
- {"rightcert2", KW_RIGHTCERT2},
+ {"prepluto", KW_SETUP_DEPRECATED},
{"pkcs11proxy", KW_PKCS11_DEPRECATED},
- {"xauth", KW_XAUTH},
+ {"leftauth2", KW_LEFTAUTH2},
{"postpluto", KW_SETUP_DEPRECATED},
+ {"auth", KW_AUTH},
{"reauth", KW_REAUTH},
- {"leftauth2", KW_LEFTAUTH2},
- {"ocspuri2", KW_OCSPURI2}
+ {"xauth", KW_XAUTH},
+ {"leftauth", KW_LEFTAUTH},
+ {"plutodebug", KW_SETUP_DEPRECATED}
};
static const short lookup[] =
{
- -1, -1, -1, -1, -1, -1, -1, -1, -1, 0,
- 1, 2, 3, -1, 4, -1, -1, 5, 6, 7,
- 8, 9, 10, -1, 11, 12, 13, -1, -1, -1,
- 14, 15, 16, 17, 18, 19, 20, 21, -1, -1,
- -1, 22, 23, 24, 25, 26, 27, 28, 29, 30,
- 31, 32, -1, 33, 34, 35, 36, -1, 37, 38,
- 39, 40, 41, -1, 42, -1, 43, -1, 44, 45,
- -1, -1, -1, -1, -1, -1, 46, 47, 48, 49,
- 50, 51, -1, -1, 52, 53, 54, 55, 56, 57,
- 58, 59, 60, 61, 62, 63, 64, -1, 65, -1,
- 66, 67, 68, 69, 70, 71, 72, 73, -1, 74,
- 75, 76, 77, 78, -1, -1, -1, 79, 80, -1,
- 81, 82, 83, -1, 84, 85, 86, 87, 88, 89,
- -1, 90, 91, 92, 93, 94, 95, -1, -1, 96,
- -1, 97, -1, 98, -1, 99, 100, -1, 101, -1,
- 102, -1, -1, -1, 103, -1, 104, 105, -1, 106,
- -1, -1, 107, 108, -1, 109, 110, 111, -1, -1,
- -1, 112, -1, 113, -1, -1, -1, -1, -1, -1,
- -1, 114, 115, -1, 116, -1, 117, -1, -1, -1,
- 118, -1, -1, 119, 120, -1, -1, 121, 122, 123,
- 124, -1, -1, -1, 125, 126, 127, 128, -1, -1,
- -1, 129, -1, 130, -1, -1, -1, 131, -1, 132,
- 133
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ 0, -1, -1, -1, -1, -1, 1, -1, -1, 2,
+ 3, 4, 5, -1, 6, 7, 8, -1, -1, 9,
+ 10, -1, -1, -1, 11, 12, -1, 13, -1, 14,
+ 15, 16, -1, 17, 18, 19, -1, -1, 20, -1,
+ -1, 21, -1, -1, -1, -1, 22, -1, -1, 23,
+ 24, -1, 25, 26, 27, 28, 29, 30, 31, 32,
+ 33, 34, 35, 36, -1, 37, 38, 39, -1, -1,
+ -1, -1, -1, -1, -1, -1, 40, 41, 42, 43,
+ 44, 45, 46, 47, 48, -1, -1, -1, 49, 50,
+ 51, 52, 53, 54, 55, 56, 57, 58, 59, 60,
+ 61, 62, 63, 64, 65, 66, 67, 68, 69, 70,
+ 71, 72, 73, 74, 75, 76, 77, 78, 79, 80,
+ -1, -1, 81, 82, 83, 84, -1, 85, 86, 87,
+ -1, -1, 88, 89, 90, 91, 92, 93, 94, -1,
+ 95, 96, -1, 97, -1, -1, -1, 98, -1, 99,
+ 100, -1, 101, -1, 102, 103, 104, -1, -1, 105,
+ 106, -1, 107, -1, -1, -1, 108, -1, -1, -1,
+ -1, -1, 109, -1, -1, -1, -1, -1, -1, -1,
+ -1, 110, 111, 112, 113, 114, 115, -1, -1, 116,
+ -1, 117, -1, 118, -1, -1, -1, -1, -1, -1,
+ 119, 120, -1, -1, 121, -1, -1, -1, -1, -1,
+ -1, 122, -1, -1, -1, -1, -1, 123, -1, 124,
+ 125, 126, 127, -1, -1, -1, -1, -1, -1, 128,
+ -1, -1, -1, 129, -1, -1, -1, 130, -1, -1,
+ -1, 131, 132, 133, -1, -1, -1, -1, -1, 134
};
#ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 537bceb07..f776f33c9 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -42,6 +42,7 @@ typedef enum {
KW_AAA_IDENTITY,
KW_MOBIKE,
KW_FORCEENCAPS,
+ KW_FRAGMENTATION,
KW_IKELIFETIME,
KW_KEYLIFE,
KW_REKEYMARGIN,
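Review bot: `KW_FRAGMENTATION` is inserted in the middle of `kw_token_t` rather than appended, which shifts the numeric value of every enumerator after it. Any table or first/last range check indexed by this enum needs an entry at the same position; none is visible in this hunk, and the enum itself starts and ends outside it. Without that, `ikelifetime` and the keywords after it could be handled with the wrong per-keyword information. A comment at the top of the enum such as `/* order must match the keyword tables indexed by kw_token_t */` would make the requirement visible to whoever adds the next keyword.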
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 8366f5209..1f1641287 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -40,6 +40,7 @@ eap_identity, KW_EAP_IDENTITY
aaa_identity, KW_AAA_IDENTITY
mobike, KW_MOBIKE
forceencaps, KW_FORCEENCAPS
+fragmentation, KW_FRAGMENTATION
ikelifetime, KW_IKELIFETIME
lifetime, KW_KEYLIFE
keylife, KW_KEYLIFE
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 484b7e281..22165465f 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -17,7 +17,7 @@
#include <stdlib.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "files.h"
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 25f68e505..921a220db 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -18,7 +18,7 @@
#include <library.h>
#include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "files.h"
diff --git a/src/starter/parser.c b/src/starter/parser.c
index beb752a51..9a5831ef8 100644
--- a/src/starter/parser.c
+++ b/src/starter/parser.c
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5. */
-/* A Bison parser, made by GNU Bison 2.4.1. */
-
-/* Skeleton implementation for Bison's Yacc-like parsers in C
+/* Bison implementation for Yacc-like parsers in C
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
- Free Software Foundation, Inc.
+ Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -46,7 +44,7 @@
#define YYBISON 1
/* Bison version. */
-#define YYBISON_VERSION "2.4.1"
+#define YYBISON_VERSION "2.5"
/* Skeleton name. */
#define YYSKELETON_NAME "yacc.c"
@@ -67,7 +65,7 @@
/* Copy the first part of user declarations. */
-/* Line 189 of yacc.c */
+/* Line 268 of yacc.c */
#line 1 "parser.y"
/* strongSwan config file parser (parser.y)
@@ -89,7 +87,7 @@
#include <string.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "ipsec-parser.h"
@@ -120,8 +118,8 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
-/* Line 189 of yacc.c */
-#line 125 "parser.c"
+/* Line 268 of yacc.c */
+#line 123 "parser.c"
/* Enabling traces. */
#ifndef YYDEBUG
@@ -179,13 +177,13 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
typedef union YYSTYPE
{
-/* Line 214 of yacc.c */
+/* Line 293 of yacc.c */
#line 52 "parser.y"
char *s;
-/* Line 214 of yacc.c */
-#line 189 "parser.c"
+/* Line 293 of yacc.c */
+#line 187 "parser.c"
} YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
@@ -196,8 +194,8 @@ typedef union YYSTYPE
/* Copy the second part of user declarations. */
-/* Line 264 of yacc.c */
-#line 201 "parser.c"
+/* Line 343 of yacc.c */
+#line 199 "parser.c"
#ifdef short
# undef short
@@ -247,7 +245,7 @@ typedef short int yytype_int16;
#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
#ifndef YY_
-# if YYENABLE_NLS
+# if defined YYENABLE_NLS && YYENABLE_NLS
# if ENABLE_NLS
# include <libintl.h> /* INFRINGES ON USER NAME SPACE */
# define YY_(msgid) dgettext ("bison-runtime", msgid)
@@ -300,11 +298,11 @@ YYID (yyi)
# define alloca _alloca
# else
# define YYSTACK_ALLOC alloca
-# if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+# if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
|| defined __cplusplus || defined _MSC_VER)
# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-# ifndef _STDLIB_H
-# define _STDLIB_H 1
+# ifndef EXIT_SUCCESS
+# define EXIT_SUCCESS 0
# endif
# endif
# endif
@@ -327,24 +325,24 @@ YYID (yyi)
# ifndef YYSTACK_ALLOC_MAXIMUM
# define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
# endif
-# if (defined __cplusplus && ! defined _STDLIB_H \
+# if (defined __cplusplus && ! defined EXIT_SUCCESS \
&& ! ((defined YYMALLOC || defined malloc) \
&& (defined YYFREE || defined free)))
# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-# ifndef _STDLIB_H
-# define _STDLIB_H 1
+# ifndef EXIT_SUCCESS
+# define EXIT_SUCCESS 0
# endif
# endif
# ifndef YYMALLOC
# define YYMALLOC malloc
-# if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+# if ! defined malloc && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
|| defined __cplusplus || defined _MSC_VER)
void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
# endif
# endif
# ifndef YYFREE
# define YYFREE free
-# if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+# if ! defined free && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
|| defined __cplusplus || defined _MSC_VER)
void free (void *); /* INFRINGES ON USER NAME SPACE */
# endif
@@ -373,23 +371,7 @@ union yyalloc
((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+ YYSTACK_GAP_MAXIMUM)
-/* Copy COUNT objects from FROM to TO. The source and destination do
- not overlap. */
-# ifndef YYCOPY
-# if defined __GNUC__ && 1 < __GNUC__
-# define YYCOPY(To, From, Count) \
- __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
-# else
-# define YYCOPY(To, From, Count) \
- do \
- { \
- YYSIZE_T yyi; \
- for (yyi = 0; yyi < (Count); yyi++) \
- (To)[yyi] = (From)[yyi]; \
- } \
- while (YYID (0))
-# endif
-# endif
+# define YYCOPY_NEEDED 1
/* Relocate STACK from its old location to the new one. The
local variables YYSIZE and YYSTACKSIZE give the old and new number of
@@ -409,6 +391,26 @@ union yyalloc
#endif
+#if defined YYCOPY_NEEDED && YYCOPY_NEEDED
+/* Copy COUNT objects from FROM to TO. The source and destination do
+ not overlap. */
+# ifndef YYCOPY
+# if defined __GNUC__ && 1 < __GNUC__
+# define YYCOPY(To, From, Count) \
+ __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+# else
+# define YYCOPY(To, From, Count) \
+ do \
+ { \
+ YYSIZE_T yyi; \
+ for (yyi = 0; yyi < (Count); yyi++) \
+ (To)[yyi] = (From)[yyi]; \
+ } \
+ while (YYID (0))
+# endif
+# endif
+#endif /* !YYCOPY_NEEDED */
+
/* YYFINAL -- State number of the termination state. */
#define YYFINAL 2
/* YYLAST -- Last index in YYTABLE. */
@@ -526,8 +528,8 @@ static const yytype_uint8 yyr2[] =
5, 0, 4, 1, 4, 0, 3, 2, 0
};
-/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
- STATE-NUM when YYTABLE doesn't specify something else to do. Zero
+/* YYDEFACT[STATE-NAME] -- Default reduction number in state STATE-NUM.
+ Performed when YYTABLE doesn't specify something else to do. Zero
means the default is an error. */
static const yytype_uint8 yydefact[] =
{
@@ -562,8 +564,7 @@ static const yytype_int8 yypgoto[] =
/* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. If
positive, shift that token. If negative, reduce the rule which
- number is the opposite. If zero, do what YYDEFACT says.
- If YYTABLE_NINF, syntax error. */
+ number is the opposite. If YYTABLE_NINF, syntax error. */
#define YYTABLE_NINF -1
static const yytype_uint8 yytable[] =
{
@@ -572,6 +573,12 @@ static const yytype_uint8 yytable[] =
24, 28, 30, 31, 0, 0, 0, 32
};
+#define yypact_value_is_default(yystate) \
+ ((yystate) == (-20))
+
+#define yytable_value_is_error(yytable_value) \
+ YYID (0)
+
static const yytype_int8 yycheck[] =
{
0, 7, 21, 22, 12, 5, 6, 12, 8, 9,
@@ -601,9 +608,18 @@ static const yytype_uint8 yystos[] =
/* Like YYERROR except do call yyerror. This remains here temporarily
to ease the transition to the new meaning of YYERROR, for GCC.
- Once GCC version 2 has supplanted version 1, this can go. */
+ Once GCC version 2 has supplanted version 1, this can go. However,
+ YYFAIL appears to be in use. Nevertheless, it is formally deprecated
+ in Bison 2.4.2's NEWS entry, where a plan to phase it out is
+ discussed. */
#define YYFAIL goto yyerrlab
+#if defined YYFAIL
+ /* This is here to suppress warnings from the GCC cpp's
+ -Wunused-macros. Normally we don't worry about that warning, but
+ some users do, and we want to make it easy for users to remove
+ YYFAIL uses, which will produce warnings from Bison 2.5. */
+#endif
#define YYRECOVERING() (!!yyerrstatus)
@@ -613,7 +629,6 @@ do \
{ \
yychar = (Token); \
yylval = (Value); \
- yytoken = YYTRANSLATE (yychar); \
YYPOPSTACK (1); \
goto yybackup; \
} \
@@ -655,19 +670,10 @@ while (YYID (0))
#endif
-/* YY_LOCATION_PRINT -- Print the location on the stream.
- This macro was not mandated originally: define only if we know
- we won't break user code: when these are the locations we know. */
+/* This macro is provided for backward compatibility. */
#ifndef YY_LOCATION_PRINT
-# if YYLTYPE_IS_TRIVIAL
-# define YY_LOCATION_PRINT(File, Loc) \
- fprintf (File, "%d.%d-%d.%d", \
- (Loc).first_line, (Loc).first_column, \
- (Loc).last_line, (Loc).last_column)
-# else
-# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
-# endif
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
#endif
@@ -859,7 +865,6 @@ int yydebug;
# define YYMAXDEPTH 10000
#endif
-
#if YYERROR_VERBOSE
@@ -962,115 +967,142 @@ yytnamerr (char *yyres, const char *yystr)
}
# endif
-/* Copy into YYRESULT an error message about the unexpected token
- YYCHAR while in state YYSTATE. Return the number of bytes copied,
- including the terminating null byte. If YYRESULT is null, do not
- copy anything; just return the number of bytes that would be
- copied. As a special case, return 0 if an ordinary "syntax error"
- message will do. Return YYSIZE_MAXIMUM if overflow occurs during
- size calculation. */
-static YYSIZE_T
-yysyntax_error (char *yyresult, int yystate, int yychar)
-{
- int yyn = yypact[yystate];
+/* Copy into *YYMSG, which is of size *YYMSG_ALLOC, an error message
+ about the unexpected token YYTOKEN for the state stack whose top is
+ YYSSP.
- if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
- return 0;
- else
+ Return 0 if *YYMSG was successfully written. Return 1 if *YYMSG is
+ not large enough to hold the message. In that case, also set
+ *YYMSG_ALLOC to the required number of bytes. Return 2 if the
+ required number of bytes is too large to store. */
+static int
+yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
+ yytype_int16 *yyssp, int yytoken)
+{
+ YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]);
+ YYSIZE_T yysize = yysize0;
+ YYSIZE_T yysize1;
+ enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+ /* Internationalized format string. */
+ const char *yyformat = 0;
+ /* Arguments of yyformat. */
+ char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+ /* Number of reported tokens (one for the "unexpected", one per
+ "expected"). */
+ int yycount = 0;
+
+ /* There are many possibilities here to consider:
+ - Assume YYFAIL is not used. It's too flawed to consider. See
+ <http://lists.gnu.org/archive/html/bison-patches/2009-12/msg00024.html>
+ for details. YYERROR is fine as it does not invoke this
+ function.
+ - If this state is a consistent state with a default action, then
+ the only way this function was invoked is if the default action
+ is an error action. In that case, don't check for expected
+ tokens because there are none.
+ - The only way there can be no lookahead present (in yychar) is if
+ this state is a consistent state with a default action. Thus,
+ detecting the absence of a lookahead is sufficient to determine
+ that there is no unexpected or expected token to report. In that
+ case, just report a simple "syntax error".
+ - Don't assume there isn't a lookahead just because this state is a
+ consistent state with a default action. There might have been a
+ previous inconsistent state, consistent state with a non-default
+ action, or user semantic action that manipulated yychar.
+ - Of course, the expected token list depends on states to have
+ correct lookahead information, and it depends on the parser not
+ to perform extra reductions after fetching a lookahead from the
+ scanner and before detecting a syntax error. Thus, state merging
+ (from LALR or IELR) and default reductions corrupt the expected
+ token list. However, the list is correct for canonical LR with
+ one exception: it will still contain any token that will not be
+ accepted due to an error action in a later state.
+ */
+ if (yytoken != YYEMPTY)
{
- int yytype = YYTRANSLATE (yychar);
- YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
- YYSIZE_T yysize = yysize0;
- YYSIZE_T yysize1;
- int yysize_overflow = 0;
- enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
- char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
- int yyx;
-
-# if 0
- /* This is so xgettext sees the translatable formats that are
- constructed on the fly. */
- YY_("syntax error, unexpected %s");
- YY_("syntax error, unexpected %s, expecting %s");
- YY_("syntax error, unexpected %s, expecting %s or %s");
- YY_("syntax error, unexpected %s, expecting %s or %s or %s");
- YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
-# endif
- char *yyfmt;
- char const *yyf;
- static char const yyunexpected[] = "syntax error, unexpected %s";
- static char const yyexpecting[] = ", expecting %s";
- static char const yyor[] = " or %s";
- char yyformat[sizeof yyunexpected
- + sizeof yyexpecting - 1
- + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
- * (sizeof yyor - 1))];
- char const *yyprefix = yyexpecting;
-
- /* Start YYX at -YYN if negative to avoid negative indexes in
- YYCHECK. */
- int yyxbegin = yyn < 0 ? -yyn : 0;
-
- /* Stay within bounds of both yycheck and yytname. */
- int yychecklim = YYLAST - yyn + 1;
- int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
- int yycount = 1;
-
- yyarg[0] = yytname[yytype];
- yyfmt = yystpcpy (yyformat, yyunexpected);
-
- for (yyx = yyxbegin; yyx < yyxend; ++yyx)
- if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
- {
- if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
- {
- yycount = 1;
- yysize = yysize0;
- yyformat[sizeof yyunexpected - 1] = '\0';
- break;
- }
- yyarg[yycount++] = yytname[yyx];
- yysize1 = yysize + yytnamerr (0, yytname[yyx]);
- yysize_overflow |= (yysize1 < yysize);
- yysize = yysize1;
- yyfmt = yystpcpy (yyfmt, yyprefix);
- yyprefix = yyor;
- }
+ int yyn = yypact[*yyssp];
+ yyarg[yycount++] = yytname[yytoken];
+ if (!yypact_value_is_default (yyn))
+ {
+ /* Start YYX at -YYN if negative to avoid negative indexes in
+ YYCHECK. In other words, skip the first -YYN actions for
+ this state because they are default actions. */
+ int yyxbegin = yyn < 0 ? -yyn : 0;
+ /* Stay within bounds of both yycheck and yytname. */
+ int yychecklim = YYLAST - yyn + 1;
+ int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+ int yyx;
+
+ for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+ if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR
+ && !yytable_value_is_error (yytable[yyx + yyn]))
+ {
+ if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+ {
+ yycount = 1;
+ yysize = yysize0;
+ break;
+ }
+ yyarg[yycount++] = yytname[yyx];
+ yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+ if (! (yysize <= yysize1
+ && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+ return 2;
+ yysize = yysize1;
+ }
+ }
+ }
- yyf = YY_(yyformat);
- yysize1 = yysize + yystrlen (yyf);
- yysize_overflow |= (yysize1 < yysize);
- yysize = yysize1;
+ switch (yycount)
+ {
+# define YYCASE_(N, S) \
+ case N: \
+ yyformat = S; \
+ break
+ YYCASE_(0, YY_("syntax error"));
+ YYCASE_(1, YY_("syntax error, unexpected %s"));
+ YYCASE_(2, YY_("syntax error, unexpected %s, expecting %s"));
+ YYCASE_(3, YY_("syntax error, unexpected %s, expecting %s or %s"));
+ YYCASE_(4, YY_("syntax error, unexpected %s, expecting %s or %s or %s"));
+ YYCASE_(5, YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s"));
+# undef YYCASE_
+ }
- if (yysize_overflow)
- return YYSIZE_MAXIMUM;
+ yysize1 = yysize + yystrlen (yyformat);
+ if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+ return 2;
+ yysize = yysize1;
- if (yyresult)
- {
- /* Avoid sprintf, as that infringes on the user's name space.
- Don't have undefined behavior even if the translation
- produced a string with the wrong number of "%s"s. */
- char *yyp = yyresult;
- int yyi = 0;
- while ((*yyp = *yyf) != '\0')
- {
- if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
- {
- yyp += yytnamerr (yyp, yyarg[yyi++]);
- yyf += 2;
- }
- else
- {
- yyp++;
- yyf++;
- }
- }
- }
- return yysize;
+ if (*yymsg_alloc < yysize)
+ {
+ *yymsg_alloc = 2 * yysize;
+ if (! (yysize <= *yymsg_alloc
+ && *yymsg_alloc <= YYSTACK_ALLOC_MAXIMUM))
+ *yymsg_alloc = YYSTACK_ALLOC_MAXIMUM;
+ return 1;
}
+
+ /* Avoid sprintf, as that infringes on the user's name space.
+ Don't have undefined behavior even if the translation
+ produced a string with the wrong number of "%s"s. */
+ {
+ char *yyp = *yymsg;
+ int yyi = 0;
+ while ((*yyp = *yyformat) != '\0')
+ if (*yyp == '%' && yyformat[1] == 's' && yyi < yycount)
+ {
+ yyp += yytnamerr (yyp, yyarg[yyi++]);
+ yyformat += 2;
+ }
+ else
+ {
+ yyp++;
+ yyformat++;
+ }
+ }
+ return 0;
}
#endif /* YYERROR_VERBOSE */
-
/*-----------------------------------------------.
| Release the memory associated to this symbol. |
@@ -1103,6 +1135,7 @@ yydestruct (yymsg, yytype, yyvaluep)
}
}
+
/* Prevent warnings from -Wmissing-prototypes. */
#ifdef YYPARSE_PARAM
#if defined __STDC__ || defined __cplusplus
@@ -1129,10 +1162,9 @@ YYSTYPE yylval;
int yynerrs;
-
-/*-------------------------.
-| yyparse or yypush_parse. |
-`-------------------------*/
+/*----------.
+| yyparse. |
+`----------*/
#ifdef YYPARSE_PARAM
#if (defined __STDC__ || defined __C99__FUNC__ \
@@ -1156,8 +1188,6 @@ yyparse ()
#endif
#endif
{
-
-
int yystate;
/* Number of tokens to shift before error messages enabled. */
int yyerrstatus;
@@ -1312,7 +1342,7 @@ yybackup:
/* First try to decide what to do without reference to lookahead token. */
yyn = yypact[yystate];
- if (yyn == YYPACT_NINF)
+ if (yypact_value_is_default (yyn))
goto yydefault;
/* Not known => get a lookahead token if don't already have one. */
@@ -1343,8 +1373,8 @@ yybackup:
yyn = yytable[yyn];
if (yyn <= 0)
{
- if (yyn == 0 || yyn == YYTABLE_NINF)
- goto yyerrlab;
+ if (yytable_value_is_error (yyn))
+ goto yyerrlab;
yyn = -yyn;
goto yyreduce;
}
@@ -1399,7 +1429,7 @@ yyreduce:
{
case 4:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 69 "parser.y"
{
free((yyvsp[(2) - (3)].s));
@@ -1408,7 +1438,7 @@ yyreduce:
case 5:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 73 "parser.y"
{
_parser_kw = &(_parser_cfg->config_setup);
@@ -1418,7 +1448,7 @@ yyreduce:
case 7:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 78 "parser.y"
{
section_list_t *section = malloc_thing(section_list_t);
@@ -1439,7 +1469,7 @@ yyreduce:
case 9:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 94 "parser.y"
{
section_list_t *section = malloc_thing(section_list_t);
@@ -1459,7 +1489,7 @@ yyreduce:
case 11:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 109 "parser.y"
{
extern void _parser_y_include (const char *f);
@@ -1470,7 +1500,7 @@ yyreduce:
case 16:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 124 "parser.y"
{
kw_list_t *new;
@@ -1500,7 +1530,7 @@ yyreduce:
case 17:
-/* Line 1455 of yacc.c */
+/* Line 1806 of yacc.c */
#line 149 "parser.y"
{
free((yyvsp[(1) - (2)].s));
@@ -1509,10 +1539,21 @@ yyreduce:
-/* Line 1455 of yacc.c */
-#line 1514 "parser.c"
+/* Line 1806 of yacc.c */
+#line 1544 "parser.c"
default: break;
}
+ /* User semantic actions sometimes alter yychar, and that requires
+ that yytoken be updated with the new translation. We take the
+ approach of translating immediately before every use of yytoken.
+ One alternative is translating here after every semantic action,
+ but that translation would be missed if the semantic action invokes
+ YYABORT, YYACCEPT, or YYERROR immediately after altering yychar or
+ if it invokes YYBACKUP. In the case of YYABORT or YYACCEPT, an
+ incorrect destructor might then be invoked immediately. In the
+ case of YYERROR or YYBACKUP, subsequent parser actions might lead
+ to an incorrect destructor call or verbose syntax error message
+ before the lookahead is translated. */
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
YYPOPSTACK (yylen);
@@ -1540,6 +1581,10 @@ yyreduce:
| yyerrlab -- here on detecting error |
`------------------------------------*/
yyerrlab:
+ /* Make sure we have latest lookahead translation. See comments at
+ user semantic actions for why this is necessary. */
+ yytoken = yychar == YYEMPTY ? YYEMPTY : YYTRANSLATE (yychar);
+
/* If not already recovering from an error, report this error. */
if (!yyerrstatus)
{
@@ -1547,37 +1592,36 @@ yyerrlab:
#if ! YYERROR_VERBOSE
yyerror (YY_("syntax error"));
#else
+# define YYSYNTAX_ERROR yysyntax_error (&yymsg_alloc, &yymsg, \
+ yyssp, yytoken)
{
- YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
- if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
- {
- YYSIZE_T yyalloc = 2 * yysize;
- if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
- yyalloc = YYSTACK_ALLOC_MAXIMUM;
- if (yymsg != yymsgbuf)
- YYSTACK_FREE (yymsg);
- yymsg = (char *) YYSTACK_ALLOC (yyalloc);
- if (yymsg)
- yymsg_alloc = yyalloc;
- else
- {
- yymsg = yymsgbuf;
- yymsg_alloc = sizeof yymsgbuf;
- }
- }
-
- if (0 < yysize && yysize <= yymsg_alloc)
- {
- (void) yysyntax_error (yymsg, yystate, yychar);
- yyerror (yymsg);
- }
- else
- {
- yyerror (YY_("syntax error"));
- if (yysize != 0)
- goto yyexhaustedlab;
- }
+ char const *yymsgp = YY_("syntax error");
+ int yysyntax_error_status;
+ yysyntax_error_status = YYSYNTAX_ERROR;
+ if (yysyntax_error_status == 0)
+ yymsgp = yymsg;
+ else if (yysyntax_error_status == 1)
+ {
+ if (yymsg != yymsgbuf)
+ YYSTACK_FREE (yymsg);
+ yymsg = (char *) YYSTACK_ALLOC (yymsg_alloc);
+ if (!yymsg)
+ {
+ yymsg = yymsgbuf;
+ yymsg_alloc = sizeof yymsgbuf;
+ yysyntax_error_status = 2;
+ }
+ else
+ {
+ yysyntax_error_status = YYSYNTAX_ERROR;
+ yymsgp = yymsg;
+ }
+ }
+ yyerror (yymsgp);
+ if (yysyntax_error_status == 2)
+ goto yyexhaustedlab;
}
+# undef YYSYNTAX_ERROR
#endif
}
@@ -1636,7 +1680,7 @@ yyerrlab1:
for (;;)
{
yyn = yypact[yystate];
- if (yyn != YYPACT_NINF)
+ if (!yypact_value_is_default (yyn))
{
yyn += YYTERROR;
if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
@@ -1695,8 +1739,13 @@ yyexhaustedlab:
yyreturn:
if (yychar != YYEMPTY)
- yydestruct ("Cleanup: discarding lookahead",
- yytoken, &yylval);
+ {
+ /* Make sure we have latest lookahead translation. See comments at
+ user semantic actions for why this is necessary. */
+ yytoken = YYTRANSLATE (yychar);
+ yydestruct ("Cleanup: discarding lookahead",
+ yytoken, &yylval);
+ }
/* Do not reclaim the symbols of the rule which action triggered
this YYABORT or YYACCEPT. */
YYPOPSTACK (yylen);
@@ -1721,7 +1770,7 @@ yyreturn:
-/* Line 1675 of yacc.c */
+/* Line 2067 of yacc.c */
#line 155 "parser.y"
diff --git a/src/starter/parser.h b/src/starter/parser.h
index eff532f6d..7007dfef5 100644
--- a/src/starter/parser.h
+++ b/src/starter/parser.h
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5. */
-/* A Bison parser, made by GNU Bison 2.4.1. */
-
-/* Skeleton interface for Bison's Yacc-like parsers in C
+/* Bison interface for Yacc-like parsers in C
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
- Free Software Foundation, Inc.
+ Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -70,13 +68,13 @@
typedef union YYSTYPE
{
-/* Line 1676 of yacc.c */
+/* Line 2068 of yacc.c */
#line 52 "parser.y"
char *s;
-/* Line 1676 of yacc.c */
-#line 80 "parser.h"
+/* Line 2068 of yacc.c */
+#line 78 "parser.h"
} YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/starter/parser.y b/src/starter/parser.y
index 424e3a9fd..2cf0501f4 100644
--- a/src/starter/parser.y
+++ b/src/starter/parser.y
@@ -18,7 +18,7 @@
#include <string.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "ipsec-parser.h"
diff --git a/src/starter/starter.c b/src/starter/starter.c
index c6efcb2f4..ae6863fd7 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -34,7 +34,7 @@
#include <hydra.h>
#include <utils/backtrace.h>
#include <threading/thread.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "confread.h"
#include "files.h"
@@ -328,7 +328,8 @@ static bool check_pid(char *pid_file)
static void usage(char *name)
{
fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n"
- " [--debug|--debug-more|--debug-all|--nolog]\n");
+ " [--debug|--debug-more|--debug-all|--nolog]\n"
+ " [--attach-gdb]\n");
exit(LSB_RC_INVALID_ARGUMENT);
}
@@ -594,6 +595,10 @@ int main (int argc, char **argv)
{
if (starter_charon_pid())
{
+ if (conn->startup == STARTUP_ROUTE)
+ {
+ starter_stroke_unroute_conn(conn);
+ }
starter_stroke_del_conn(conn);
}
conn->state = STATE_TO_ADD;
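Review bot: The return value of `starter_stroke_unroute_conn(conn)` is discarded, so a failed unroute goes unnoticed and `starter_stroke_del_conn(conn)` runs regardless; the same four added lines appear again in the hunk at -651. If the unroute message never reaches charon, the connection is presumably deleted while its trap policy stays installed, which deserves at least a log line. Assuming a non-zero return signals failure, something like `if (starter_stroke_unroute_conn(conn) != 0) DBG1(DBG_APP, "unroute failed before delete");` would do. Both sites are inside main(), which starts and ends outside these hunks, so how the surrounding loop treats errors is not visible here.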
@@ -622,7 +627,7 @@ int main (int argc, char **argv)
DBG2(DBG_APP, "Reloading config...");
new_cfg = confread_load(CONFIG_FILE);
- if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
+ if (new_cfg && (new_cfg->err == 0))
{
/* Switch to new config. New conn will be loaded below */
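Review bot: With `new_cfg->non_fatal_err` dropped from the condition, a reloaded config that parsed with non-fatal errors now replaces the running one, and nothing in this hunk tells the operator that it did. For a VPN configuration, an option skipped as non-fatal can leave a connection running with a default the administrator did not intend. The relaxed check should therefore be paired with a visible warning, unless confread_load() already emits one (not shown here). A comment recording the intent would also help, e.g. `/* only fatal errors block the switch; non_fatal_err is tolerated on reload */`. main() starts and ends outside the hunk.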
@@ -651,6 +656,10 @@ int main (int argc, char **argv)
{
if (starter_charon_pid())
{
+ if (conn->startup == STARTUP_ROUTE)
+ {
+ starter_stroke_unroute_conn(conn);
+ }
starter_stroke_del_conn(conn);
}
}
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index d6ad3eb89..4f9e8fb14 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -27,7 +27,7 @@
#include <credentials/auth_cfg.h>
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <stroke_msg.h>
@@ -180,6 +180,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
}
msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+ msg.add_conn.fragmentation = conn->fragmentation;
msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
msg.add_conn.install_policy = conn->install_policy;
msg.add_conn.aggressive = conn->aggressive;
@@ -270,6 +271,16 @@ int starter_stroke_route_conn(starter_conn_t *conn)
return send_stroke_msg(&msg);
}
+int starter_stroke_unroute_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_UNROUTE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.route.name = push_string(&msg, connection_name(conn));
+ return send_stroke_msg(&msg);
+}
+
int starter_stroke_initiate_conn(starter_conn_t *conn)
{
stroke_msg_t msg;
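Review bot: `msg` in the new starter_stroke_unroute_conn() is an uninitialised stack struct in which only `type`, `length` and `route.name` are set, yet `length` starts at `offsetof(stroke_msg_t, buffer)`, so the whole fixed header is handed to send_stroke_msg(). If that helper writes `msg.length` bytes to the socket (its body is not in this hunk), the unset remainder of the header carries stale stack contents to the receiver. Zeroing the struct first with `memset(&msg, 0, sizeof(msg));` avoids that. starter_stroke_initiate_conn(), visible as context just below, declares `msg` the same way, so the pattern may need fixing throughout the file.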
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index fd2a3e320..126486325 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -21,6 +21,7 @@
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
int starter_stroke_del_conn(starter_conn_t *conn);
int starter_stroke_route_conn(starter_conn_t *conn);
+int starter_stroke_unroute_conn(starter_conn_t *conn);
int starter_stroke_initiate_conn(starter_conn_t *conn);
int starter_stroke_add_ca(starter_ca_t *ca);
int starter_stroke_del_ca(starter_ca_t *ca);
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index acf9d3485..01288296e 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -98,6 +98,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -125,6 +126,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -152,6 +154,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -164,6 +167,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -217,7 +221,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -351,7 +354,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES)
+stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) $(EXTRA_stroke_DEPENDENCIES)
@rm -f stroke$(EXEEXT)
$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
@@ -492,10 +495,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 03890b517..e289296c1 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -144,6 +144,7 @@ static int add_connection(char *name,
msg.add_conn.mode = 1;
msg.add_conn.mobike = 1;
msg.add_conn.dpd.action = 1;
+ msg.add_conn.install_policy = 1;
msg.add_conn.me.id = push_string(&msg, my_id);
msg.add_conn.me.address = push_string(&msg, my_addr);
@@ -265,6 +266,7 @@ static int list_flags[] = {
LIST_OCSP,
LIST_ALGS,
LIST_PLUGINS,
+ LIST_COUNTERS,
LIST_ALL
};
@@ -363,7 +365,6 @@ static int user_credentials(char *name, char *user, char *pass)
return send_stroke_msg(&msg);
}
-
static int set_loglevel(char *type, u_int level)
{
stroke_msg_t msg;
@@ -389,7 +390,7 @@ static void exit_usage(char *error)
printf("Usage:\n");
printf(" Add a connection:\n");
printf(" stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\\\n");
- printf(" MY_NET OTHER_NET MY_NETBITS OTHER_NETBITS\n");
+ printf(" MY_NET OTHER_NET\n");
printf(" where: ID is any IKEv2 ID \n");
printf(" ADDR is a IPv4 address\n");
printf(" NET is a IPv4 subnet in CIDR notation\n");
@@ -418,7 +419,7 @@ static void exit_usage(char *error)
printf(" Show list of authority and attribute certificates:\n");
printf(" stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
printf(" Show list of end entity certificates, ca info records and crls:\n");
- printf(" stroke listcerts|listcainfos|listcrls|listall\n");
+ printf(" stroke listcerts|listcainfos|listcrls|listcounters|listall\n");
printf(" Show list of supported algorithms:\n");
printf(" stroke listalgs\n");
printf(" Reload authority and attribute certificates:\n");
@@ -470,7 +471,7 @@ int main(int argc, char *argv[])
switch (token->kw)
{
case STROKE_ADD:
- if (argc < 11)
+ if (argc < 9)
{
exit_usage("\"add\" needs more parameters...");
}
@@ -552,6 +553,7 @@ int main(int argc, char *argv[])
case STROKE_LIST_OCSP:
case STROKE_LIST_ALGS:
case STROKE_LIST_PLUGINS:
+ case STROKE_LIST_COUNTERS:
case STROKE_LIST_ALL:
res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
break;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index b5ca2e143..3f53b7fa8 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
stroke_keyword_t kw;
};
-#define TOTAL_KEYWORDS 41
+#define TOTAL_KEYWORDS 42
#define MIN_WORD_LENGTH 2
#define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 2
-#define MAX_HASH_VALUE 44
-/* maximum key range = 43, duplicates = 0 */
+#define MIN_HASH_VALUE 4
+#define MAX_HASH_VALUE 49
+/* maximum key range = 46, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -75,32 +75,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 15, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 0, 30, 1,
- 1, 15, 45, 15, 45, 30, 45, 13, 0, 0,
- 45, 9, 3, 45, 6, 18, 1, 0, 45, 45,
- 5, 0, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
- 45, 45, 45, 45, 45, 45
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 19, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 1, 12, 2,
+ 2, 16, 50, 14, 50, 11, 50, 16, 1, 8,
+ 50, 18, 7, 50, 6, 12, 1, 11, 50, 50,
+ 4, 3, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50, 50, 50, 50, 50
};
register int hval = len;
@@ -125,17 +125,16 @@ hash (str, len)
static const struct stroke_token wordlist[] =
{
- {"up", STROKE_UP},
{"add", STROKE_ADD},
{"del", STROKE_DEL},
{"down", STROKE_DOWN},
- {"listall", STROKE_LIST_ALL},
{"delete", STROKE_DELETE},
+ {"listall", STROKE_LIST_ALL},
{"listcrls", STROKE_LIST_CRLS},
+ {"up", STROKE_UP},
{"rekey", STROKE_REKEY},
{"listaacerts", STROKE_LIST_AACERTS},
{"listcacerts", STROKE_LIST_CACERTS},
- {"listplugins", STROKE_LIST_PLUGINS},
{"rereadall", STROKE_REREAD_ALL},
{"listcerts", STROKE_LIST_CERTS},
{"rereadcrls", STROKE_REREAD_CRLS},
@@ -143,37 +142,39 @@ static const struct stroke_token wordlist[] =
{"rereadaacerts", STROKE_REREAD_AACERTS},
{"rereadcacerts", STROKE_REREAD_CACERTS},
{"leases", STROKE_LEASES},
- {"unroute", STROKE_UNROUTE},
{"listalgs", STROKE_LIST_ALGS},
- {"status", STROKE_STATUS},
- {"listacerts", STROKE_LIST_ACERTS},
+ {"listcainfos", STROKE_LIST_CAINFOS},
+ {"listcounters", STROKE_LIST_COUNTERS},
{"route", STROKE_ROUTE},
+ {"listacerts", STROKE_LIST_ACERTS},
+ {"status", STROKE_STATUS},
+ {"listplugins", STROKE_LIST_PLUGINS},
+ {"listpubkeys", STROKE_LIST_PUBKEYS},
+ {"rereadsecrets", STROKE_REREAD_SECRETS},
{"statusall", STROKE_STATUSALL},
{"purgeocsp", STROKE_PURGE_OCSP},
{"statusallnb", STROKE_STATUSALL_NOBLK},
- {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
- {"user-creds", STROKE_USER_CREDS},
+ {"exportx509", STROKE_EXPORT_X509},
{"down-srcip", STROKE_DOWN_SRCIP},
{"purgecrls", STROKE_PURGE_CRLS},
- {"listgroups", STROKE_LIST_GROUPS},
{"listocsp", STROKE_LIST_OCSP},
- {"exportx509", STROKE_EXPORT_X509},
- {"rereadsecrets", STROKE_REREAD_SECRETS},
+ {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
{"loglevel", STROKE_LOGLEVEL},
- {"purgeike", STROKE_PURGE_IKE},
- {"listocspcerts", STROKE_LIST_OCSPCERTS},
{"memusage", STROKE_MEMUSAGE},
- {"listcainfos", STROKE_LIST_CAINFOS},
- {"purgecerts", STROKE_PURGE_CERTS},
- {"listpubkeys", STROKE_LIST_PUBKEYS}
+ {"listgroups", STROKE_LIST_GROUPS},
+ {"listocspcerts", STROKE_LIST_OCSPCERTS},
+ {"unroute", STROKE_UNROUTE},
+ {"user-creds", STROKE_USER_CREDS},
+ {"purgeike", STROKE_PURGE_IKE},
+ {"purgecerts", STROKE_PURGE_CERTS}
};
static const short lookup[] =
{
- -1, -1, 0, 1, 2, 3, -1, 4, 5, 6, -1, 7, 8, 9,
- 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
- 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37,
- 38, 39, 40
+ -1, -1, -1, -1, 0, 1, 2, -1, -1, 3, 4, -1, 5, 6,
+ 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+ 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34,
+ 35, 36, 37, 38, 39, 40, -1, 41
};
#ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 554d071f3..0ad87b705 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -42,6 +42,7 @@ typedef enum {
STROKE_LIST_OCSP,
STROKE_LIST_ALGS,
STROKE_LIST_PLUGINS,
+ STROKE_LIST_COUNTERS,
STROKE_LIST_ALL,
STROKE_REREAD_SECRETS,
STROKE_REREAD_CACERTS,
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 1d7ab8a45..95b2981d9 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -49,6 +49,7 @@ listcrls, STROKE_LIST_CRLS
listocsp, STROKE_LIST_OCSP
listalgs, STROKE_LIST_ALGS
listplugins, STROKE_LIST_PLUGINS
+listcounters, STROKE_LIST_COUNTERS
listall, STROKE_LIST_ALL
rereadsecrets, STROKE_REREAD_SECRETS
rereadcacerts, STROKE_REREAD_CACERTS
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 662feed69..e972a5984 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -67,8 +67,10 @@ enum list_flag_t {
LIST_ALGS = 0x0400,
/** list plugin information */
LIST_PLUGINS = 0x0800,
+ /** list IKE counters */
+ LIST_COUNTERS = 0x1000,
/** all list options */
- LIST_ALL = 0x0FFF,
+ LIST_ALL = 0x1FFF,
};
typedef enum reread_flag_t reread_flag_t;
@@ -252,6 +254,7 @@ struct stroke_msg_t {
int mobike;
int aggressive;
int force_encap;
+ int fragmentation;
int ipcomp;
time_t inactivity;
int proxy_mode;
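Review bot: `int fragmentation;` is inserted between `force_encap` and `ipcomp`, which shifts the offset of every later member. Because starterstroke.c in this same commit sends the struct as raw bytes (`msg.length = offsetof(stroke_msg_t, buffer)`), the member layout is effectively the wire format. A starter or stroke binary and a charon built from different sides of this change would read each other's fields at the wrong offsets, and whether the receiver can detect that is not visible in this hunk. A comment on the struct would make the constraint explicit, e.g. `/* wire format shared with charon: starter, stroke and charon must be built from the same header */`. struct stroke_msg_t starts and ends outside the hunk.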
diff --git a/testing/INSTALL b/testing/INSTALL
deleted file mode 100644
index bb4272eaf..000000000
--- a/testing/INSTALL
+++ /dev/null
@@ -1,145 +0,0 @@
-
- -------------------------------
- strongSwan UML - Installation
- -------------------------------
-
-
-Contents
---------
-
- 1. Making the host system UML-capable
- 2. Installing the required files
- 3. Creating the UML testing environment
-
-
-1. Making the host system UML-capable
- ----------------------------------
-
- UML instances can be run on both Linux 2.4 and Linux 2.6 kernels.
- If you are using a vanilla kernel from kernel.org then you must first
- apply the host SKAS patch available from
-
- http://www.user-mode-linux.org/~blaisorblade/patches/
-
- and recompile and reboot your host kernel. Some Linux distributions as e.g.
- SuSE already include the SKAS patch in their kernels.
-
- You will also need the UML utilities (uml_mconsole and uml_switch)
- available from
-
- http://prdownloads.sourceforge.net/user-mode-linux/uml_utilities_20040406.tar.bz2
-
- Many Linux distributions offer the UML utilities as a package.
-
-
-2. Installing the required files
- -----------------------------
-
-First create a directory where you want the strongSwan UML testing environment
-to be located.The default directory is "~/strongswan-testing". If you choose a
-different location, please adapt the UMLTESTDIR variable in "testing.conf"
-accordingly.
-
- mkdir ~/strongswan-testing
-
-Now copy the "testing" subdirectory coming with the strongSwan distribution to
-the UML testing environment:
-
- cp -r testing ~/strongswan-testing
-
-Next you need to copy several files into the ~/strongswan-testing directory that
-are required for the strongSwan testing environment:
-
- * A vanilla Linux kernel on which the UML kernel will be based on.
- We recommend the use of
-
- http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2
-
- * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel
- to successfully start up.
-
- * The matching .config file required to compile the UML kernel:
-
- http://download.strongswan.org/uml/.config-2.6.36
-
- * A gentoo-based UML file system (compressed size 130 MBytes) found at
-
- http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2
-
- * The latest strongSwan distribution
-
- http://download.strongswan.org/strongswan-4.5.1.tar.bz2
-
-
-3. Creating the environment
- ------------------------
-
-Now change into the testing subdirectory
-
- cd ~/strongswan-testing/testing
-
-and make the UML testing environment:
-
- ./make-testing <hosts>
-
-The "make-testing" script calls a series of subscripts which can be
-enabled or disabled individually by setting the corresponding flags
-in "testing.conf":
-
- if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
- then
- scripts/build-umlkernel
- fi
-
-builds an UML kernel out of the vanilla Linux kernel and the corresponding
-UML kernel patch.
-
- if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
- then
- scripts/build-hostconfig
- fi
-
-generates the default configurations for the UML hosts alice, venus, moon,
-carol, winnetou, dave, sun, and bob by replacing the wildcards PH_IP_ALICE,
-etc. by the actual IP addresses defined in "testing.conf".
-
- if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
- then
- scripts/build-umlrootfs
- fi
-
-takes the gentoo-based UML file system and compiles the latest strongSwan
-distribution into it.
-
- if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
- then
- scripts/build-sshkeys
- fi
-
-adds the common RSA public key of the UML instances to your ~/.ssh/known_hosts
-directory so that you can log onto the UML instances using ssh without typing
-in a password. The "scripts/build-sshkeys" script should only be run once.
-
- if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
- then
- scripts/build-umlhostfs <hosts>
- fi
-
-creates the customized UML file systems for the instances given as command line
-arguments by adding the default host configurations to the UML root file system.
-If the "make-starting" scripts is called without any arguments then by default
-the UML file systems are created for the hosts alice, venus, moon, carol,
-winnetou, dave, sun, and bob. Each UML root file system has as size defined by
-the ROOTFSSIZE in testing.conf which by default is 544 MBytes. Thus all 8 UML
-hosts plus the master copy will require a total of 5 GBytes of disk space.
-
- if [ $ENABLE_START_TESTING = "yes" ]
- then
- ./start-testing <hosts>
- fi
-
-starts the automated testing. More details on the tests you'll find in the
-README document.
-
------------------------------------------------------------------------------
-
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 2aa7d70bc..305bf7f72 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -1,11 +1,4 @@
-noinst_SCRIPTS = do-tests
-CLEANFILES = do-tests
-EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
- testing.conf ssh_config hosts images scripts tests INSTALL README
-
-do-tests : do-tests.in
- sed \
- -e "s:\@routing_table\@:$(routing_table):" \
- $(srcdir)/$@.in > $@
- chmod +x $@
+EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+ testing.conf ssh_config config hosts images scripts tests \
+ README
diff --git a/testing/Makefile.in b/testing/Makefile.in
index d37e9ec73..0f7ada07d 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -14,7 +14,6 @@
# PARTICULAR PURPOSE.
@SET_MAKE@
-
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
@@ -35,8 +34,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = testing
-DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
- INSTALL
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -53,7 +51,6 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
-SCRIPTS = $(noinst_SCRIPTS)
SOURCES =
DIST_SOURCES =
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -76,6 +73,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -103,6 +101,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -130,6 +129,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -142,6 +142,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -195,7 +196,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -242,10 +242,9 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-noinst_SCRIPTS = do-tests
-CLEANFILES = do-tests
-EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
- testing.conf ssh_config hosts images scripts tests INSTALL README
+EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+ testing.conf ssh_config config hosts images scripts tests \
+ README
all: all-am
@@ -325,7 +324,7 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-am
-all-am: Makefile $(SCRIPTS)
+all-am: Makefile
installdirs:
install: install-am
install-exec: install-exec-am
@@ -337,14 +336,18 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -433,12 +436,6 @@ uninstall-am:
mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
-do-tests : do-tests.in
- sed \
- -e "s:\@routing_table\@:$(routing_table):" \
- $(srcdir)/$@.in > $@
- chmod +x $@
-
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/testing/README b/testing/README
index 097b4264d..a62497269 100644
--- a/testing/README
+++ b/testing/README
@@ -1,158 +1,88 @@
- ------------------------------------
- strongSwan UML - Running the Tests
- ------------------------------------
+ ------------------------------
+ strongSwan Integration Tests
+ ------------------------------
Contents
--------
- 1. Starting up the UML testing environment
- 2. Running the automated tests
- 3. Manual testing
+ 1. Building the testing environment
+ 2. Starting up the testing environment
+ 3. Running the automated tests
+ 4. Manual testing
-1. Starting up the UML testing environment
- ---------------------------------------
-
-When the strongSwan UML testing environment has been put into place by
-running the "make-testing" script then you are ready to start up the
-UML instances by calling
+1. Building the testing environment
+ --------------------------------
- ./start-testing <hosts>
-
-This main script first calls the subscript
+The testing environment can be built with the "make-testing" script after
+adjusting the variables in the testing.conf file. By default everything is
+built when executing the script. Setting any of the ENABLE_BUILD_* variables
+in the configuration file to "no" will not build those parts.
- scripts/start-switches
-that starts the three UML switches umlswitch0, umlswitch1, and umlswitch2
-which are connecting the UML instances among each other and via tun/tap
-devices also make them accessible from the host system.
-
-Then depending on the setting of the UMLSTARTMODE variable defined
-in "testing.conf", the UML instances given on the command line are started
-up with different terminals:
+2. Starting up the testing environment
+ -----------------------------------
-If you are running the KDE graphical environment then by setting
+When the strongSwan testing environment has been put into place by running
+the "make-testing" script you are ready to start up the KVM instances by
+executing the "start-testing" script.
- UMLSTARTMODE=konsole
-
-the script
- scripts/kstart-umls <hosts>
-
-is called which starts up each of the UML instances defined by <hosts> in
-a KDE konsole. If
-
- UMLSTARTMODE=xterm
-
-is set then
-
- scripts/xstart-umls <hosts>
-
-starts up the UML instances in an xterm each. And with the choice
-
- UMLSTARTMODE=screen
-
-the instances are started up by
-
- scripts/start-umls <hosts>
-
-in the background but the Linux command "screen -r <host>" can be used to
-connect a terminal to the UML instance <host> if desired.
-
-
- if [ $ENABLE_DO_TESTS = "yes" ]
- then
- do-tests
- fi
-
-either executes all the tests defined in the "testing/tests" directory
-if the variable SELECTEDTESTSONLY in "testing.conf" is set to "no" or the
-selected tests defined by the string in SELELECTEDTESTS if SELECTEDTESTSONLY
-is set to "yes".
-
- if [ $ENABLE_STOP_TESTING = "yes" ]
- then
- stop-testing <hosts>
- fi
-
-stops the both the UML switches and the UML instances designated by the
-<hosts> argument.
-
-
-2. Running the automated tests
+3. Running the automated tests
---------------------------
The script
./do-tests <testnames>
-runs the automated tests. With an empty <testnames> argument the tests
-as defined in "testing.conf" are executed, otherwise the tests enumerated
-by the <testnames> argument will be run as shown in the example below.
+runs the automated tests. If the <testnames> argument is omitted all tests
+are executed, otherwise only the tests listed will be run as shown in the
+example below:
- ./do-tests net2net-psk net2net-cert
+ ./do-tests ikev2/net2net-psk ikev2/net2net-cert
Each test is divided into the following phases:
- * scripts/load-testconfig <testname>
- loads the UML hosts with test specific settings if such are provided.
-
- * next the "pretest.dat" script found in each test directory is executed.
- Among other commands, strongSwan is started on the IPsec hosts.
+ * Load the test-specific guest configuration if any is provided.
- * the "evaltest.dat" script evaluates if the test has been successful.
-
- * the "posttest.dat" script terminates the test e.g. by stopping
- strongSwan on the IPsec hosts.
+ * Next the "pretest.dat" script found in each test directory is executed.
+ Among other commands, strongSwan is started on the IPsec hosts.
- * scripts/restore-defaults <testname>
- restores the default settings on the UML hosts.
+ * The "evaltest.dat" script evaluates if the test has been successful.
-The test results and configuration settings for all tests settings are stored
-in a folder labeled with the current date in the directory
-
- ~/strongswan-testing/testresults
-
-the same results are also automatically transferred to the Apache server
-running on UML instance "winnetou" and can be accessed via the URL
+ * The "posttest.dat" script terminates the test e.g. by stopping
+ strongSwan on the IPsec hosts. It is also responsible to cleaning up
+ things (e.g. firewall rules) set up in "pretest.dat".
- http://192.168.0.150/testresults/
+ * Restore the default configuration on every host (new files have to be
+ deleted manually in "posttest.dat").
+The test results and configuration files for all tests are stored in a
+folder labeled with the current date and time in the $TESTRESULTSDIR directory.
-3. Manual testing
- --------------
-
-The greates flexibility can be achieved with manual testing. Just set
-
- ENABLE_DO_TESTS="no"
- ENABLE_STOP_TESTING="no"
-
-in "testing.conf" and start the UML instances that you want to experiment with
-by calling
+The same results are also automatically transferred to the Apache server
+running on guest "winnetou" and can be accessed via the URL
- ./start-testing <hosts>
-
-If you want to preload a test scenario with configurations differing from
-the default values, e.g. when using Preshared Keys then you can do this
-with the command
+ http://192.168.0.150/testresults/
- scripts/load-testconfig net2net-psk
-
-You can then log onto any UML instance using its konsole, xterm or screen
-terminal as root with the default password
- tuxmux
-
-You can then execute any commands the UML instances, including changing
-and recompiling the strongSwan source code located in the /root directory.
+4. Manual testing
+ --------------
-After you have finished testing, the default configuration settings can
-restored with the command
+Instead of running tests automatically with "do-tests" it is possible to
+preload a test scenario with the script:
- scripts/restore-defaults net2net-psk
+ scripts/load-testconfig <testname>
+Individual configuration files can be changed and any command can be executed by
+logging into a guest host directly (via SSH or a console window). No password
+is required to login as root. The sources for every software built during
+"make-testing" are mounted at /root/shared/, which allows you to change and
+recompile these components.
------------------------------------------------------------------------------
+After you have finished testing, the default configuration can be restored
+with the following command (newly created files have to be deleted manually)
+ scripts/restore-defaults
diff --git a/testing/config/kernel/config-3.5 b/testing/config/kernel/config-3.5
new file mode 100644
index 000000000..9494331eb
--- /dev/null
+++ b/testing/config/kernel/config-3.5
@@ -0,0 +1,1817 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.5.3 Kernel Configuration
+#
+CONFIG_64BIT=y
+# CONFIG_X86_32 is not set
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_TASKSTATS is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+# CONFIG_INLINE_SPIN_TRYLOCK is not set
+# CONFIG_INLINE_SPIN_TRYLOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK is not set
+# CONFIG_INLINE_SPIN_LOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQ is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQSAVE is not set
+# CONFIG_INLINE_SPIN_UNLOCK_BH is not set
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+# CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_READ_TRYLOCK is not set
+# CONFIG_INLINE_READ_LOCK is not set
+# CONFIG_INLINE_READ_LOCK_BH is not set
+# CONFIG_INLINE_READ_LOCK_IRQ is not set
+# CONFIG_INLINE_READ_LOCK_IRQSAVE is not set
+CONFIG_INLINE_READ_UNLOCK=y
+# CONFIG_INLINE_READ_UNLOCK_BH is not set
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+# CONFIG_INLINE_READ_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_WRITE_TRYLOCK is not set
+# CONFIG_INLINE_WRITE_LOCK is not set
+# CONFIG_INLINE_WRITE_LOCK_BH is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQ is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQSAVE is not set
+CONFIG_INLINE_WRITE_UNLOCK=y
+# CONFIG_INLINE_WRITE_UNLOCK_BH is not set
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+# CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE is not set
+# CONFIG_MUTEX_SPIN_ON_OWNER is not set
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_CLOCK=y
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_CMPXCHG=y
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_XADD=y
+CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_BGRT is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_COMPAT_FOR_U64_ALIGNMENT is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+# CONFIG_IPV6_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+# CONFIG_NF_NAT_SIP is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+
+#
+# DRBD disabled because PROC_FS, INET or CONNECTOR not selected
+#
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_OMAP4 is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_XILINX_PS_UART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+
+#
+# Enable Device Drivers -> PPS to see the PTP clock options.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_RING=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_APPLE_GMUX is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_X86_64 is not set
+# CONFIG_CRYPTO_AES_NI_INTEL is not set
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
+CONFIG_CRYPTO_CAMELLIA=y
+# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+# CONFIG_CRYPTO_SALSA20_X86_64 is not set
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+# CONFIG_CRYPTO_TWOFISH_X86_64 is not set
+# CONFIG_CRYPTO_TWOFISH_X86_64_3WAY is not set
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+# CONFIG_CRYPTO_LZO is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.6 b/testing/config/kernel/config-3.6
new file mode 100644
index 000000000..8755bf772
--- /dev/null
+++ b/testing/config/kernel/config-3.6
@@ -0,0 +1,1830 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.6.11 Kernel Configuration
+#
+CONFIG_64BIT=y
+# CONFIG_X86_32 is not set
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_TASKSTATS is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+# CONFIG_INLINE_SPIN_TRYLOCK is not set
+# CONFIG_INLINE_SPIN_TRYLOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK is not set
+# CONFIG_INLINE_SPIN_LOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQ is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQSAVE is not set
+# CONFIG_INLINE_SPIN_UNLOCK_BH is not set
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+# CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_READ_TRYLOCK is not set
+# CONFIG_INLINE_READ_LOCK is not set
+# CONFIG_INLINE_READ_LOCK_BH is not set
+# CONFIG_INLINE_READ_LOCK_IRQ is not set
+# CONFIG_INLINE_READ_LOCK_IRQSAVE is not set
+CONFIG_INLINE_READ_UNLOCK=y
+# CONFIG_INLINE_READ_UNLOCK_BH is not set
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+# CONFIG_INLINE_READ_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_WRITE_TRYLOCK is not set
+# CONFIG_INLINE_WRITE_LOCK is not set
+# CONFIG_INLINE_WRITE_LOCK_BH is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQ is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQSAVE is not set
+CONFIG_INLINE_WRITE_UNLOCK=y
+# CONFIG_INLINE_WRITE_UNLOCK_BH is not set
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+# CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE is not set
+# CONFIG_MUTEX_SPIN_ON_OWNER is not set
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_CLOCK=y
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_CMPXCHG=y
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_XADD=y
+CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_BGRT is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_COMPAT_FOR_U64_ALIGNMENT is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+# CONFIG_IPV6_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+# CONFIG_NF_NAT_SIP is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+
+#
+# DRBD disabled because PROC_FS, INET or CONNECTOR not selected
+#
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_OMAP4 is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_XILINX_PS_UART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+
+#
+# Enable Device Drivers -> PPS to see the PTP clock options.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_RING=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_X86_64 is not set
+# CONFIG_CRYPTO_AES_NI_INTEL is not set
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
+CONFIG_CRYPTO_CAMELLIA=y
+# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+# CONFIG_CRYPTO_SALSA20_X86_64 is not set
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+# CONFIG_CRYPTO_LZO is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
new file mode 100644
index 000000000..6ca78f861
--- /dev/null
+++ b/testing/config/kvm/alice.xml
@@ -0,0 +1,70 @@
+<domain type='kvm'>
+ <name>alice</name>
+ <uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/alice.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:9a:e2:de'/>
+ <source network='vnet2'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <interface type='network'>
+ <mac address='52:54:00:3b:0c:d7'/>
+ <source network='vnet1'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
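Review bot: The `<filesystem type='mount' accessmode='mapped'>` element exports the host directory `/var/run/kvm-swan-hostfs` to the guest read-write. The same source directory is attached in bob.xml, carol.xml, dave.xml, moon.xml, sun.xml, venus.xml and winnetou.xml, so any one guest can change files that every other guest reads. If the guests only need to read from `/hostshare` (which this diff does not show), add `<readonly/>` inside the element. If they do write there, an XML comment above the element saying what is written would document that the share is intentionally writable.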
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
new file mode 100644
index 000000000..d9a9b4c05
--- /dev/null
+++ b/testing/config/kvm/bob.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+ <name>bob</name>
+ <uuid>72728516-377f-f5be-ea1d-b1f1e851538f</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/bob.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:40:85:6b'/>
+ <source network='vnet3'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
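Review bot: `<graphics type='vnc' port='-1' autoport='yes'/>` sets neither a `listen` address nor a password, so where the guest console is reachable depends on the host's libvirt/QEMU defaults rather than on this file. The same line appears in all eight domain definitions added here (alice, bob, carol, dave, moon, sun, venus, winnetou). Pinning it in the definition makes the test VMs behave the same on every host: `<graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'/>`.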
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
new file mode 100644
index 000000000..fbdabe2e4
--- /dev/null
+++ b/testing/config/kvm/carol.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+ <name>carol</name>
+ <uuid>6bc2eef5-7faf-cde0-5f27-6fc29f93bc3d</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/carol.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:ae:f1:f8'/>
+ <source network='vnet1'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
new file mode 100644
index 000000000..bfebe9b60
--- /dev/null
+++ b/testing/config/kvm/dave.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+ <name>dave</name>
+ <uuid>05f1debe-4e38-4f3d-10a0-c07fbb70d816</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/dave.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:b9:15:a9'/>
+ <source network='vnet1'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
new file mode 100644
index 000000000..e019fcea5
--- /dev/null
+++ b/testing/config/kvm/moon.xml
@@ -0,0 +1,70 @@
+<domain type='kvm'>
+ <name>moon</name>
+ <uuid>b5e00ad3-1c81-3b2a-7f66-cdf8727b3c65</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/moon.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:43:e3:35'/>
+ <source network='vnet2'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </interface>
+ <interface type='network'>
+ <mac address='52:54:00:c7:b8:b0'/>
+ <source network='vnet1'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
new file mode 100644
index 000000000..5ed1a47ea
--- /dev/null
+++ b/testing/config/kvm/sun.xml
@@ -0,0 +1,70 @@
+<domain type='kvm'>
+ <name>sun</name>
+ <uuid>35341843-346c-a63a-786b-9df0fd5e6264</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/sun.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:77:43:ea'/>
+ <source network='vnet1'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <interface type='network'>
+ <mac address='52:54:00:0f:97:db'/>
+ <source network='vnet3'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
new file mode 100644
index 000000000..77a333655
--- /dev/null
+++ b/testing/config/kvm/venus.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+ <name>venus</name>
+ <uuid>f0838df9-7cc0-84f5-6c14-2d16ab002e8d</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/venus.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:69:d3:80'/>
+ <source network='vnet2'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/testing/config/kvm/vnet1.xml b/testing/config/kvm/vnet1.xml
new file mode 100644
index 000000000..f9d979be1
--- /dev/null
+++ b/testing/config/kvm/vnet1.xml
@@ -0,0 +1,11 @@
+<network>
+ <name>vnet1</name>
+ <uuid>1d6ac7c7-60d9-56c1-a7df-210d3d0cc6d1</uuid>
+ <forward dev='lo' mode='route'>
+ <interface dev='lo'/>
+ </forward>
+ <bridge name='virbr1' stp='on' delay='0' />
+ <mac address='52:54:00:97:F9:FD'/>
+ <ip address='192.168.0.254' netmask='255.255.255.0'>
+ </ip>
+</network>
diff --git a/testing/config/kvm/vnet2.xml b/testing/config/kvm/vnet2.xml
new file mode 100644
index 000000000..7d125bfc6
--- /dev/null
+++ b/testing/config/kvm/vnet2.xml
@@ -0,0 +1,11 @@
+<network>
+ <name>vnet2</name>
+ <uuid>b5147a7d-e184-5c9e-3838-4621796ba95c</uuid>
+ <forward dev='lo' mode='route'>
+ <interface dev='lo'/>
+ </forward>
+ <bridge name='virbr2' stp='on' delay='0' />
+ <mac address='52:54:00:05:F3:34'/>
+ <ip address='10.1.0.254' netmask='255.255.0.0'>
+ </ip>
+</network>
diff --git a/testing/config/kvm/vnet3.xml b/testing/config/kvm/vnet3.xml
new file mode 100644
index 000000000..1da06c448
--- /dev/null
+++ b/testing/config/kvm/vnet3.xml
@@ -0,0 +1,11 @@
+<network>
+ <name>vnet3</name>
+ <uuid>5c537abc-c116-90e9-a0ef-886340d4c356</uuid>
+ <forward dev='lo' mode='route'>
+ <interface dev='lo'/>
+ </forward>
+ <bridge name='virbr3' stp='on' delay='0' />
+ <mac address='52:54:00:62:4C:69'/>
+ <ip address='10.2.0.254' netmask='255.255.0.0'>
+ </ip>
+</network>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
new file mode 100644
index 000000000..99d5deb99
--- /dev/null
+++ b/testing/config/kvm/winnetou.xml
@@ -0,0 +1,64 @@
+<domain type='kvm'>
+ <name>winnetou</name>
+ <uuid>b1d3d2f7-e20b-ab95-277e-66d4cac33cc3</uuid>
+ <memory unit='KiB'>131072</memory>
+ <currentMemory unit='KiB'>131072</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.1'>hvm</type>
+ <kernel>/var/run/kvm-swan-kernel</kernel>
+ <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <devices>
+ <emulator>/usr/bin/kvm</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2' cache='writethrough'/>
+ <source file='/var/lib/libvirt/images/winnetou.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <filesystem type='mount' accessmode='mapped'>
+ <source dir='/var/run/kvm-swan-hostfs'/>
+ <target dir='/hostshare'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </filesystem>
+ <interface type='network'>
+ <mac address='52:54:00:4b:23:fa'/>
+ <source network='vnet1'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <serial type='pty'>
+ <target port='0'/>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <input type='tablet' bus='usb'/>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </sound>
+ <video>
+ <model type='cirrus' vram='9216' heads='1'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/testing/do-tests.in b/testing/do-tests
index 82e027078..fafbe6e89 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests
@@ -14,23 +14,16 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-DIR=`dirname $0`
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "Configuration file 'testing.conf' not found"
[ -d $DIR/hosts ] || die "Directory 'hosts' not found"
[ -d $DIR/tests ] || die "Directory 'tests' not found"
+[ -d $BUILDDIR ] ||
+ die "Directory '$BUILDDIR' does not exist, please run make-testing first"
-source $DIR/testing.conf
-
-
-##############################################################################
-# test if UMLs have been built at all
-#
-
-[ -d $BUILDDIR ] || die "Directory '$BUILDDIR' does not exist. Please run 'make-testing'first."
-
+ln -sfT $DIR $TESTDIR/testing
##############################################################################
# take care of new path and file variables
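Review bot: The added guard `[ -d $BUILDDIR ] ||` does not fire when BUILDDIR is unset or empty, because the unquoted expansion reduces it to `[ -d ]`, a one-argument test that is true. The explicit `[ -f $DIR/testing.conf ]` check was removed, so depending on the shell a missing or incomplete testing.conf may get this far. In that case `ln -sfT $DIR $TESTDIR/testing` with an empty TESTDIR would replace `/testing`. Quoting the expansions and failing on an empty value closes both: `[ -d "$BUILDDIR" ] ||` and `ln -sfT "$DIR" "${TESTDIR:?}/testing"`. The same quoting applies to `DIR=$(dirname "$(readlink -f "$0")")`.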
@@ -38,15 +31,15 @@ source $DIR/testing.conf
[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
-TESTDATE=`date +%Y%m%d-%H%M`
+TESTDATE=`date +%Y%m%d-%H%M-%S`
TODAYDIR=$TESTRESULTSDIR/$TESTDATE
mkdir $TODAYDIR
TESTRESULTSHTML=$TODAYDIR/all.html
INDEX=$TODAYDIR/index.html
-DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
+DEFAULTTESTSDIR=$TESTDIR/testing/tests
-SOURCEIP_ROUTING_TABLE=@routing_table@
+SOURCEIP_ROUTING_TABLE=220
testnumber="0"
failed_cnt="0"
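Review bot: `SOURCEIP_ROUTING_TABLE=220` hard-codes a value that the removed line took from the configure substitution `@routing_table@`. The test scripts and the tested build can therefore disagree on the table number if strongSwan in the guests is configured with a different one. A comment on the assignment would record the coupling, for example `# must match the routing table of the strongSwan build under test (was @routing_table@)`. How the variable is consumed lies outside this hunk.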
@@ -105,8 +98,9 @@ done
#
for host in $STRONGSWANHOSTS
do
- ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` &
+ ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` >/dev/null 2>&1 &
eval ssh_pid_$host="`echo $!`"
+ do_on_exit kill `eval echo \\\$ssh_pid_$host`
done
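Review bot: On the added line `ssh $SSHCONF -N root@... >/dev/null 2>&1 &`, stderr is discarded, so a connection that fails (refused, host key, authentication) leaves no trace. Its pid is still stored and registered through `do_on_exit kill`, and by the time the exit handler runs that process may be long gone, leaving the kill to fail or, presumably rarely, hit a reused pid. Keeping the diagnostics in the run directory would make such failures visible, for example `2>>$TODAYDIR/ssh-$host.log` in place of `2>&1`. `do_on_exit` is defined outside this diff section, so how it handles a failing kill cannot be seen here.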
@@ -114,30 +108,27 @@ done
# create header for the results html file
#
-KERNEL_VERSION=`basename $KERNEL .tar.bz2`
-IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2`
-
ENVIRONMENT_HEADER=$(cat <<@EOF
- <table border="0" cellspacing="2">
+ <table border="0" cellspacing="2" cellpadding="2">
<tr valign="top">
- <td><b>Host:</b></td>
+ <td><b>Host</b></td>
<td colspan="3">`uname -a`</td>
</tr>
<tr valign="top">
- <td><b>UML kernel: &nbsp;</b></td>
- <td colspan="3">$KERNEL_VERSION</td>
+ <td><b>Guest kernel</b></td>
+ <td colspan="3">$KERNELVERSION</td>
</tr>
<tr valign="top">
- <td><b>IPsec:</b></td>
- <td colspan="3">$IPSEC_VERSION</td>
+ <td><b>strongSwan</b></td>
+ <td colspan="3">$SWANVERSION</td>
</tr>
<tr valign="top">
- <td><b>Date:</b></td>
+ <td><b>Date</b></td>
<td colspan="3">$TESTDATE</td>
</tr>
<tr>
<td width="100">&nbsp;</td>
- <td width="200">&nbsp;</td>
+ <td width="300">&nbsp;</td>
<td width=" 50">&nbsp;</td>
<td >&nbsp;</td>
</tr>
@@ -147,20 +138,20 @@ ENVIRONMENT_HEADER=$(cat <<@EOF
cat > $INDEX <<@EOF
<html>
<head>
- <title>strongSwan UML Tests</title>
+ <title>strongSwan KVM Tests</title>
</head>
<body>
- <h2>strongSwan UML Tests</h2>
+ <h2>strongSwan KVM Tests</h2>
$ENVIRONMENT_HEADER
@EOF
cat > $TESTRESULTSHTML <<@EOF
<html>
<head>
- <title>strongSwan UML Tests - All Tests</title>
+ <title>strongSwan KVM Tests - All Tests</title>
</head>
<body>
- <div><a href="index.html">strongSwan UML Tests</a> / All Tests</div>
+ <div><a href="index.html">strongSwan KVM Tests</a> / All Tests</div>
<h2>All Tests</h2>
$ENVIRONMENT_HEADER
<tr align="left">
@@ -170,10 +161,10 @@ cat > $TESTRESULTSHTML <<@EOF
</tr>
@EOF
-cecho "UML kernel: $KERNEL_VERSION"
-cecho "IPsec: $IPSEC_VERSION"
-cecho "Date: $TESTDATE"
-cecho ""
+echo "Guest kernel : $KERNELVERSION"
+echo "strongSwan : $SWANVERSION"
+echo "Date : $TESTDATE"
+echo
##############################################################################
@@ -183,10 +174,6 @@ cecho ""
if [ $# -gt 0 ]
then
TESTS=$*
-elif [ $SELECTEDTESTSONLY = "yes" ]
-then
- # set internal field seperator
- TESTS=$SELECTEDTESTS
else
# set internal field seperator
TESTS="`ls $DEFAULTTESTSDIR`"
@@ -208,7 +195,7 @@ do
mkdir $TODAYDIR/$SUBDIR
if [ $testnumber == 0 ]
then
- FIRST="<b>Category:</b"
+ FIRST="<b>Category</b>"
else
FIRST="&nbsp;"
fi
@@ -225,24 +212,24 @@ do
<title>strongSwan $SUBDIR Tests</title>
</head>
<body>
- <div><a href="../index.html">strongSwan UML Tests</a> / $SUBDIR</div>
+ <div><a href="../index.html">strongSwan KVM Tests</a> / $SUBDIR</div>
<h2>strongSwan $SUBDIR Tests</h2>
- <table border="0" cellspacing="2">
+ <table border="0" cellspacing="2" cellpadding="2">
<tr valign="top">
- <td><b>UML kernel: &nbsp;</b></td>
- <td colspan="3">$KERNEL_VERSION</td>
+ <td><b>Guest kernel</b></td>
+ <td colspan="3">$KERNELVERSION</td>
</tr>
<tr valign="top">
- <td><b>IPsec:</b></td>
- <td colspan="3">$IPSEC_VERSION</td>
+ <td><b>strongSwan</b></td>
+ <td colspan="3">$SWANVERSION</td>
</tr>
<tr valign="top">
- <td><b>Date:</b></td>
+ <td><b>Date</b></td>
<td colspan="3">$TESTDATE</td>
</tr>
<tr>
<td width="100">&nbsp;</td>
- <td width="200">&nbsp;</td>
+ <td width="300">&nbsp;</td>
<td width=" 50">&nbsp;</td>
<td >&nbsp;</td>
</tr>
@@ -258,11 +245,11 @@ do
do
let "testnumber += 1"
testname=$SUBDIR/$name
- cecho-n " $testnumber $testname.."
+ log_action " $testnumber $testname:"
if [ ! -d $DEFAULTTESTSDIR/${testname} ]
then
- cecho "is missing..skipped"
+ echo "is missing..skipped"
continue
fi
@@ -390,7 +377,7 @@ do
# execute pre-test commands
#
- cecho-n "pre.."
+ echo -n "pre.."
echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
eval `awk -F "::" '{
@@ -419,7 +406,7 @@ do
# get and evaluate test results
#
- cecho-n "test.."
+ echo -n "test.."
echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
STATUS="passed"
@@ -476,7 +463,7 @@ do
<body>
<table border="0" cellpadding="0" cellspacing="0" width="600">
<tr><td>
- <div><a href="../../index.html">strongSwan UML Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
+ <div><a href="../../index.html">strongSwan KVM Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
<h2>Test $testname</h2>
<h3>Description</h3>
@EOF
@@ -487,7 +474,7 @@ do
<ul>
<li><a href="console.log">console.log</a></li>
</ul>
- <img src="../../images/$DIAGRAM" alt="$UMLHOSTS">
+ <img src="../../images/$DIAGRAM" alt="$VIRTHOSTS">
@EOF
for host in $IPSECHOSTS
@@ -507,7 +494,7 @@ do
done
scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
- $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1
+ $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1
ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
> $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
@@ -558,15 +545,18 @@ do
for file in clients.conf eap.conf radiusd.conf proxy.conf users
do
- scp $SSHCONF $HOSTLOGIN:/etc/raddb/$file \
+ scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
$TESTRESULTDIR/${host}.$file > /dev/null 2>&1
done
scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
$TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1
- scp $SSHCONF $HOSTLOGIN:/var/log/radius/radius.log \
- $TESTRESULTDIR/${host}.radius.log > /dev/null 2>&1
+ scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
+ $TESTRESULTDIR/${host}.radius.log > /dev/null 2>&1
+
+ ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
+ >> $TESTRESULTDIR/${host}.daemon.log
chmod a+r $TESTRESULTDIR/*
cat >> $TESTRESULTDIR/index.html <<@EOF
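Review bot: This block copies the RADIUS `users` and `clients.conf` files and `radius.log` into `$TESTRESULTDIR`, and the `chmod a+r $TESTRESULTDIR/*` after it makes them world-readable before the results tree (presumably containing this directory) is copied under the web root at the end of the script. The `radiusd.conf` moved in this same commit keeps `auth_badpass = yes` and `auth_goodpass = yes`, so the collected log can carry cleartext passwords alongside the shared secret. That is only acceptable while every credential is a throwaway testbed value. A comment above the collection loop, e.g. `# results are published unauthenticated: testbed credentials only`, would make that assumption explicit. The enclosing host loop starts outside the hunk.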
@@ -600,6 +590,28 @@ do
done
cat >> $TESTRESULTDIR/index.html <<@EOF
+ <h3>tcpdump</h3>
+ <ul>
+@EOF
+
+ for host in $TCPDUMPHOSTS
+ do
+ eval HOSTLOGIN=root@\$ipv4_${host}
+
+ scp $SSHCONF $HOSTLOGIN:/tmp/tcpdump.log \
+ $TESTRESULTDIR/${host}.tcpdump.log > /dev/null 2>&1
+
+ cat >> $TESTRESULTDIR/index.html <<@EOF
+ <li><a href="$host.tcpdump.log">$host tcpdump.log</a></li>
+@EOF
+
+ done
+
+ cat >> $TESTRESULTDIR/index.html <<@EOF
+ </ul>
+@EOF
+
+ cat >> $TESTRESULTDIR/index.html <<@EOF
</td></tr>
</table>
</body>
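Review bot: The new tcpdump loop discards the `scp` result (`> /dev/null 2>&1`, status unchecked) and then always appends the `<li>` link, so a host whose capture could not be fetched gets a dead link in `index.html` with no hint that collection failed. Making the link conditional on the copy succeeding keeps the published report consistent with what was actually retrieved. The closing `</ul>` heredoc and the one that follows it could also be merged into a single `cat`, since nothing runs between them.

```shell
for host in $TCPDUMPHOSTS
do
	eval HOSTLOGIN=root@\$ipv4_${host}

	# only link a capture that was actually retrieved
	if scp $SSHCONF $HOSTLOGIN:/tmp/tcpdump.log \
		$TESTRESULTDIR/${host}.tcpdump.log > /dev/null 2>&1
	then
		cat >> $TESTRESULTDIR/index.html <<@EOF
	<li><a href="$host.tcpdump.log">$host tcpdump.log</a></li>
@EOF
	fi
done
```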
@@ -611,7 +623,7 @@ do
# execute post-test commands
#
- cecho-n "post.."
+ echo -n "post"
echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
eval `awk -F "::" '{
@@ -649,18 +661,6 @@ do
##########################################################################
- # get a copy of /var/log/daemon.log
- #
-
- for host in $RADIUSHOSTS
- do
- eval HOSTLOGIN=root@\$ipv4_${host}
- ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
- >> $TESTRESULTDIR/${host}.daemon.log
- done
-
-
- ##########################################################################
# stop tcpdump if necessary
#
@@ -688,11 +688,11 @@ do
if [ $STATUS = "passed" ]
then
- COLOR="green"
- cecho "\033[1;32m$STATUS"
+ COLOR="green"
+ log_status 0
else
- COLOR="red"
- cecho "$STATUS"
+ COLOR="red"
+ log_status 1
fi
cat >> $TESTRESULTSHTML << @EOF
@@ -737,10 +737,10 @@ cat >> $TESTRESULTSHTML << @EOF
<td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
</tr>
<tr>
- <td><b>Passed:</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+ <td><b>Passed</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
</tr>
<tr>
- <td><b>Failed:</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+ <td><b>Failed</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
</tr>
</table>
</body>
@@ -757,7 +757,7 @@ cat >> $INDEX << @EOF
<td>&nbsp;</td>
</tr>
<tr>
- <td><b>Failed:</b></td>
+ <td><b>Failed</b></td>
<td>&nbsp;</td>
<td align="right"><b><font color="red">$failed_cnt</font></b></td>
<td>&nbsp;</td>
@@ -767,33 +767,25 @@ cat >> $INDEX << @EOF
</html>
@EOF
-cecho ""
-cecho "\033[1;32mPassed: $passed_cnt"
-cecho "Failed: $failed_cnt"
-cecho ""
+echo
+echo_ok "Passed : $passed_cnt"
+echo_failed "Failed : $failed_cnt"
+echo
##############################################################################
# copy the test results to the apache server
#
-HTDOCS="/var/www/localhost/htdocs"
+HTDOCS="/var/www"
-cecho-n "Copying test results to winnetou.."
ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
-cgecho "done"
-cecho ""
-cecho "The results are available in $TODAYDIR"
-cecho "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
-
-
-##########################################################################
-# close ssh sessions
-#
-for host in $STRONGSWANHOSTS
-do
- kill `eval echo \\\$ssh_pid_$host`
-done
+echo
+echo "The results are available in $TODAYDIR"
+echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
+ENDDATE=`date +%Y%m%d-%H%M`
+echo
+echo "Finished : $ENDDATE"
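Review bot: A failed upload to winnetou now leaves no trace, because the `ssh`/`scp`/`ssh` publishing sequence still sends all output to `/dev/null` and never checks an exit status, while this hunk removes the `Copying test results to winnetou..` / `done` progress lines. The script then prints the `http://$ipv4_winnetou/testresults/$TESTDATE` link regardless. Reporting the status of at least the copy, e.g. `scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1 || echo_failed "copy to winnetou failed"`, would keep the final message honest. The `ln -s` will also fail quietly if the link already exists from an earlier run with the same `$TESTDATE`.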
diff --git a/testing/hosts/alice/etc/conf.d/hostname b/testing/hosts/alice/etc/conf.d/hostname
deleted file mode 100644
index 2012e0451..000000000
--- a/testing/hosts/alice/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=alice
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
deleted file mode 100644
index 41e8887c4..000000000
--- a/testing/hosts/alice/etc/conf.d/net
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
- "PH_IP6_ALICE/16" )
-config_eth1=( "PH_IP_ALICE1 broadcast 192.168.0.255 netmask 255.255.255.0"
- "PH_IP6_ALICE1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_MOON1" )
diff --git a/testing/hosts/alice/etc/freeradius/clients.conf b/testing/hosts/alice/etc/freeradius/clients.conf
new file mode 100644
index 000000000..5fb47a2ad
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/clients.conf
@@ -0,0 +1,4 @@
+client 10.1.0.1 {
+ secret = gv6URkSs
+ shortname = moon
+}
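Review bot: The RADIUS shared secret is committed in clear text with nothing marking it as a fixture value. The test script changed in this commit copies `clients.conf` into the result directory that is later published over HTTP, so the value has to be treated as public. A leading comment such as `# testbed-only shared secret, published with the test results - never reuse` would keep it from being carried over into a real deployment.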
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
new file mode 100644
index 000000000..59a874b3e
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -0,0 +1,32 @@
+#
+# This is the master dictionary file, which references the
+# pre-defined dictionary files included with the server.
+#
+# Any new/changed attributes MUST be placed in this file, as
+# the pre-defined dictionaries SHOULD NOT be edited.
+#
+# $Id$
+#
+
+#
+# The filename given here should be an absolute path.
+#
+$INCLUDE /usr/local/share/freeradius/dictionary
+
+#
+# Place additional attributes or $INCLUDEs here. They will
+# over-ride the definitions in the pre-defined dictionaries.
+#
+# See the 'man' page for 'dictionary' for information on
+# the format of the dictionary files.
+
+#
+# If you want to add entries to the dictionary file,
+# which are NOT going to be placed in a RADIUS packet,
+# add them here. The numbers you pick should be between
+# 3000 and 4000.
+#
+
+#ATTRIBUTE My-Local-String 3000 string
+#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
+#ATTRIBUTE My-Local-Integer 3002 integer
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
index 1143a0473..e4f721738 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -5,16 +5,16 @@ exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
+logdir = ${localstatedir}/log/freeradius
+raddbdir = ${sysconfdir}/freeradius
radacctdir = ${logdir}/radacct
# name of the running server. See also the "-n" command-line option.
-name = radiusd
+name = freeradius
# Location of config and logfiles.
confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
+run_dir = ${localstatedir}/run
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
@@ -37,7 +37,7 @@ max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
listen {
type = auth
- ipaddr = PH_IP_ALICE
+ ipaddr = 10.1.0.10
port = 0
}
@@ -46,7 +46,7 @@ listen {
#
listen {
type = acct
- ipaddr = PH_IP_ALICE
+ ipaddr = 10.1.0.10
port = 0
}
@@ -66,9 +66,9 @@ log {
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
}
# The program to execute to do concurrency checks.
diff --git a/testing/hosts/alice/etc/hostname b/testing/hosts/alice/etc/hostname
new file mode 100644
index 000000000..c9fc40bfb
--- /dev/null
+++ b/testing/hosts/alice/etc/hostname
@@ -0,0 +1 @@
+alice
diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1097ac5a4..000000000
--- a/testing/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/init.d/net.eth1 b/testing/hosts/alice/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/init.d/radiusd b/testing/hosts/alice/etc/init.d/radiusd
deleted file mode 100755
index 8334385f9..000000000
--- a/testing/hosts/alice/etc/init.d/radiusd
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/sbin/runscript
-
-opts="${opts} reload"
-
-depend() {
- need net
- use dns
-}
-
-checkconfig() {
- # set the location of log files
- if ! cd /var/log/radius ; then
- eerror "Failed to change current directory to /var/log/radius"
- return 1
- fi
-
- if [ ! -d /var/run/radiusd ] && ! mkdir /var/run/radiusd ; then
- eerror "Failed to create /var/run/radiusd"
- return 1
- fi
-
- if [ ! -f /etc/raddb/radiusd.conf ] ; then
- eerror "No /etc/raddb/radiusd.conf file exists!"
- return 1
- fi
-
- RADIUSD_OPTS="-xx"
- RADIUSD_USER=`grep '^ *user *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
- RADIUSD_GROUP=`grep '^ *group *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
- if [ -n "${RADIUSD_USER}" ] && ! getent passwd ${RADIUSD_USER} > /dev/null ; then
- eerror "${RADIUSD_USER} user missing!"
- return 1
- fi
- if [ -n "${RADIUSD_GROUP}" ] && ! getent group ${RADIUSD_GROUP} > /dev/null ; then
- eerror "${RADIUSD_GROUP} group missing!"
- return 1
- fi
-
- # radius.log is created before privileges are dropped - need to set proper permissions on it
- [ -f radius.log ] || touch radius.log || return 1
-
- chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \
- chmod -R u+rwX,g+rX . /var/run/radiusd || return 1
-}
-
-start() {
- checkconfig || return 1
-
- ebegin "Starting radiusd"
- start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS} >/dev/null
- eend $?
-}
-
-stop () {
- ebegin "Stopping radiusd"
- start-stop-daemon --stop --quiet --pidfile=/var/run/radiusd/radiusd.pid
- eend $?
-}
-
-reload () {
- ebegin "Reloading radiusd"
- kill -HUP `</var/run/radiusd/radiusd.pid`
- eend $?
-}
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
index 0671537e9..6d8aa629d 100755..100644
--- a/testing/hosts/alice/etc/ipsec.conf
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn nat-t
leftcert=aliceCert.pem
leftid=alice@strongswan.org
leftfirewall=yes
- right=PH_IP_SUN
+ right=192.168.0.2
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add
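Review bot: The literal `right=192.168.0.2` replaces the `PH_IP_SUN` placeholder without saying which host the address belongs to, so the peer address is now a hard-coded copy of whatever the test network defines. An indented comment above it, such as `# sun (peer gateway) - keep in sync with the test network addressing`, would make a later renumbering easier to catch. That the address is sun's is inferred from `rightid=@sun.strongswan.org`, and the `conn nat-t` section starts outside the hunk, so confirm against the full file.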
diff --git a/testing/hosts/alice/etc/network/interfaces b/testing/hosts/alice/etc/network/interfaces
new file mode 100644
index 000000000..6fcbaa597
--- /dev/null
+++ b/testing/hosts/alice/etc/network/interfaces
@@ -0,0 +1,20 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 10.1.0.10
+ netmask 255.255.0.0
+ broadcast 10.1.255.255
+ gateway 10.1.0.1
+iface eth0 inet6 static
+ address fec1::10
+ netmask 16
+
+iface eth1 inet static
+ address 192.168.0.50
+ netmask 255.255.255.0
+ broadcast 192.168.0.255
+iface eth1 inet6 static
+ address fec0::5
+ netmask 16
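Review bot: `eth1` gets static IPv4 and IPv6 stanzas but, unlike `lo` and `eth0`, has no `auto eth1` line, so `ifup -a` at boot will leave it unconfigured. If that is intended (for example, the interface is only raised by particular test scenarios), say so above the stanza with something like `# eth1 is brought up on demand, not at boot`; otherwise add `auto eth1`. The IPv6 stanzas also use the `fec0::`/`fec1::` site-local prefixes, which RFC 3879 deprecated. That is acceptable on an isolated test network but worth a short comment so the addresses are not copied into a real deployment.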
diff --git a/testing/hosts/alice/etc/runlevels/default/net.eth0 b/testing/hosts/alice/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname
deleted file mode 100644
index bbf5a2ea6..000000000
--- a/testing/hosts/bob/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=bob
diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net
deleted file mode 100644
index bd0b3a5ce..000000000
--- a/testing/hosts/bob/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0"
- "PH_IP6_BOB/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_SUN1" )
diff --git a/testing/hosts/bob/etc/hostname b/testing/hosts/bob/etc/hostname
new file mode 100644
index 000000000..696fb6baa
--- /dev/null
+++ b/testing/hosts/bob/etc/hostname
@@ -0,0 +1 @@
+bob
diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables
deleted file mode 100755
index 7b8756b81..000000000
--- a/testing/hosts/bob/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/bob/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
index 5896c3436..5896c3436 100755..100644
--- a/testing/hosts/bob/etc/ipsec.conf
+++ b/testing/hosts/bob/etc/ipsec.conf
diff --git a/testing/hosts/bob/etc/network/interfaces b/testing/hosts/bob/etc/network/interfaces
new file mode 100644
index 000000000..eca4f8fe7
--- /dev/null
+++ b/testing/hosts/bob/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 10.2.0.10
+ netmask 255.255.0.0
+ broadcast 10.2.255.255
+ gateway 10.2.0.1
+iface eth0 inet6 static
+ address fec2::10
+ netmask 16
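Review bot: The `iface eth0 inet6 static` stanza sets no `gateway`, while the `inet` stanza above it routes through 10.2.0.1, so this file gives bob an IPv6 address but no IPv6 default route. If that is deliberate (for example because the test scenarios install their own IPv6 routes, which this hunk does not show), a comment such as `# no inet6 gateway: IPv6 routes are added per scenario` above the stanza would keep it from being read as an omission. Separately, `fec2::10` lies in the site-local range fec0::/10 that RFC 3879 deprecated; that is harmless on an isolated test network, but a one-line comment marking the address as test-only would help anyone who copies this file elsewhere.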
diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/bob/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/carol/etc/conf.d/hostname b/testing/hosts/carol/etc/conf.d/hostname
deleted file mode 100644
index d5101b924..000000000
--- a/testing/hosts/carol/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=carol
diff --git a/testing/hosts/carol/etc/conf.d/net b/testing/hosts/carol/etc/conf.d/net
deleted file mode 100644
index f7f685942..000000000
--- a/testing/hosts/carol/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_CAROL broadcast 192.168.0.255 netmask 255.255.255.0"
- "PH_IP6_CAROL/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/carol/etc/hostname b/testing/hosts/carol/etc/hostname
new file mode 100644
index 000000000..da4b06358
--- /dev/null
+++ b/testing/hosts/carol/etc/hostname
@@ -0,0 +1 @@
+carol
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6ff11a424..000000000
--- a/testing/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/carol/etc/init.d/net.eth0 b/testing/hosts/carol/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/carol/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index 0848ee716..d2d481b68 100755..100644
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -9,11 +9,11 @@ conn %default
keyingtries=1
conn home
- left=PH_IP_CAROL
+ left=192.168.0.100
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
- right=PH_IP_MOON
+ right=192.168.0.1
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
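Review bot: The literal addresses now written into `left=` and `right=` duplicate values defined in other files, and nothing in ipsec.conf records that. `left=192.168.0.100` is the same address this commit assigns to eth0 in testing/hosts/carol/etc/network/interfaces, so the two files have to change together. A one-line comment above `conn home` would make the coupling explicit, for example `# left must match the eth0 address in /etc/network/interfaces`. Where the peer address behind `right=192.168.0.1` is defined is not visible here; presumably it is the corresponding file for moon, which would merit the same comment.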
diff --git a/testing/hosts/carol/etc/network/interfaces b/testing/hosts/carol/etc/network/interfaces
new file mode 100644
index 000000000..67bc73359
--- /dev/null
+++ b/testing/hosts/carol/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 192.168.0.100
+ netmask 255.255.255.0
+ broadcast 192.168.0.255
+ gateway 192.168.0.254
+iface eth0 inet6 static
+ address fec0::10
+ netmask 16
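Review bot: The IPv6 stanza uses `fec0::10`, which lies in the site-local range fec0::/10 that RFC 3879 deprecated, and the file has no comment explaining the choice. If the test network depends on this prefix (the other hosts are not visible here), a comment above `iface eth0 inet6 static` such as `# fec0::/16: IPv6 prefix of the test network (deprecated site-local range)` would keep a reader from copying it into a real deployment. The stanza also sets no IPv6 gateway while the IPv4 one has `gateway 192.168.0.254`; it is worth confirming that this is intended.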
diff --git a/testing/hosts/carol/etc/runlevels/default/net.eth0 b/testing/hosts/carol/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/carol/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname
deleted file mode 100644
index c3fabf331..000000000
--- a/testing/hosts/dave/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=dave
diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net
deleted file mode 100644
index 2b902525a..000000000
--- a/testing/hosts/dave/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0"
- "PH_IP6_DAVE/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/dave/etc/hostname b/testing/hosts/dave/etc/hostname
new file mode 100644
index 000000000..9fcf7b10e
--- /dev/null
+++ b/testing/hosts/dave/etc/hostname
@@ -0,0 +1 @@
+dave
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6ff11a424..000000000
--- a/testing/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/dave/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
index 96502581e..5c546e260 100755..100644
--- a/testing/hosts/dave/etc/ipsec.conf
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -9,11 +9,11 @@ conn %default
keyingtries=1
conn home
- left=PH_IP_DAVE
+ left=192.168.0.200
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
- right=PH_IP_MOON
+ right=192.168.0.1
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
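Review bot: The literal `left=192.168.0.200` and `right=192.168.0.1` in `conn home` duplicate addressing that this commit also sets in testing/hosts/dave/etc/network/interfaces (`address 192.168.0.200`), and nothing in the file says the two must stay in step. With the PH_IP_DAVE / PH_IP_MOON placeholders gone, a renumbering of the test network that misses this file would leave the connection aimed at the wrong endpoint. Because `rightid=@moon.strongswan.org` is still checked, that would presumably surface as a failed negotiation rather than a connection to another host, but it would read as a test regression. I would add a comment above `conn home`, for example `# left/right are dave's and moon's eth0 addresses; keep in sync with etc/network/interfaces`. The section may continue past the end of the hunk.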
diff --git a/testing/hosts/dave/etc/network/interfaces b/testing/hosts/dave/etc/network/interfaces
new file mode 100644
index 000000000..59e526751
--- /dev/null
+++ b/testing/hosts/dave/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 192.168.0.200
+ netmask 255.255.255.0
+ broadcast 192.168.0.255
+ gateway 192.168.0.254
+iface eth0 inet6 static
+ address fec0::20
+ netmask 16
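Review bot: The `inet6` stanza assigns `address fec0::20` with `netmask 16`, which is site-local space deprecated by RFC 3879, and the new file has no comment marking it as lab-only addressing. This is presumably deliberate for the test network, but a reader copying the fixture as a template has no way to tell. A header line such as `# Test host dave: static lab addressing only; fec0::/16 is deprecated site-local space (RFC 3879)` would make that explicit. If the suite is ever renumbered, a unique local prefix from fc00::/7 (RFC 4193) is the current equivalent.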
diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/dave/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/default/etc/default/slapd b/testing/hosts/default/etc/default/slapd
new file mode 100644
index 000000000..a4a0a6e2a
--- /dev/null
+++ b/testing/hosts/default/etc/default/slapd
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=/etc/ldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/testing/hosts/default/etc/fstab b/testing/hosts/default/etc/fstab
new file mode 100644
index 000000000..12747232e
--- /dev/null
+++ b/testing/hosts/default/etc/fstab
@@ -0,0 +1 @@
+/hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0
diff --git a/testing/hosts/default/etc/ip6tables.flush b/testing/hosts/default/etc/ip6tables.flush
new file mode 100644
index 000000000..c3f5a9254
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.flush
@@ -0,0 +1,15 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/ip6tables.rules b/testing/hosts/default/etc/ip6tables.rules
new file mode 100644
index 000000000..6a2c6af8e
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow last UDP fragment
+-A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# allow crl and certficate fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s fec0::15 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d fec0::15 -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
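Review bot: The two "crl and certficate fetch" rules match only on address and port, so the INPUT rule accepts any TCP segment from fec0::15 with source port 80 to any local port, not just replies to a fetch this host started. If connection tracking is available in the test kernel, the reply direction could be limited with `-A INPUT -i eth0 -p tcp --sport 80 -s fec0::15 -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The same pattern appears in iptables.rules for 192.168.0.150. The comment also has a typo ("certficate"). This file has no ssh rule while iptables.rules does, which is worth a one-line comment if it is intentional.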
diff --git a/testing/hosts/default/etc/iptables.drop b/testing/hosts/default/etc/iptables.drop
new file mode 100644
index 000000000..445c45669
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.drop
@@ -0,0 +1,12 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.flush b/testing/hosts/default/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.rules b/testing/hosts/default/etc/iptables.rules
new file mode 100644
index 000000000..c3f036cf9
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/profile.d/coredumps.sh b/testing/hosts/default/etc/profile.d/coredumps.sh
new file mode 100644
index 000000000..ea44c0ef6
--- /dev/null
+++ b/testing/hosts/default/etc/profile.d/coredumps.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+ulimit -c unlimited >/dev/null 2>&1
+install -m 1777 -d /var/local/dumps >/dev/null 2>&1
+echo "/var/local/dumps/core.%e.%p" > /proc/sys/kernel/core_pattern
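Review bot: The write to /proc/sys/kernel/core_pattern is the only line here without an stderr redirect, and it runs on every login. Assuming the file is sourced from /etc/profile like other profile.d snippets, the `-e` in the shebang has no effect and a non-root login would print a permission error. Either guard it, `[ "$(id -u)" -eq 0 ] && echo "/var/local/dumps/core.%e.%p" > /proc/sys/kernel/core_pattern`, or set it once at boot with `kernel.core_pattern = /var/local/dumps/core.%e.%p` in the sysctl.conf added by this commit. A comment noting that the 1777 dump directory is meant for the test guests only would also help, since core files can contain key material.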
diff --git a/testing/hosts/default/etc/rsyslog.conf b/testing/hosts/default/etc/rsyslog.conf
new file mode 100644
index 000000000..9f76da36e
--- /dev/null
+++ b/testing/hosts/default/etc/rsyslog.conf
@@ -0,0 +1,125 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# Don't drop messages
+$SystemLogRateLimitInterval 0
+$RepeatedMsgReduction off
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* /var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
diff --git a/testing/hosts/default/etc/security/limits.conf b/testing/hosts/default/etc/security/limits.conf
new file mode 100644
index 000000000..2658b3236
--- /dev/null
+++ b/testing/hosts/default/etc/security/limits.conf
@@ -0,0 +1,58 @@
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - an user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, <domain> must be
+# the literal username root.
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open files
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#root hard core 100000
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+
+* soft core unlimited
+
+# End of file
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
new file mode 100644
index 000000000..07b7e78e5
--- /dev/null
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -0,0 +1,13 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+UsePrivilegeSeparation no
+PermitRootLogin yes
+StrictModes no
+PubkeyAuthentication no
+PermitEmptyPasswords yes
+PrintMotd no
+PrintLastLog no
+UsePAM no
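Review bot: Nothing in this file says it is meant only for the test guests, yet it combines `PermitRootLogin yes`, `PermitEmptyPasswords yes`, `PubkeyAuthentication no`, `StrictModes no` and `UsePrivilegeSeparation no`. I would add a header comment such as `# test guests only: passwordless root login for the test harness, never use outside the isolated test network`. The ssh rules in iptables.rules and iptables.drop are not bound to an interface, so port 22 is reachable on every network the guest is attached to. If the harness only connects over one interface, adding `-i` to those rules would narrow that.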
diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf
new file mode 100644
index 000000000..43010d52e
--- /dev/null
+++ b/testing/hosts/default/etc/sysctl.conf
@@ -0,0 +1,62 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+
+# Enable coredump for suid binaries
+fs.suid_dumpable = 1
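Review bot: `fs.suid_dumpable = 1` is the kernel's "debug" mode, where cores of setuid processes are written as the current user with no extra protection, and coredumps.sh in this commit points them at a world-writable directory. Because the core pattern there is an absolute path, `fs.suid_dumpable = 2` should also work and keeps those dumps readable by root only, unless the tests rely on mode 1. The stock comments "Uncomment the next line to enable packet forwarding" now sit above lines that are already active, so they could be reworded to say forwarding is enabled for the gateway tests.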
diff --git a/testing/hosts/default/root/.ssh/config b/testing/hosts/default/root/.ssh/config
new file mode 100644
index 000000000..aa102a144
--- /dev/null
+++ b/testing/hosts/default/root/.ssh/config
@@ -0,0 +1,3 @@
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
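Review bot: `Host *` turns off host key verification for every destination root connects to from a guest, not only the other test guests whose keys change on each rebuild. Restricting the pattern to the test hosts, for example `Host <test-guest-names-or-subnets>`, keeps the convenience without affecting any other ssh connection made from the image. A one-line comment explaining why the known-hosts file is discarded would also help.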
diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection
new file mode 100755
index 000000000..10a709255
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/expect-connection
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Wait until a given IPsec connection becomes available
+#
+# Params:
+# $1 - connection name
+# $2 - maximum time to wait in seconds, default is 5 seconds
+
+if [[ $# -lt 1 || $# -gt 2 ]]
+then
+ echo "invalid arguments"
+ exit 1
+fi
+
+secs=$2
+[ ! $secs ] && secs=5
+
+let steps=$secs*10
+for i in `seq 1 $steps`
+do
+ ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null
+ [ $? -eq 0 ] && exit 0
+ sleep 0.1
+done
+
+echo "Connection '$1' not available after $secs second(s)"
+exit 1
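Review bot: The timeout in `$2` reaches `let steps=$secs*10` without any check that it is a number, so `let` evaluates whatever string was passed as an arithmetic expression. `$1` is also spliced unquoted into the grep pattern, where the shell can glob-expand it, and `[ ! $secs ]` misparses a value containing spaces. Defaulting with `${2:-5}`, rejecting a non-integer timeout and quoting the pattern fixes all three; `grep -q` then replaces the redirect and the `$?` test. The connection name is still interpreted as a regular expression, which is worth a line in the header comment.

```bash
secs=${2:-5}
if ! [[ $secs =~ ^[0-9]+$ ]]
then
	echo "invalid timeout '$secs'"
	exit 1
fi

steps=$((secs * 10))
for ((i = 0; i < steps; i++))
do
	ipsec statusall 2>&1 | grep -q "^[[:space:]]*$1:" && exit 0
	sleep 0.1
done
# … unchanged: "not available" message and exit 1 …
```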
diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname
deleted file mode 100644
index 78e695337..000000000
--- a/testing/hosts/moon/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=moon
diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net
deleted file mode 100644
index 7f09fd8a5..000000000
--- a/testing/hosts/moon/etc/conf.d/net
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0"
- "PH_IP6_MOON/16" )
-config_eth1=( "PH_IP_MOON1 broadcast 10.1.255.255 netmask 255.255.0.0"
- "PH_IP6_MOON1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/moon/etc/hostname b/testing/hosts/moon/etc/hostname
new file mode 100644
index 000000000..605185ef1
--- /dev/null
+++ b/testing/hosts/moon/etc/hostname
@@ -0,0 +1 @@
+moon
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5fa80b26..000000000
--- a/testing/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index 6ee481e49..623e75d0a 100755..100644
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -7,20 +7,20 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- left=PH_IP_MOON
+ left=192.168.0.1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
conn net-net
leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
+ right=192.168.0.2
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
auto=add
-
+
conn host-host
- right=PH_IP_SUN
+ right=192.168.0.2
rightid=@sun.strongswan.org
auto=add
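Review bot: `left=192.168.0.1` in `conn %default` and `right=192.168.0.2` in `conn net-net` and `conn host-host` are now literals with no comment saying which host and interface they belong to. The file therefore has to stay in step with the eth0 address set in testing/hosts/moon/etc/network/interfaces, and nothing makes that dependency visible. A one-line comment above each, such as `# moon eth0, keep in sync with /etc/network/interfaces`, would do it; 192.168.0.2 is presumably sun's address, judging by `rightid=@sun.strongswan.org`. The `-`/`+` pair just before `conn host-host` looks like a whitespace-only change and could be left out of the commit.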
diff --git a/testing/hosts/moon/etc/network/interfaces b/testing/hosts/moon/etc/network/interfaces
new file mode 100644
index 000000000..fde2f102f
--- /dev/null
+++ b/testing/hosts/moon/etc/network/interfaces
@@ -0,0 +1,21 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 192.168.0.1
+ netmask 255.255.255.0
+ broadcast 192.168.0.255
+ gateway 192.168.0.254
+iface eth0 inet6 static
+ address fec0::1
+ netmask 16
+
+auto eth1
+iface eth1 inet static
+ address 10.1.0.1
+ netmask 255.255.0.0
+ broadcast 10.1.255.255
+iface eth1 inet6 static
+ address fec1::1
+ netmask 16
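Review bot: The `inet6 static` stanzas give eth0 and eth1 the addresses `fec0::1` and `fec1::1`, which lie in the site-local range fec0::/10 that RFC 3879 deprecated, and nothing in the file says this is deliberate. If the rest of the test environment depends on these addresses, a comment at the top such as `# fec0::/fec1:: are test-lab addresses only, not for use outside the test network` would record that; otherwise unique local addresses (fd00::/8) are the current equivalent. It would also help to note next to eth1 that 10.1.0.1 with netmask 255.255.0.0 is the network given as `leftsubnet=10.1.0.0/16` in ipsec.conf.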
diff --git a/testing/hosts/moon/etc/rc.local b/testing/hosts/moon/etc/rc.local
new file mode 100755
index 000000000..8649a2bcb
--- /dev/null
+++ b/testing/hosts/moon/etc/rc.local
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+
+# Disable checksum offloading on eth1 because it does not currently work with
+# libvirt and isc-dhcp-server running on venus, see [1]
+# [1] - https://bugs.mageia.org/show_bug.cgi?id=1243
+
+ethtool --offload eth1 tx off >/dev/null 2>&1
+ethtool --offload eth1 rx off >/dev/null 2>&1
+
+exit 0
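Review bot: Under `#!/bin/sh -e`, a failing `ethtool --offload eth1 tx off` aborts the script before `exit 0` is reached, and because both calls redirect stdout and stderr to /dev/null the cause is never shown. The header comment says a non-zero exit signals an error, so if that is not intended for a missing ethtool or a missing eth1, keep the failure visible and non-fatal: `ethtool --offload eth1 tx off >/dev/null || echo "rc.local: cannot disable tx offload on eth1" >&2`, and the same for `rx`. The `-e` in the shebang is also lost when the file is run as `sh rc.local`; a `set -e` line in the body would keep it.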
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/runlevels/default/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/ssh_host_rsa_key.pub b/testing/hosts/ssh_host_rsa_key.pub
deleted file mode 100644
index a5f71de4e..000000000
--- a/testing/hosts/ssh_host_rsa_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsxKfTm05po6leGD8C+M0eAR5EE4s1pQXc0D/dVlqrmfZ65h5BFQY9lnwpCvapV6OVqKWx8ICmeIH3OhaPxPPNKlU81f3d0xgh8BRJpWh459DYkRVa5f7ax5eeFE1lelj9s1d0seUl/IZolpJ8Wmt9TN1hwJ0mrkwN4670rb3urc=
diff --git a/testing/hosts/sun/etc/conf.d/hostname b/testing/hosts/sun/etc/conf.d/hostname
deleted file mode 100644
index bc042b68b..000000000
--- a/testing/hosts/sun/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=sun
diff --git a/testing/hosts/sun/etc/conf.d/net b/testing/hosts/sun/etc/conf.d/net
deleted file mode 100644
index 4a6370ab7..000000000
--- a/testing/hosts/sun/etc/conf.d/net
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_SUN broadcast 192.168.0.255 netmask 255.255.255.0"
- "PH_IP6_SUN/16" )
-config_eth1=( "PH_IP_SUN1 broadcast 10.2.255.255 netmask 255.255.0.0"
- "PH_IP6_SUN1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
-
-
diff --git a/testing/hosts/sun/etc/hostname b/testing/hosts/sun/etc/hostname
new file mode 100644
index 000000000..692699759
--- /dev/null
+++ b/testing/hosts/sun/etc/hostname
@@ -0,0 +1 @@
+sun
diff --git a/testing/hosts/sun/etc/init.d/iptables b/testing/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index aeaf472fb..000000000
--- a/testing/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/sun/etc/init.d/net.eth0 b/testing/hosts/sun/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/init.d/net.eth1 b/testing/hosts/sun/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
index 277928ec1..2f979f122 100755..100644
--- a/testing/hosts/sun/etc/ipsec.conf
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -7,20 +7,20 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
- left=PH_IP_SUN
+ left=192.168.0.2
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftfirewall=yes
conn net-net
leftsubnet=10.2.0.0/16
- right=PH_IP_MOON
+ right=192.168.0.1
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
conn host-host
- right=PH_IP_MOON
+ right=192.168.0.1
rightid=@moon.strongswan.org
auto=add
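Review bot: The literal `left=192.168.0.2` in `conn %default` now has to stay in step with the `address 192.168.0.2` that this commit adds for eth0 in testing/hosts/sun/etc/network/interfaces, and neither file says so. The same holds for `right=192.168.0.1` in `conn net-net` and `conn host-host`, which is presumably moon's address; moon's files are not visible in this part of the diff. With the PH_IP_* placeholders gone, a stale address would likely surface only when the connection fails to come up, so I would add an indented comment above `left=` such as `# must match eth0 in /etc/network/interfaces on this host` and a matching one above the first `right=`.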
diff --git a/testing/hosts/sun/etc/network/interfaces b/testing/hosts/sun/etc/network/interfaces
new file mode 100644
index 000000000..841735af1
--- /dev/null
+++ b/testing/hosts/sun/etc/network/interfaces
@@ -0,0 +1,21 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 192.168.0.2
+ netmask 255.255.255.0
+ broadcast 192.168.0.255
+ gateway 192.168.0.254
+iface eth0 inet6 static
+ address fec0::2
+ netmask 16
+
+auto eth1
+iface eth1 inet static
+ address 10.2.0.1
+ netmask 255.255.0.0
+ broadcast 10.2.255.255
+iface eth1 inet6 static
+ address fec2::1
+ netmask 16
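Review bot: The inet6 stanzas use `fec0::2` and `fec2::1`, which lie in the site-local range fec0::/10 that RFC 3879 deprecated. If the test-bed can be renumbered, unique local addresses (fd00::/8) are the replacement; otherwise a comment should state that the range is kept on purpose. The file also has no header, so a reader cannot tell that eth0 carries the address ipsec.conf uses as `left=` and that eth1 sits inside `leftsubnet=10.2.0.0/16`. I would add `# eth0: tunnel endpoint, see left= in ipsec.conf` above `auto eth0` and `# eth1: protected subnet, see leftsubnet= in ipsec.conf` above `auto eth1`.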
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth0 b/testing/hosts/sun/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth1 b/testing/hosts/sun/etc/runlevels/default/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/runlevels/default/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/venus/etc/conf.d/hostname b/testing/hosts/venus/etc/conf.d/hostname
deleted file mode 100644
index c9e3dd1d4..000000000
--- a/testing/hosts/venus/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=venus
diff --git a/testing/hosts/venus/etc/conf.d/net b/testing/hosts/venus/etc/conf.d/net
deleted file mode 100644
index 43ec97807..000000000
--- a/testing/hosts/venus/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_VENUS broadcast 10.1.255.255 netmask 255.255.0.0"
- "PH_IP6_VENUS/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_MOON1" )
diff --git a/testing/hosts/venus/etc/hostname b/testing/hosts/venus/etc/hostname
new file mode 100644
index 000000000..acf16d8be
--- /dev/null
+++ b/testing/hosts/venus/etc/hostname
@@ -0,0 +1 @@
+venus
diff --git a/testing/hosts/venus/etc/init.d/iptables b/testing/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 1097ac5a4..000000000
--- a/testing/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/hosts/venus/etc/init.d/net.eth0 b/testing/hosts/venus/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/venus/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
index dd6a82f89..e4604cb44 100755..100644
--- a/testing/hosts/venus/etc/ipsec.conf
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -13,7 +13,7 @@ conn nat-t
leftcert=venusCert.pem
leftid=@venus.strongswan.org
leftfirewall=yes
- right=PH_IP_SUN
+ right=192.168.0.2
rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add
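Review bot: The literal `right=192.168.0.2` in conn nat-t no longer says which host it points at now that the PH_IP_SUN placeholder is gone. The neighbouring `rightid=@sun.strongswan.org` suggests it is sun's address, but sun's own interface configuration is not part of this hunk, so the two values can drift apart unnoticed until the scenario fails to connect. A comment line above it, for example `# sun.strongswan.org; keep in sync with the address configured on sun`, would keep that link visible. The conn section begins above the hunk.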
diff --git a/testing/hosts/venus/etc/network/interfaces b/testing/hosts/venus/etc/network/interfaces
new file mode 100644
index 000000000..9cbae6041
--- /dev/null
+++ b/testing/hosts/venus/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 10.1.0.20
+ netmask 255.255.0.0
+ broadcast 10.1.255.255
+ gateway 10.1.0.1
+iface eth0 inet6 static
+ address fec1::20
+ netmask 16
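Review bot: The inet6 stanza puts eth0 on `fec1::20` with `netmask 16`, which lies in fec0::/10, the site-local range deprecated by RFC 3879. If the rest of the test network uses the same plan (not visible here), renumbering is out of scope, but the file should say so with a comment such as `# fec1::/16: internal test network, deprecated site-local space, never routed outside the testbed`. The IPv4 stanza sets a `gateway` and the IPv6 one does not; if that is intentional, a short `# no IPv6 default route on purpose` would save the next reader from guessing.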
diff --git a/testing/hosts/venus/etc/runlevels/default/net.eth0 b/testing/hosts/venus/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/venus/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
new file mode 100644
index 000000000..6f5f3011c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
@@ -0,0 +1 @@
+AddType text/plain .iptables .log .sql
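Review bot: `AddType text/plain .iptables .log .sql` sits in conf.d with no enclosing container, so it presumably applies to every file with those suffixes that this Apache instance serves, not only the test results the file name refers to. Wrapping it as `<Directory "RESULTS_DIR_PLACEHOLDER">`, the AddType line, `</Directory>` (the results path is not shown on this page) would limit the override to that tree. Logs and SQL dumps can contain strings produced by the test peers, so forcing text/plain is the right direction; adding `Header always set X-Content-Type-Options "nosniff"` in the same container (requires mod_headers) stops browsers from re-interpreting such a file as HTML.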
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
deleted file mode 100644
index 0de3b268d..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
-X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
-FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
-4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
-7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
-gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
------END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
deleted file mode 100644
index 956c217d9..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l
-dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ
-F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa
-r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26
-sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk
-wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H
-AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV
-HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm
-MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
-IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud
-HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh
-bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG
-6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw
-p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc
-yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln
-JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw
-4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow=
------END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
deleted file mode 100644
index 727027188..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqX
-uh16Ahe3S5vZF56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/
-u7BlyqpBUtLar14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRB
-K2gQGBUULo26sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqV
-jlKyqG7vdggkwW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3Mu
-OP3FNHIRMd2HAcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABAoIBACYiWrCgl8B/c4Lz
-Uay4Tlm8hvQ/zQJjY3v93EXwbB21hBV8qrYlt9zGfHqj+5q2vsbB9c0pzdO2VDba
-EWueS2fUIWhglEG5VCebrztNCldx2O7jo9bMk8iBt+oLNaJunSK7ACeYHHGcE7dF
-KZh1eyd7z4+SMBWZqmhO5ZisasQoHCusVGepcyyMGQNkc3XKJ6resGAsOqrOoq7Q
-C4vO5Kkbnk8nnEGmQ/ldD8LwIyq1hzVLDiiqWXZgh6S5l4BEo7Dy3KYrZoZfVcZK
-GMVhAI2+uA1ZqY9twpwryT6VZ3eK4DXF/COQntiBW5pLOpaqTOnKqiVmZFwfbo3u
-cq8n5jkCgYEA5zgzRLifbM0q34c2HX8pTegh+BH7MGCxtcoU2uRPaXiGkqQObHI9
-aItrgUQp+pAmKSBnEWJKgKsOh2Uf5ogjIeNuruGG/AXw/Pw2ORHNueenhDuhu69T
-E2I4yxT3PPYbdzJ4ylBElfgm9WTrv7Wi7wSSfgQ6rEFdWukXa5vvsqMCgYEA1K+q
-m1Jv9MGVIVc6MxhuOOj2Ym+qcWt/Pjvg78rR8SRsKwHlGTuv1rdWUSXYDr3f2Nf7
-6DdbJtaSx5f8gY/UG34yGZx5FFbYV03vcCYBaLXsi/b6H7vb/VW74Y5g6bXqnprv
-4mcdVU7xfyNFgdbLPAP9sYVLijPYDwm0Qq3cz/8CgYBKSJz4BBR8AQI4JBl3qoXb
-mKtpJmW76iTN0amXlWgJ64XYkMptftpJvxj/w6V08WDBL77NL/XdlpcpWozAJJac
-6ZOCrcQPLd15eZH2Dck5Y7pG2l2gjbgz7wdt/0NbG3pBdj6mSNlwEPR7PDwdMD6z
-aZWi1LsA4lMaxO4YTVXZ3wKBgQCoFhTNH/+e/YawjNFQJFSn4WUnMn0Pmhc7xfLl
-T/NPkqtx6dN3d7ZmCQrMow33yJOqOje5tFXzgc0KtNE4S8Uj3T4XA5SlQGVFyjAa
-/85JRM2naA8RGVSpCCKuBeoNilnb8zL2SOvjyboN8oAyNuDzk2vh6ihjFsoASHkP
-4XwLXQKBgQC0k6rzt/plIwEiP56XXOqwOxJj6kuE/hx1zGIiGT6lWiOsih20Ym2T
-kYegVFvuDIWmSIAxGONWyee1lfnJbEuaHRixWQTnHUpqrU0FSnZTubnR3q/faZat
-hrvLDdpa0ydAKoMEn3qUPSrh3CdBfi3KTQAQn2Mlk7bGHh9ICWi3vA==
------END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf b/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
deleted file mode 100644
index 72b7e0ea4..000000000
--- a/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-# DefaultType: the default MIME type the server will use for a document
-# if it cannot otherwise determine one, such as from filename extensions.
-# If your server contains mostly text or HTML documents, "text/plain" is
-# a good value. If most of your content is binary, such as applications
-# or images, you may want to use "application/octet-stream" instead to
-# keep browsers from trying to display binary files as though they are
-# text.
-DefaultType text/plain
-
-<IfModule mime_module>
-# TypesConfig points to the file containing the list of mappings from
-# filename extension to MIME-type.
-TypesConfig /etc/mime.types
-
-# AddType allows you to add to or override the MIME configuration
-# file specified in TypesConfig for specific file types.
-#AddType application/x-gzip .tgz
-
-# AddEncoding allows you to have certain browsers uncompress
-# information on the fly. Note: Not all browsers support this.
-#AddEncoding x-compress .Z
-#AddEncoding x-gzip .gz .tgz
-
-# If the AddEncoding directives above are commented-out, then you
-# probably should define those extensions to indicate media types:
-AddType application/x-compress .Z
-AddType application/x-gzip .gz .tgz
-
-# AddHandler allows you to map certain file extensions to "handlers":
-# actions unrelated to filetype. These can be either built into the server
-# or added with the Action directive (see below)
-
-# To use CGI scripts outside of ScriptAliased directories:
-# (You will also need to add "ExecCGI" to the "Options" directive.)
-AddHandler cgi-script .cgi
-
-# For files that include their own HTTP headers:
-#AddHandler send-as-is asis
-
-# For server-parsed imagemap files:
-#AddHandler imap-file map
-
-# For type maps (negotiated resources):
-AddHandler type-map var
-
-# Filters allow you to process content before it is sent to the client.
-#
-# To parse .shtml files for server-side includes (SSI):
-# (You will also need to add "Includes" to the "Options" directive.)
-#AddType text/html .shtml
-#AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-<IfModule mime_magic_module>
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type. The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-MIMEMagicFile /etc/apache2/magic
-</IfModule>
-
-# vim: ts=4 filetype=apache
diff --git a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
index 9a32412db..b76080e37 100644
--- a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
@@ -2,6 +2,8 @@
Listen 8880
+AddHandler cgi-script .cgi
+
<VirtualHost *:8880>
ServerAdmin root@strongswan.org
DocumentRoot /etc/openssl/ocsp
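Review bot: `AddHandler cgi-script .cgi` is added above `<VirtualHost *:8880>`, so it applies at server scope to every vhost rather than only to the OCSP responder, carrying over the global directive from the deleted 00_mod_mime.conf. mod_mime's `AddHandler` also matches `.cgi` anywhere in a multi-extension file name, not just as the final extension, which matters wherever ExecCGI is enabled and files can be written by someone other than the administrator. Placing the mapping inside the vhost and matching only the last extension would be tighter: `<FilesMatch "\.cgi$">`, `SetHandler cgi-script`, `</FilesMatch>`. The vhost body continues outside this hunk, so whether ExecCGI is restricted to the OCSP directory cannot be confirmed from here.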
diff --git a/testing/hosts/winnetou/etc/conf.d/hostname b/testing/hosts/winnetou/etc/conf.d/hostname
deleted file mode 100644
index 1bfa5acbd..000000000
--- a/testing/hosts/winnetou/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=winnetou
diff --git a/testing/hosts/winnetou/etc/conf.d/net b/testing/hosts/winnetou/etc/conf.d/net
deleted file mode 100644
index 7fbc37014..000000000
--- a/testing/hosts/winnetou/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_WINNETOU broadcast 192.168.0.255 netmask 255.255.255.0"
- "PH_IP6_WINNETOU/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/winnetou/etc/conf.d/slapd b/testing/hosts/winnetou/etc/conf.d/slapd
deleted file mode 100644
index 8d9ac4787..000000000
--- a/testing/hosts/winnetou/etc/conf.d/slapd
+++ /dev/null
@@ -1,8 +0,0 @@
-# conf.d file for the openldap-2.1 series
-#
-# To enable both the standard unciphered server and the ssl encrypted
-# one uncomment this line or set any other server starting options
-# you may desire.
-#
-# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
-OPTS="-4"
diff --git a/testing/hosts/winnetou/etc/init.d/apache2 b/testing/hosts/winnetou/etc/init.d/apache2
deleted file mode 100755
index 5f72d3090..000000000
--- a/testing/hosts/winnetou/etc/init.d/apache2
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="configtest fullstatus graceful gracefulstop modules reload"
-
-depend() {
- need net
- use mysql dns logger netmount postgresql
- after sshd
-}
-
-configtest() {
- ebegin "Checking Apache Configuration"
- checkconfig
- eend $?
-}
-
-checkconfig() {
- SERVERROOT="${SERVERROOT:-/usr/lib/apache2}"
- if [ ! -d ${SERVERROOT} ]; then
- eerror "SERVERROOT does not exist: ${SERVERROOT}"
- return 1
- fi
-
- CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}"
- [ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}"
- if [ ! -r "${CONFIGFILE}" ]; then
- eerror "Unable to read configuration file: ${CONFIGFILE}"
- return 1
- fi
-
- APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
- APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
- [ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
-
- APACHE2="/usr/sbin/apache2"
-
- ${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1
- ret=$?
- if [ $ret -ne 0 ]; then
- eerror "Apache2 has detected a syntax error in your configuration files:"
- ${APACHE2} ${APACHE2_OPTS} -t
- fi
-
- return $ret
-}
-
-start() {
- checkconfig || return 1
- ebegin "Starting apache2"
- [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
-
- start-stop-daemon --start --exec ${APACHE2} -- ${APACHE2_OPTS} -k start
- eend $?
-}
-
-stop() {
- checkconfig || return 1
- ebegin "Stopping apache2"
- start-stop-daemon --stop --retry -TERM/5/-KILL/5 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
-}
-
-reload() {
- RELOAD_TYPE="${RELOAD_TYPE:-graceful}"
-
- checkconfig || return 1
- if [ "${RELOAD_TYPE}" = "restart" ]; then
- ebegin "Restarting apache2"
- start-stop-daemon --stop --oknodo --signal HUP --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
- elif [ "${RELOAD_TYPE}" = "graceful" ]; then
- ebegin "Gracefully restarting apache2"
- start-stop-daemon --stop --oknodo --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
- else
- eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. Please edit /etc/conf.d/apache2"
- fi
-}
-
-graceful() {
- checkconfig || return 1
- ebegin "Gracefully restarting apache2"
- start-stop-daemon --stop --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
-}
-
-gracefulstop() {
- checkconfig || return 1
-
- # zap!
- if service_started "${myservice}"; then
- mark_service_stopped "${myservice}"
- fi
-
- ebegin "Gracefully stopping apache2"
- # 28 is SIGWINCH
- start-stop-daemon --stop --signal 28 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
-}
-
-modules() {
- checkconfig || return 1
-
- ${APACHE2} ${APACHE2_OPTS} -M 2>&1
-}
-
-status() {
- LYNX="${LYNX:-lynx -dump}"
- STATUSURL="${STATUSURL:-http://localhost/server-status}"
-
- ${LYNX} ${STATUSURL} | awk ' /process$/ { print; exit } { print } '
-}
-
-fullstatus() {
- LYNX="${LYNX:-lynx -dump}"
- STATUSURL="${STATUSURL:-http://localhost/server-status}"
-
- ${LYNX} ${STATUSURL}
-}
diff --git a/testing/hosts/winnetou/etc/init.d/net.eth0 b/testing/hosts/winnetou/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/winnetou/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd
deleted file mode 100755
index d4c070b33..000000000
--- a/testing/hosts/winnetou/etc/init.d/slapd
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
-
-depend() {
- need net
-}
-
-start() {
- ebegin "Starting ldap-server"
- eval start-stop-daemon --start --quiet --pidfile /var/run/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
- eend $?
- if [ ! -e /var/lib/openldap-data/objectClass.bdb ]
- then
- sleep 5
- ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -w tuxmux -f /etc/openldap/ldif.txt
- fi
-}
-
-stop() {
- ebegin "Stopping ldap-server"
- start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/slapd.pid
- eend $?
-}
diff --git a/testing/hosts/winnetou/etc/openldap/ldif.txt b/testing/hosts/winnetou/etc/ldap/ldif.txt
index 3eca4d6c6..d06621adb 100644
--- a/testing/hosts/winnetou/etc/openldap/ldif.txt
+++ b/testing/hosts/winnetou/etc/ldap/ldif.txt
@@ -28,7 +28,7 @@ cACertificate;binary:< file:///etc/openssl/research/researchCert.der
dn: ou=Sales, o=Linux strongSwan, c=CH
objectclass: organizationalUnit
-ou: Sales
+ou: Sales
dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
objectClass: organizationalRole
@@ -37,4 +37,3 @@ objectClass: certificationAuthority
authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
-
diff --git a/testing/hosts/winnetou/etc/ldap/slapd.conf b/testing/hosts/winnetou/etc/ldap/slapd.conf
new file mode 100644
index 000000000..103d4573f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ldap/slapd.conf
@@ -0,0 +1,23 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+moduleload back_bdb.la
+
+include /etc/ldap/schema/core.schema
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database bdb
+suffix "o=Linux strongSwan,c=CH"
+rootdn "cn=Manager,o=Linux strongSwan,c=CH"
+checkpoint 32 30
+rootpw tuxmux
+directory /var/lib/ldap
+index objectClass eq
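Review bot: `rootpw tuxmux` keeps the rootdn password in cleartext in a file that is added with mode 100644, while the file's own header says it should NOT be world readable. The trimmed file also drops the removed version's pointer to slappasswd(8) and its note that, with no `access` directives, the default policy lets anyone read everything. If this credential is meant only for the test lab, say so next to it, e.g. `# test-lab credential only; generate a hashed rootpw with slappasswd(8) for any other use`, and consider committing the file without world-read permission so it matches the header.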
diff --git a/testing/hosts/winnetou/etc/network/interfaces b/testing/hosts/winnetou/etc/network/interfaces
new file mode 100644
index 000000000..7bfb6a9f2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address 192.168.0.150
+ netmask 255.255.255.0
+ broadcast 192.168.0.255
+ gateway 192.168.0.254
+iface eth0 inet6 static
+ address fec0::15
+ netmask 16
diff --git a/testing/hosts/winnetou/etc/openldap/slapd.conf b/testing/hosts/winnetou/etc/openldap/slapd.conf
deleted file mode 100644
index 5a99f955d..000000000
--- a/testing/hosts/winnetou/etc/openldap/slapd.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include /etc/openldap/schema/core.schema
-
-# Define global ACLs to disable default read access.
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral ldap://root.openldap.org
-
-pidfile /var/run/openldap/slapd.pid
-argsfile /var/run/openldap/slapd.args
-
-# Load dynamic backend modules:
-# modulepath /usr/lib/openldap/openldap
-# moduleload back_bdb.la
-# moduleload back_ldap.la
-# moduleload back_ldbm.la
-# moduleload back_passwd.la
-# moduleload back_shell.la
-
-# Sample security restrictions
-# Require integrity protection (prevent hijacking)
-# Require 112-bit (3DES or better) encryption for updates
-# Require 63-bit encryption for simple bind
-# security ssf=1 update_ssf=112 simple_bind=64
-
-# Sample access control policy:
-# Root DSE: allow anyone to read it
-# Subschema (sub)entry DSE: allow anyone to read it
-# Other DSEs:
-# Allow self write access
-# Allow authenticated users read access
-# Allow anonymous users to authenticate
-# Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-# by self write
-# by users read
-# by anonymous auth
-#
-# if no access controls are present, the default policy
-# allows anyone and everyone to read anything but restricts
-# updates to rootdn. (e.g., "access to * by * read")
-#
-# rootdn can always read and write EVERYTHING!
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database bdb
-suffix "o=Linux strongSwan,c=CH"
-rootdn "cn=Manager,o=Linux strongSwan,c=CH"
-checkpoint 32 30 # <kbyte> <min>
-# Cleartext passwords, especially for the rootdn, should
-# be avoid. See slappasswd(8) and slapd.conf(5) for details.
-# Use of strong authentication encouraged.
-rootpw tuxmux
-# The database directory MUST exist prior to running slapd AND
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-directory /var/lib/openldap-data
-# Indices to maintain
-index objectClass eq
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 60e53a0a4..839816bf5 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -16,30 +16,32 @@
export COMMON_NAME=strongSwan
+ROOT=/var/www
+
cd /etc/openssl
openssl ca -gencrl -crldays 30 -config /etc/openssl/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan.crl
-cp strongswan.crl /var/www/localhost/htdocs/
-cp strongswanCert.pem /var/www/localhost/htdocs/
-cp index.html /var/www/localhost/htdocs/
+cp strongswan.crl ${ROOT}
+cp strongswanCert.pem ${ROOT}
+cp index.html ${ROOT}
cd /etc/openssl/research
openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out research.crl
-cp research.crl /var/www/localhost/htdocs/
+cp research.crl ${ROOT}
cd /etc/openssl/sales
openssl ca -gencrl -crldays 15 -config /etc/openssl/sales/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out sales.crl
-cp sales.crl /var/www/localhost/htdocs/
+cp sales.crl ${ROOT}
cd /etc/openssl/ecdsa
openssl ca -gencrl -crldays 15 -config /etc/openssl/ecdsa/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan_ec.crl
-cp strongswan_ec.crl /var/www/localhost/htdocs/
+cp strongswan_ec.crl ${ROOT}
cd /etc/openssl/monster
openssl ca -gencrl -crldays 15 -config /etc/openssl/monster/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan-monster.crl
-cp strongswan-monster.crl /var/www/localhost/htdocs/
+cp strongswan-monster.crl ${ROOT}
cd /etc/openssl/rfc3779
openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
-cp strongswan_rfc3779.crl /var/www/localhost/htdocs/
+cp strongswan_rfc3779.crl ${ROOT}
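Review bot: The new `cp … ${ROOT}` lines expand ROOT unquoted and without a trailing slash, so if /var/www is missing on the host each cp quietly creates or overwrites a regular file named /var/www instead of failing; `cp strongswan.crl "${ROOT}/"` turns that into an error. Nothing in the hunk checks the result of `cd` or `openssl ca -gencrl` before the copy, so a failed generation would republish the previous CRL as if it were fresh. The script's first 15 lines are outside the hunk, so a `set -e` may already cover this. If not, guarding each step (`cd /etc/openssl/research || exit 1`) makes a failed CRL refresh visible instead of silent.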
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
index 1641768ae..8cbb2c482 100644
--- a/testing/hosts/winnetou/etc/openssl/index.html
+++ b/testing/hosts/winnetou/etc/openssl/index.html
@@ -20,10 +20,10 @@
</li>
</ul>
- <h2>strongSwan UML Testing Environment</h2>
+ <h2>strongSwan Testing Environment</h2>
<ul>
<li>
- <a href="testresults/">UML Test Results</a>
+ <a href="testresults/">Test Results</a>
</li>
</ul>
<a href="images/umlArchitecture_large.png" target="_blank">
diff --git a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index cb585ed08..a62fe16bd 100755
--- a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
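Review bot: The `cat |` and `| cat` added around `openssl ocsp` have no comment, and they read like a useless use of cat that a later cleanup would remove. Presumably they are there so that /dev/stdin and /dev/stdout are pipes the responder can open in the new test environment; that is inferred, so please state the actual reason in a comment such as `# cat on both ends gives openssl pipes for /dev/stdin and /dev/stdout`. The pipeline also reports the trailing cat's status, so a failing responder now exits 0 with an empty body after the Content-type header has been sent. The same applies to the research/ocsp/ocsp.cgi and sales/ocsp/ocsp.cgi hunks below.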
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
index c193e8779..32405f81c 100755
--- a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl/research
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
index c53cb9a76..74a2aebc2 100755
--- a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl/sales
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/runlevels/default/apache2 b/testing/hosts/winnetou/etc/runlevels/default/apache2
deleted file mode 100755
index 5f72d3090..000000000
--- a/testing/hosts/winnetou/etc/runlevels/default/apache2
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="configtest fullstatus graceful gracefulstop modules reload"
-
-depend() {
- need net
- use mysql dns logger netmount postgresql
- after sshd
-}
-
-configtest() {
- ebegin "Checking Apache Configuration"
- checkconfig
- eend $?
-}
-
-checkconfig() {
- SERVERROOT="${SERVERROOT:-/usr/lib/apache2}"
- if [ ! -d ${SERVERROOT} ]; then
- eerror "SERVERROOT does not exist: ${SERVERROOT}"
- return 1
- fi
-
- CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}"
- [ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}"
- if [ ! -r "${CONFIGFILE}" ]; then
- eerror "Unable to read configuration file: ${CONFIGFILE}"
- return 1
- fi
-
- APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
- APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
- [ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
-
- APACHE2="/usr/sbin/apache2"
-
- ${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1
- ret=$?
- if [ $ret -ne 0 ]; then
- eerror "Apache2 has detected a syntax error in your configuration files:"
- ${APACHE2} ${APACHE2_OPTS} -t
- fi
-
- return $ret
-}
-
-start() {
- checkconfig || return 1
- ebegin "Starting apache2"
- [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
-
- start-stop-daemon --start --exec ${APACHE2} -- ${APACHE2_OPTS} -k start
- eend $?
-}
-
-stop() {
- checkconfig || return 1
- ebegin "Stopping apache2"
- start-stop-daemon --stop --retry -TERM/5/-KILL/5 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
-}
-
-reload() {
- RELOAD_TYPE="${RELOAD_TYPE:-graceful}"
-
- checkconfig || return 1
- if [ "${RELOAD_TYPE}" = "restart" ]; then
- ebegin "Restarting apache2"
- start-stop-daemon --stop --oknodo --signal HUP --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
- elif [ "${RELOAD_TYPE}" = "graceful" ]; then
- ebegin "Gracefully restarting apache2"
- start-stop-daemon --stop --oknodo --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
- else
- eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. Please edit /etc/conf.d/apache2"
- fi
-}
-
-graceful() {
- checkconfig || return 1
- ebegin "Gracefully restarting apache2"
- start-stop-daemon --stop --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
-}
-
-gracefulstop() {
- checkconfig || return 1
-
- # zap!
- if service_started "${myservice}"; then
- mark_service_stopped "${myservice}"
- fi
-
- ebegin "Gracefully stopping apache2"
- # 28 is SIGWINCH
- start-stop-daemon --stop --signal 28 --exec ${APACHE2} --pidfile /var/run/apache2.pid
- eend $?
-}
-
-modules() {
- checkconfig || return 1
-
- ${APACHE2} ${APACHE2_OPTS} -M 2>&1
-}
-
-status() {
- LYNX="${LYNX:-lynx -dump}"
- STATUSURL="${STATUSURL:-http://localhost/server-status}"
-
- ${LYNX} ${STATUSURL} | awk ' /process$/ { print; exit } { print } '
-}
-
-fullstatus() {
- LYNX="${LYNX:-lynx -dump}"
- STATUSURL="${STATUSURL:-http://localhost/server-status}"
-
- ${LYNX} ${STATUSURL}
-}
diff --git a/testing/hosts/winnetou/etc/runlevels/default/net.eth0 b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/winnetou/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
- need localmount
- after bootmisc hostname
- use isapnp isdn pcmcia usb wlan
-
- # Load any custom depend functions for the given interface
- # For example, br0 may need eth0 and eth1
- local iface="${SVCNAME#*.}"
- [[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
- if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
- after net.lo net.lo0
-
- # Support new style RC_NEED and RC_USE in one net file
- local x="RC_NEED_${iface}"
- [[ -n ${!x} ]] && need ${!x}
- x="RC_USE_${iface}"
- [[ -n ${!x} ]] && use ${!x}
- fi
-
- return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
- eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
- eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
- eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
- # We deliberately misspell this as _installed will probably be used
- # at some point
- eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
- eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
- eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
- eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
- [[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
- local dev="${1%%.*}"
- [[ ${dev} == "$1" ]] && dev="${1%%:*}"
- echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
- echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
- local iface="$1" metric="$2"
-
- # Have we already got a metric?
- local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
- /proc/net/route)
- if [[ -n ${m} ]] ; then
- echo "${m}"
- return 0
- fi
-
- local i= dest= gw= flags= ref= u= m= mtu= metrics=
- while read i dest gw flags ref u m mtu ; do
- # Ignore lo
- is_loopback "${i}" && continue
- # We work out metrics from default routes only
- [[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
- metrics="${metrics}\n${m}"
- done < /proc/net/route
-
- # Now, sort our metrics
- metrics=$(echo -e "${metrics}" | sort -n)
-
- # Now, find the lowest we can use
- local gotbase=false
- for m in ${metrics} ; do
- [[ ${m} -lt ${metric} ]] && continue
- [[ ${m} == ${metric} ]] && ((metric++))
- [[ ${m} -gt ${metric} ]] && break
- done
-
- echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
- local binary= i= bin=
-
- for i in ${1//./ }; do
- bin=""
- while [[ ${i} != "0" ]] ; do
- bin=$[${i}%2]${bin}
- (( i=i>>1 ))
- done
- binary="${binary}${bin}"
- done
- binary="${binary%%0*}"
- echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
- [[ -z $1 ]] && return 1
- [[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
- local i=
-
- is_function "${2}_depend" && return
-
- for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
- eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
- done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
- local x=$(eval echo ${@// /_})
- local -a a=( ${x} )
-
- a=( "${a[@]/#/\"}" )
- a=( "${a[@]/%/\"}" )
- echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
- local iface="$1" option1="$2" option2="$3"
-
- local mod= func= x= i=
- local -a ivars=() ovars1=() ovars2=()
- local ifvar=$(bash_variable "${iface}")
-
- for mod in ${MODULES[@]}; do
- is_function ${mod}_variables || continue
- for v in $(${mod}_variables) ; do
- x=
- [[ -n ${option2} ]] && x="${v}_${option2}[@]"
- [[ -z ${!x} ]] && x="${v}_${option1}[@]"
- [[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
- done
- done
-
- return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
- local f="$1.sh" MODULE="${1##*/}"
-
- if [[ ! -f ${f} ]] ; then
- eerror "${f} does not exist"
- return 1
- fi
-
- if ! source "${f}" ; then
- eerror "${MODULE} failed a sanity check"
- return 1
- fi
-
- for f in depend; do
- is_function "${MODULE}_${f}" && continue
- eerror "${MODULE}.sh does not support the required function ${f}"
- return 1
- done
-
- return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
- local i j inst
-
- # Populate the MODULES array
- # Basically we treat evey file in ${MODULES_DIR} as a module
- MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
- [[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
- done
- MODULES=( "${MODULES[@]}" )
-
- # Each of these sources into the global namespace, so it's
- # important that module functions and variables are prefixed with
- # the module name, for example iproute2_
-
- j="${#MODULES[@]}"
- loaded_interface=false
- for (( i=0; i<j; i++ )); do
- MODULES[i]="${MODULES[i]%.sh*}"
- if [[ ${MODULES[i]##*/} == "interface" ]] ; then
- eerror "interface is a reserved name - cannot load a module called interface"
- return 1
- fi
-
- (
- u=0;
- module_load_minimum "${MODULES[i]}" || u=1;
- if [[ ${u} == 0 ]] ; then
- inst="${MODULES[i]##*/}_check_installed";
- if is_function "${inst}" ; then
- ${inst} false || u=1;
- fi
- fi
- exit "${u}";
- )
-
- if [[ $? == 0 ]] ; then
- source "${MODULES[i]}.sh"
- MODULES[i]="${MODULES[i]##*/}"
- else
- unset MODULES[i]
- fi
- done
-
- MODULES=( "${MODULES[@]}" )
- return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
- local i j missingdeps nmods="${#MODULES[@]}"
-
- for (( i=0; i<nmods; i++ )); do
- is_function "${MODULES[i]}_instlled" || continue
- for j in $( ${MODULES[i]}_instlled ); do
- missingdeps=true
- if is_function "${j}_check_installed" ; then
- ${j}_check_installed && missingdeps=false
- elif is_function "${j}_depend" ; then
- missingdeps=false
- fi
- ${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
- local iface="$1" ifvar=$(bash_variable "${IFACE}")
- local i= j= k= l= nmods="${#MODULES[@]}"
- local -a umods=()
-
- # Has the interface got any specific modules?
- umods="modules_${ifvar}[@]"
- umods=( "${!umods}" )
-
- # Global setting follows interface-specific setting
- umods=( "${umods[@]}" "${modules[@]}" )
-
- # Add our preferred modules
- local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
- umods=( "${umods[@]}" "${pmods[@]}" )
-
- # First we strip any modules that conflict from user settings
- # So if the user specifies pump then we don't use dhcpcd
- for (( i=0; i<${#umods[@]}; i++ )); do
- # Some users will inevitably put "dhcp" in their modules
- # list. To keep users from screwing up their system this
- # way, ignore this setting so that the default dhcp
- # module will be used.
- [[ ${umods[i]} == "dhcp" ]] && continue
-
- # We remove any modules we explicitly don't want
- if [[ ${umods[i]} == "!"* ]] ; then
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${umods[i]:1} == "${MODULES[j]}" \
- || ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
- # We may need to setup a class wrapper for it even though
- # we don't use it directly
- # However, we put it into an array and wrap later as
- # another module may provide the same thing
- ${MODULES[j]}_check_installed \
- && WRAP_MODULES=(
- "${WRAP_MODULES[@]}"
- "${MODULES[j]} ${PROVIDES[j]}"
- )
- unset MODULES[j]
- unset PROVIDES[j]
- fi
- done
- continue
- fi
-
- if ! is_function "${umods[i]}_depend" ; then
- # If the module is one of our preferred modules, then
- # ignore this error; whatever is available will be
- # used instead.
- (( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
- # The function may not exist because the modules software is
- # not installed. Load the module and report its error
- if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
- source "${MODULES_DIR}/${umods[i]}.sh"
- is_function "${umods[i]}_check_installed" \
- && ${umods[i]}_check_installed true
- else
- eerror "The module \"${umods[i]}\" does not exist"
- fi
- return 1
- fi
-
- if is_function "${umods[i]}_provide" ; then
- mod=$(${umods[i]}_provide)
- else
- mod="${umods[i]}"
- fi
- for (( j=0; j<nmods; j++ )); do
- [[ -z ${MODULES[j]} ]] && continue
- if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
- # We don't have a match - now ensure that we still provide an
- # alternative. This is to handle our preferred modules.
- for (( l=0; l<nmods; l++ )); do
- [[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
- if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
- unset MODULES[j]
- unset PROVIDES[j]
- break
- fi
- done
- fi
- done
- done
-
- # Then we strip conflicting modules.
- # We only need to do this for 3rd party modules that conflict with
- # our own modules and the preferred list AND the user modules
- # list doesn't specify a preference.
- for (( i=0; i<nmods-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( j=i+1; j<nmods; j++)); do
- [[ -z ${MODULES[j]} ]] && continue
- [[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
- && unset MODULES[j] && unset PROVIDES[j]
- done
- done
-
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
- local i= j= nmods=${#MODULES[@]} m=
- local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
- # Make our provide list
- for ((i=0; i<nmods; i++)); do
- dead[i]="false"
- if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
- local provided=false
- for ((j=0; j<${#provide[@]}; j++)); do
- if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
- provide_list[j]="${provide_list[j]} ${MODULES[i]}"
- provided=true
- fi
- done
- if ! ${provided}; then
- provide[j]="${PROVIDES[i]}"
- provide_list[j]="${MODULES[i]}"
- fi
- fi
- done
-
- # Create an after array, which holds which modules the module at
- # index i must be after
- for ((i=0; i<nmods; i++)); do
- if is_function "${MODULES[i]}_after" ; then
- after[i]=" ${after[i]} $(${MODULES[i]}_after) "
- fi
- if is_function "${MODULES[i]}_before" ; then
- for m in $(${MODULES[i]}_before); do
- for ((j=0; j<nmods; j++)) ; do
- if [[ ${PROVIDES[j]} == "${m}" ]] ; then
- after[j]=" ${after[j]} ${MODULES[i]} "
- break
- fi
- done
- done
- fi
- done
-
- # Replace the after list modules with real modules
- for ((i=0; i<nmods; i++)); do
- if [[ -n ${after[i]} ]] ; then
- for ((j=0; j<${#provide[@]}; j++)); do
- after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
- done
- fi
- done
-
- # We then use the below code to provide a topologial sort
- module_after_visit() {
- local name="$1" i= x=
-
- for ((i=0; i<nmods; i++)); do
- [[ ${MODULES[i]} == "$1" ]] && break
- done
-
- ${dead[i]} && return
- dead[i]="true"
-
- for x in ${after[i]} ; do
- module_after_visit "${x}"
- done
-
- sorted=( "${sorted[@]}" "${MODULES[i]}" )
- sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
- }
-
- for x in ${MODULES[@]}; do
- module_after_visit "${x}"
- done
-
- MODULES=( "${sorted[@]}" )
- PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
- local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
- local missingdeps= p= interface=false
-
- for (( i=0; i<nmods; i++ )); do
- if is_function "${MODULES[i]}_need" ; then
- for needmod in $(${MODULES[i]}_need); do
- missingdeps=true
- for (( j=0; j<nmods; j++ )); do
- if [[ ${needmod} == "${MODULES[j]}" \
- || ${needmod} == "${PROVIDES[j]}" ]] ; then
- missingdeps=false
- break
- fi
- done
- if ${missingdeps} ; then
- eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
- return 1
- fi
- done
- fi
-
- if is_function "${MODULES[i]}_functions" ; then
- for f in $(${MODULES[i]}_functions); do
- if ! is_function "${f}" ; then
- eerror "${MODULES[i]}: missing required function \"${f}\""
- return 1
- fi
- done
- fi
-
- [[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
- if ${showprovides} ; then
- [[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
- && veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
- fi
- done
-
- if ! ${interface} ; then
- eerror "no interface module has been loaded"
- return 1
- fi
-
- return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load() {
- local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
- local -a x=()
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a PROVIDES=() WRAP_MODULES=()
-
- if ! is_loopback "${iface}" ; then
- x="modules_force_${iface}[@]"
- [[ -n ${!x} ]] && modules_force=( "${!x}" )
- if [[ -n ${modules_force} ]] ; then
- ewarn "WARNING: You are forcing modules!"
- ewarn "Do not complain or file bugs if things start breaking"
- report=true
- fi
- fi
-
- veinfo "Loading networking modules for ${iface}"
- eindent
-
- if [[ -z ${modules_force} ]] ; then
- modules_load_auto || return 1
- else
- j="${#modules_force[@]}"
- for (( i=0; i<j; i++ )); do
- module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
- if is_function "${modules_force[i]}_check_installed" ; then
- ${modules_force[i]}_check_installed || unset modules_force[i]
- fi
- done
- MODULES=( "${modules_force[@]}" )
- fi
-
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- # Now load our dependencies - we need to use the MODULE variable
- # here as the after/before/need functions use it
- MODULE="${MODULES[i]}"
- ${MODULE}_depend
-
- # expose does exactly the same thing as depend
- # However it is more "correct" as it exposes things to other modules
- # instead of depending on them ;)
- is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
- # If no provide is given, assume module name
- if is_function "${MODULES[i]}_provide" ; then
- PROVIDES[i]=$(${MODULES[i]}_provide)
- else
- PROVIDES[i]="${MODULES[i]}"
- fi
- done
-
- if [[ -n ${modules_force[@]} ]] ; then
- # Strip any duplicate modules providing the same thing
- j="${#MODULES[@]}"
- for (( i=0; i<j-1; i++ )); do
- [[ -z ${MODULES[i]} ]] && continue
- for (( k=i+1; k<j; k++ )); do
- if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
- unset MODULES[k]
- unset PROVIDES[k]
- fi
- done
- done
- MODULES=( "${MODULES[@]}" )
- PROVIDES=( "${PROVIDES[@]}" )
- else
- if ${starting}; then
- modules_check_user "${iface}" || return 1
- else
- # Always prefer iproute2 for taking down interfaces
- if is_function iproute2_provide ; then
- function_wrap iproute2 "$(iproute2_provide)"
- fi
- fi
- fi
-
- # Wrap our modules
- j="${#MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
- done
- j="${#WRAP_MODULES[@]}"
- for (( i=0; i<j; i++ )); do
- function_wrap ${WRAP_MODULES[i]}
- done
-
- if [[ -z ${modules_force[@]} ]] ; then
- modules_check_installed || return 1
- modules_sort || return 1
- fi
-
- veinfo "modules: ${MODULES[@]}"
- eindent
-
- ${starting} && p=true
- modules_check_depends "${p}" || return 1
- return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start. It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1). VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
- local iface="$1" mod config_counter="-1" x config_worked=false
- local RC_INDENTATION="${RC_INDENTATION}"
- local -a config=() fallback=() fallback_route=() conf=() a=() b=()
- local ifvar=$(bash_variable "$1") i= j= metric=0
-
- # pre Start any modules with
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_start" ; then
- ${mod}_pre_start "${iface}" || { eend 1; return 1; }
- fi
- done
-
- x="metric_${ifvar}"
- # If we don't have a metric then calculate one
- # Our modules will set the metric variable to a suitable base
- # in their pre starts.
- if [[ -z ${!x} ]] ; then
- eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
- fi
-
- # We now expand the configuration parameters and pray that the
- # fallbacks expand to the same number as config or there will be
- # trouble!
- a="config_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- config=( "${config[@]}" "${b[@]}" )
- done
-
- a="fallback_${ifvar}[@]"
- a=( "${!a}" )
- for (( i=0; i<${#a[@]}; i++ )); do
- eval b=( $(expand_parameters "${a[i]}") )
- fallback=( "${fallback[@]}" "${b[@]}" )
- done
-
- # We don't expand routes
- fallback_route="fallback_route_${ifvar}[@]"
- fallback_route=( "${!fallback_route}" )
-
- # We must support old configs
- if [[ -z ${config} ]] ; then
- interface_get_old_config "${iface}" || return 1
- if [[ -n ${config} ]] ; then
- ewarn "You are using a deprecated configuration syntax for ${iface}"
- ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
- fi
- fi
-
- # Handle "noop" correctly
- if [[ ${config[0]} == "noop" ]] ; then
- if interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- return 0
- fi
-
- # Remove noop from the config var
- config=( "${config[@]:1}" )
- fi
-
- # Provide a default of DHCP if no configuration is set and we're auto
- # Otherwise a default of NULL
- if [[ -z ${config} ]] ; then
- ewarn "Configuration not set for ${iface} - assuming DHCP"
- if is_function "dhcp_start" ; then
- config=( "dhcp" )
- else
- eerror "No DHCP client installed"
- return 1
- fi
- fi
-
- einfo "Bringing up ${iface}"
- eindent
- for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
- # Handle null and noop correctly
- if [[ ${config[config_counter]} == "null" \
- || ${config[config_counter]} == "noop" ]] ; then
- eend 0
- config_worked=true
- continue
- fi
-
- # We convert it to an array - this has the added
- # bonus of trimming spaces!
- conf=( ${config[config_counter]} )
- einfo "${conf[0]}"
-
- # Do we have a function for our config?
- if is_function "${conf[0]}_start" ; then
- eindent
- ${conf[0]}_start "${iface}" ; x=$?
- eoutdent
- [[ ${x} == 0 ]] && config_worked=true && continue
- # We need to test to see if it's an IP address or a function
- # We do this by testing if the 1st character is a digit
- elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
- x="0"
- if ! is_loopback "${iface}" ; then
- if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
- if arping_address_exists "${iface}" "${conf[0]}" ; then
- eerror "${conf[0]%%/*} already taken on ${iface}"
- x="1"
- fi
- fi
- fi
- [[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
- eend "${x}" && config_worked=true && continue
- else
- if [[ ${conf[0]} == "dhcp" ]] ; then
- eerror "No DHCP client installed"
- else
- eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
- fi
- fi
-
- if [[ -n ${fallback[config_counter]} ]] ; then
- einfo "Trying fallback configuration"
- config[config_counter]="${fallback[config_counter]}"
- fallback[config_counter]=""
-
- # Do we have a fallback route?
- if [[ -n ${fallback_route[config_counter]} ]] ; then
- x="fallback_route[config_counter]"
- eval "routes_${ifvar}=( \"\${!x}\" )"
- fallback_route[config_counter]=""
- fi
-
- (( config_counter-- )) # since the loop will increment it
- continue
- fi
- done
- eoutdent
-
- # We return failure if no configuration parameters worked
- ${config_worked} || return 1
-
- # Start any modules with _post_start
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_post_start" ; then
- ${mod}_post_start "${iface}" || return 1
- fi
- done
-
- return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface. Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran. Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
- local iface="$1" i= aliases= need_begin=false mod=
- local RC_INDENTATION="${RC_INDENTATION}"
-
- # pre Stop any modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_pre_stop" ; then
- ${mod}_pre_stop "${iface}" || return 1
- fi
- done
-
- einfo "Bringing down ${iface}"
- eindent
-
- # Collect list of aliases for this interface.
- # List will be in reverse order.
- if interface_exists "${iface}" ; then
- aliases=$(interface_get_aliases_rev "${iface}")
- fi
-
- # Stop aliases before primary interface.
- # Note this must be done in reverse order, since ifconfig eth0:1
- # will remove eth0:2, etc. It might be sufficient to simply remove
- # the base interface but we're being safe here.
- for i in ${aliases} ${iface}; do
- # Stop all our modules
- for mod in ${MODULES[@]}; do
- if is_function "${mod}_stop" ; then
- ${mod}_stop "${i}" || return 1
- fi
- done
-
- # A module may have removed the interface
- if ! interface_exists "${iface}" ; then
- eend 0
- continue
- fi
-
- # We don't delete ppp assigned addresses
- if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
- # Delete all the addresses for this alias
- interface_del_addresses "${i}"
- fi
-
- # Do final shut down of this alias
- if [[ ${IN_BACKGROUND} != "true" \
- && ${RC_DOWN_INTERFACE} == "yes" ]] ; then
- ebegin "Shutting down ${i}"
- interface_iface_stop "${i}"
- eend "$?"
- fi
- done
-
- # post Stop any modules
- for mod in ${MODULES[@]}; do
- # We have already taken down the interface, so no need to error
- is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
- done
-
- return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}. Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
- local iface="$1" IFVAR=$(bash_variable "$1")
-
- # We do this so users can specify additional addresses for lo if they
- # need too - additional routes too
- # However, no extra modules are loaded as they are just not needed
- if [[ ${iface} == "lo" ]] ; then
- metric_lo="0"
- config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
- elif [[ ${iface} == "lo0" ]] ; then
- metric_lo0="0"
- config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
- routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
- fi
-
- # We may not have a loaded module for ${iface}
- # Some users may have "alias natsemi eth0" in /etc/modules.d/foo
- # so we can work with this
- # However, if they do the same with eth1 and try to start it
- # but eth0 has not been loaded then the module gets loaded as
- # eth0.
- # Not much we can do about this :(
- # Also, we cannot error here as some modules - such as bridge
- # create interfaces
- if ! interface_exists "${iface}" ; then
- /sbin/modprobe "${iface}" &>/dev/null
- fi
-
- # Call user-defined preup function if it exists
- if is_function preup ; then
- einfo "Running preup function"
- eindent
- ( preup "${iface}" )
- eend "$?" "preup ${iface} failed" || return 1
- eoutdent
- fi
-
- # If config is set to noop and the interface is up with an address
- # then we don't start it
- local config=
- config="config_${IFVAR}[@]"
- config=( "${!config}" )
- if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
- einfo "Keeping current configuration for ${iface}"
- eend 0
- else
- # Remove noop from the config var
- [[ ${config[0]} == "noop" ]] \
- && eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
- # There may be existing ip address info - so we strip it
- if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
- && ${IN_BACKGROUND} != "true" ]] ; then
- interface_del_addresses "${iface}"
- fi
-
- # Start the interface
- if ! iface_start "${iface}" ; then
- if [[ ${IN_BACKGROUND} != "true" ]] ; then
- interface_exists "${iface}" && interface_down "${iface}"
- fi
- eend 1
- return 1
- fi
- fi
-
- # Call user-defined postup function if it exists
- if is_function postup ; then
- # We need to mark the service as started incase a
- # postdown function wants to restart services that depend on us
- mark_service_started "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postup function"
- eindent
- ( postup "${iface}" )
- eoutdent
- fi
-
- return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}. If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
- local iface="$1" IFVAR=$(bash_variable "$1") x
-
- # Load our ESSID variable so users can use it in predown() instead
- # of having to write code.
- local ESSID=$(get_options ESSID) ESSIDVAR=
- [[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
- # Call user-defined predown function if it exists
- if is_function predown ; then
- einfo "Running predown function"
- eindent
- ( predown "${iface}" )
- eend $? "predown ${iface} failed" || return 1
- eoutdent
- elif is_net_fs / ; then
- eerror "root filesystem is network mounted -- can't stop ${iface}"
- return 1
- elif is_union_fs / ; then
- for x in $(unionctl "${dir}" --list \
- | sed -e 's/^\(.*\) .*/\1/') ; do
- if is_net_fs "${x}" ; then
- eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
- return 1
- fi
- done
- fi
-
- iface_stop "${iface}" || return 1 # always succeeds, btw
-
- # Release resolv.conf information.
- [[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-
- # Mark us as inactive if called from the background
- [[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
- # Call user-defined postdown function if it exists
- if is_function postdown ; then
- # We need to mark the service as stopped incase a
- # postdown function wants to restart services that depend on us
- [[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
- end_service "net.${iface}" 0
- einfo "Running postdown function"
- eindent
- ( postdown "${iface}" )
- eoutdent
- fi
-
-
- return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
- local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
- local starting=true
- local -a MODULES=() mods=()
- local IN_BACKGROUND="${IN_BACKGROUND}"
-
- if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
- IN_BACKGROUND=true
- else
- IN_BACKGROUND=false
- fi
-
- # We need to override the exit function as runscript.sh now checks
- # for it. We need it so we can mark the service as inactive ourselves.
- unset -f exit
-
- eindent
- [[ ${cmd} == "stop" ]] && starting=false
-
- # We force lo to only use these modules for a major speed boost
- if is_loopback "${iface}" ; then
- modules_force=( "iproute2" "ifconfig" "system" )
- fi
-
- if modules_load "${iface}" "${starting}" ; then
- if [[ ${cmd} == "stop" ]] ; then
- # Reverse the module list for stopping
- mods=( "${MODULES[@]}" )
- for ((i = 0; i < ${#mods[@]}; i++)); do
- MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
- done
-
- run_stop "${iface}" && r=0
- else
- # Only hotplug on ethernet interfaces
- if [[ ${IN_HOTPLUG} == 1 ]] ; then
- if ! interface_is_ethernet "${iface}" ; then
- eerror "We only hotplug for ethernet interfaces"
- return 1
- fi
- fi
-
- run_start "${iface}" && r=0
- fi
- fi
-
- if [[ ${r} != "0" ]] ; then
- if [[ ${cmd} == "start" ]] ; then
- # Call user-defined failup if it exists
- if is_function failup ; then
- einfo "Running failup function"
- eindent
- ( failup "${iface}" )
- eoutdent
- fi
- else
- # Call user-defined faildown if it exists
- if is_function faildown ; then
- einfo "Running faildown function"
- eindent
- ( faildown "${iface}" )
- eoutdent
- fi
- fi
- [[ ${IN_BACKGROUND} == "true" ]] \
- && mark_service_inactive "net.${iface}"
- fi
-
- return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Starting ${IFACE}"
- run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
- declare -r IFACE="${SVCNAME#*.}"
- einfo "Stopping ${IFACE}"
- run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/make-testing b/testing/make-testing
index 7cd3324e0..84ac20bf2 100755
--- a/testing/make-testing
+++ b/testing/make-testing
@@ -1,87 +1,27 @@
#!/bin/bash
-# Create the strongSwan UML testing environment
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-DIR=`dirname $0`
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
-source $DIR/scripts/function.sh
+rm -f $LOGFILE
+mkdir -p $BUILDDIR
-[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-##########################################################################
-# build the UML kernel based on a vanilla kernel form kernel.org
-# and a matching UML patch from user-mode-linux.sourceforge.net
-#
-if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
-then
- cecho "Building uml kernel (scripts/build-umlkernel)"
- $DIR/scripts/build-umlkernel
-fi
-
-##########################################################################
-# Adding the ssh RSA public keys to ~/.ssh/known_hosts
-#
-if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
-then
- cecho "Adding ssh public keys of the uml instances (scripts/build-sshkeys)"
- $DIR/scripts/build-sshkeys
-fi
-
-##########################################################################
-# copy the default UML host configurations to $BUILDDIR
-# and assign actual IP addresses to the UML hosts
-#
-if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
+if [ $ENABLE_BUILD_BASEIMAGE = "yes" ]
then
- cecho "Building host configurations (scripts/build-hostconfig)"
- $DIR/scripts/build-hostconfig
+ $DIR/scripts/build-baseimage || exit 1
fi
-##########################################################################
-# build a generic UML root file system based on a Gentoo root file system.
-# compile and install a specified strongSwan release into the file system.
-#
-if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
+if [ $ENABLE_BUILD_ROOTIMAGE = "yes" ]
then
- cecho "Building uml root file system with strongSwan (scripts/build-umlrootfs)"
- $DIR/scripts/build-umlrootfs
+ $DIR/scripts/build-rootimage || exit 1
fi
-##########################################################################
-# Creating the root filesystems for the specified UML instances
-#
-if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
+if [ $ENABLE_BUILD_GUESTKERNEL = "yes" ]
then
- cecho "Building uml host root file systems (scripts/build-umlhostfs)"
- $DIR/scripts/build-umlhostfs $HOSTS
+ $DIR/scripts/build-guestkernel || exit 1
fi
-##########################################################################
-# Start up the UML switches and designated UML instances
-#
-if [ $ENABLE_START_TESTING = "yes" ]
+if [ $ENABLE_BUILD_GUESTIMAGES = "yes" ]
then
- cecho "Starting the uml switches and instances (start-testing)"
- $DIR/start-testing $HOSTS
+ $DIR/scripts/build-guestimages $HOSTS || exit 1
fi
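Review bot: `$HOSTS` is still passed to `build-guestimages` in the last `if` block, but this hunk removes the block that assigned it from `$*` or `$STRONGSWANHOSTS`, so the argument is empty unless `testing.conf` happens to define it. The existence check for `testing.conf` is gone as well: if the `.` on the second added line fails, the script carries on and runs `rm -f $LOGFILE` and `mkdir -p $BUILDDIR` with empty, unquoted values. The build scripts it calls insist on root, so I would restore the guard and quote the paths, e.g. `[ -f "$DIR/testing.conf" ] || { echo "testing.conf not found" >&2; exit 1; }` before `. "$DIR/testing.conf"`. For the host list, either drop `$HOSTS` or reinstate `HOSTS=${*:-$STRONGSWANHOSTS}`.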
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
new file mode 100755
index 000000000..1355d7a05
--- /dev/null
+++ b/testing/scripts/build-baseimage
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+echo "Building base image"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
+
+# package includes/excludes
+INC=build-essential,gperf,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
+INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
+INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
+INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
+INC=$INC,less,acpid,acpi-support-base
+SERVICES="apache2 dbus isc-dhcp-server slapd"
+INC=$INC,${SERVICES// /,}
+EXC=iptables
+
+CACHEDIR=$BUILDDIR/cache
+APTCACHE=$LOOPDIR/var/cache/apt/archives
+
+mkdir -p $LOOPDIR
+mkdir -p $CACHEDIR
+mkdir -p $IMGDIR
+rm -f $BASEIMG
+
+echo "`date`, building $BASEIMG" >>$LOGFILE
+
+load_qemu_nbd
+
+log_action "Creating base image $BASEIMG"
+execute "qemu-img create -f $IMGEXT $BASEIMG ${BASEIMGSIZE}M"
+
+log_action "Connecting image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $BASEIMG"
+do_on_exit qemu-nbd -d $NBDEV
+
+log_action "Partitioning disk"
+sfdisk /dev/nbd0 -D -uM >>$LOGFILE 2>&1 << EOF
+;
+EOF
+if [ $? != 0 ]
+then
+ log_status 1
+ exit 1
+else
+ log_status 0
+fi
+partprobe $NBDEV
+
+log_action "Creating ext3 filesystem"
+execute "mkfs.ext3 $NBDPARTITION"
+
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit graceful_umount $LOOPDIR
+
+log_action "Using $CACHEDIR as archive for apt"
+mkdir -p $APTCACHE
+execute "mount -o bind $CACHEDIR $APTCACHE"
+do_on_exit graceful_umount $APTCACHE
+
+log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
+execute "debootstrap --arch=$BASEIMGARCH --include=$INC --exclude $EXC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+
+for service in $SERVICES
+do
+ log_action "Stopping service $service"
+ execute_chroot "/etc/init.d/$service stop"
+ log_action "Disabling service $service"
+ execute_chroot "update-rc.d -f $service remove"
+done
+
+log_action "Disabling root password"
+execute_chroot "passwd -d root"
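Review bot: The partitioning step writes to a hard-coded `/dev/nbd0`, although the image was attached to `$NBDEV` just above and `partprobe $NBDEV` follows. If the configuration (not shown here) sets `NBDEV` to any other device, `sfdisk` repartitions whatever is attached to nbd0, as root. Use the variable instead: `sfdisk "$NBDEV" -D -uM >>"$LOGFILE" 2>&1 << EOF`. Separately, the script ends with `passwd -d root` while `openssh-server` is in the include list, so the sshd configuration later copied into the guests decides whether a passwordless root login is reachable over the network. A comment such as `# test images only: root has no password, keep guests on isolated networks` would make that assumption explicit.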
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
new file mode 100755
index 000000000..f5669040e
--- /dev/null
+++ b/testing/scripts/build-guestimages
@@ -0,0 +1,65 @@
+#!/bin/bash
+# create specific guest images
+#
+# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+echo "Creating guest images"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+HOSTSDIR=$DIR/../hosts
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f $ROOTIMG ] || die "Root image $ROOTIMG not found"
+[ -f $HOSTDIR ] || die "Hosts directory $HOSTSDIR not found"
+
+check_commands partprobe qemu-img qemu-nbd
+
+load_qemu_nbd
+
+mkdir -p $IMGDIR
+mkdir -p $LOOPDIR
+
+# just to be sure
+do_on_exit qemu-nbd -d $NBDEV
+do_on_exit umount $LOOPDIR
+
+for host in $STRONGSWANHOSTS
+do
+ log_action "Creating guest image for $host"
+ execute "qemu-img create -b $ROOTIMG -f $IMGEXT $IMGDIR/$host.$IMGEXT" 0
+ execute "qemu-nbd -c $NBDEV $IMGDIR/$host.$IMGEXT" 0
+ partprobe $NBDEV
+ execute "mount $NBDPARTITION $LOOPDIR" 0
+ execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
+ execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
+ if [ "$host" = "winnetou" ]
+ then
+ execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
+ execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
+ execute_chroot "ln -s /etc/openssl/certs /var/www/certs" 0
+ execute_chroot "/etc/openssl/generate-crl" 0
+ execute_chroot "update-rc.d apache2 defaults" 0
+ execute_chroot "update-rc.d slapd defaults" 0
+ execute_chroot "rm -rf /var/lib/ldap/*" 0
+ execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
+ execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
+ fi
+ sync
+ execute "umount $LOOPDIR" 0
+ execute "qemu-nbd -d $NBDEV" 0
+ log_status 0
+done
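Review bot: The hosts-directory guard tests `$HOSTDIR`, but the variable assigned above is `HOSTSDIR`, and it uses `-f` on what is meant to be a directory. Unless `HOSTDIR` is defined in `testing.conf` or `function.sh` (neither is visible here), the unquoted expansion leaves `[ -f ]`, which evaluates true. The check then never fires, and a missing directory only surfaces later in the `cp -rf` calls against the mounted image. Suggested line: `[ -d "$HOSTSDIR" ] || die "Hosts directory $HOSTSDIR not found"`. The loop also iterates `$STRONGSWANHOSTS` and never reads its arguments, so the host list passed by `make-testing` is ignored.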
diff --git a/testing/scripts/build-guestkernel b/testing/scripts/build-guestkernel
new file mode 100755
index 000000000..66a9fe7a4
--- /dev/null
+++ b/testing/scripts/build-guestkernel
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+echo "Building guest kernel version $KERNELVERSION"
+
+[ -f "$KERNELCONFIG" ] || die "Kernel config $KERNELCONFIG not found"
+
+check_commands bunzip2 bzcat make wget
+
+cd $BUILDDIR
+
+if [ ! -f "$KERNELTARBALL" ]
+then
+ url=ftp://ftp.kernel.org/pub/linux/kernel/v3.x/$KERNELTARBALL
+ log_action "Downloading $url"
+ execute "wget -q $url"
+fi
+
+if [[ $KERNELPATCH && ! -f "$KERNELPATCH" ]]
+then
+ url=http://download.strongswan.org/uml/$KERNELPATCH
+ log_action "Downloading $url"
+ execute "wget -q $url"
+fi
+
+log_action "Unpacking kernel"
+execute "tar xjf $KERNELTARBALL"
+
+KERNELDIR=$BUILDDIR/$KERNEL
+cd $KERNELDIR
+
+if [ $KERNELPATCH ]
+then
+ log_action "Applying kernel patch"
+ bzcat ../$KERNELPATCH | patch -p1 >>$LOGFILE 2>&1
+ log_status $?
+ [ $? -eq 0 ] || exit 1
+fi
+
+execute "cp $KERNELCONFIG .config" 0
+
+echo "Creating kernel configuration, you might get prompted for new parameters"
+make oldconfig 2>&1 | tee -a $LOGFILE
+
+log_action "Compiling the kernel"
+execute "make -j5"
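Review bot: The kernel tarball and the optional patch are fetched with `wget -q` over plain `ftp://` and `http://`, then unpacked and compiled with no integrity check, so whatever the network returns is what gets built into the guest kernel. Verify each download against a digest pinned in testing.conf before `tar xjf`, e.g. `echo "$KERNEL_SHA256  $KERNELTARBALL" | sha256sum -c -` (`KERNEL_SHA256` is a placeholder name, not an existing setting), and use an HTTPS URL where the mirror offers one. Separately, in the patch step `[ $? -eq 0 ]` tests the exit status of `log_status` (which ends in a plain `echo`), not that of `patch`, so a failed patch does not stop the build. Capture the status first: `status=$?; log_status $status; [ $status -eq 0 ] || exit 1`.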
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
deleted file mode 100755
index 0ebbc5264..000000000
--- a/testing/scripts/build-hostconfig
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/bin/bash
-# build the hosts configuration directory with the actual IP addresses
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/../hosts ] || die "!! Directory 'hosts' not found"
-
-source $DIR/../testing.conf
-
-if [ ! -d $BUILDDIR ]
-then
- cecho " * Creating directory '$BUILDDIR'"
- mkdir $BUILDDIR
-fi
-
-########################################
-# copy default host configs to $BUILDDIR
-#
-
-HOSTCONFIGDIR=${BUILDDIR}/hosts
-
-if [ -d $HOSTCONFIGDIR ]
-then
- rm -r $HOSTCONFIGDIR
-fi
-
-mkdir $HOSTCONFIGDIR
-cp -rfp ${UMLTESTDIR}/testing/hosts $BUILDDIR
-
-cecho " * Copied default host config directory to '$HOSTCONFIGDIR'"
-
-########################################
-# assign IP for each host to hostname
-#
-
-cecho-n " * Generate default config for.."
-
-HOSTIP=`ifconfig eth0 |grep inet |sed -e "s/.*inet addr://" -e "s/ Bcast.*//"`
-
-for host in $STRONGSWANHOSTS
-do
- cecho-n "${host}.."
- eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-
- [ "`eval echo \\\$ipv4_${host}`" != "$HOSTIP" ] || die "$host has the same IP as eth0 (Host)! Please change that."
-
- case $host in
- moon)
- eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- [ "`eval echo \\\$ipv4_moon1`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
- searchandreplace PH_IP_MOON1 $ipv4_moon1 $HOSTCONFIGDIR
- searchandreplace PH_IP_MOON $ipv4_moon $HOSTCONFIGDIR
- eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP6_MOON1 $ipv6_moon1 $HOSTCONFIGDIR
- searchandreplace PH_IP6_MOON $ipv6_moon $HOSTCONFIGDIR
- ;;
- sun)
- eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- [ "`eval echo \\\$ipv4_sun1`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
- searchandreplace PH_IP_SUN1 $ipv4_sun1 $HOSTCONFIGDIR
- searchandreplace PH_IP_SUN $ipv4_sun $HOSTCONFIGDIR
- eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP6_SUN1 $ipv6_sun1 $HOSTCONFIGDIR
- searchandreplace PH_IP6_SUN $ipv6_sun $HOSTCONFIGDIR
- ;;
- alice)
- eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_ALICE1 $ipv4_alice1 $HOSTCONFIGDIR
- searchandreplace PH_IP_ALICE $ipv4_alice $HOSTCONFIGDIR
- eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP6_ALICE1 $ipv6_alice1 $HOSTCONFIGDIR
- searchandreplace PH_IP6_ALICE $ipv6_alice $HOSTCONFIGDIR
- ;;
- venus)
- searchandreplace PH_IP_VENUS $ipv4_venus $HOSTCONFIGDIR
- searchandreplace PH_IP6_VENUS $ipv6_venus $HOSTCONFIGDIR
- ;;
- bob)
- searchandreplace PH_IP_BOB $ipv4_bob $HOSTCONFIGDIR
- searchandreplace PH_IP6_BOB $ipv6_bob $HOSTCONFIGDIR
- ;;
- carol)
- eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_CAROL1 $ipv4_carol1 $HOSTCONFIGDIR
- searchandreplace PH_IP_CAROL $ipv4_carol $HOSTCONFIGDIR
- eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP6_CAROL1 $ipv6_carol1 $HOSTCONFIGDIR
- searchandreplace PH_IP6_CAROL $ipv6_carol $HOSTCONFIGDIR
- ;;
- dave)
- eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_DAVE1 $ipv4_dave1 $HOSTCONFIGDIR
- searchandreplace PH_IP_DAVE $ipv4_dave $HOSTCONFIGDIR
- eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP6_DAVE1 $ipv6_dave1 $HOSTCONFIGDIR
- searchandreplace PH_IP6_DAVE $ipv6_dave $HOSTCONFIGDIR
- ;;
- winnetou)
- searchandreplace PH_IP_WINNETOU $ipv4_winnetou $HOSTCONFIGDIR
- searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $HOSTCONFIGDIR
- ;;
- esac
-done
-
-cgecho "done"
diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage
new file mode 100755
index 000000000..8e10ce5f3
--- /dev/null
+++ b/testing/scripts/build-rootimage
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Create guest root image
+#
+# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+echo "Building root image"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f "$BASEIMG" ] || die "Base image $BASEIMG not found"
+
+check_commands partprobe qemu-img qemu-nbd
+
+load_qemu_nbd
+
+mkdir -p $LOOPDIR
+mkdir -p $SHAREDDIR/compile
+mkdir -p $IMGDIR
+
+log_action "Creating root image $ROOTIMG"
+execute "qemu-img create -b $BASEIMG -f $IMGEXT $ROOTIMG"
+
+log_action "Connecting root image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $ROOTIMG"
+do_on_exit qemu-nbd -d $NBDEV
+partprobe $NBDEV
+
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit umount $LOOPDIR
+
+log_action "Mounting proc filesystem to $LOOPDIR/proc"
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit umount $LOOPDIR/proc
+
+mkdir -p $LOOPDIR/root/shared
+log_action "Mounting $SHAREDDIR as /root/shared"
+execute "mount -o bind $SHAREDDIR $LOOPDIR/root/shared"
+do_on_exit umount $LOOPDIR/root/shared
+
+echo "Installing software from source"
+RECPDIR=$DIR/recipes
+RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
+execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
+for r in $RECIPES
+do
+ cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
+ log_action "Installing from recipe $r"
+ execute_chroot "make SWANVERSION=$SWANVERSION -C /root/shared/compile -f $r"
+done
+
+log_action "Removing /etc/resolv.conf"
+execute "rm -f $LOOPDIR/etc/resolv.conf"
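Review bot: `RECIPES` is built by parsing `ls` output, and the paths from testing.conf are expanded unquoted throughout a script that must run as root, so whitespace or glob characters in `RECPDIR`, `LOOPDIR` or `SHAREDDIR` change which files are copied, mounted or removed. Iterate over the glob itself, `for f in "$RECPDIR"/*.mk; do [ -e "$f" ] || continue; r=${f##*/}`, and fail early on a missing setting with `: "${LOOPDIR:?not set in testing.conf}"` so the final `rm -f $LOOPDIR/etc/resolv.conf` can never be built from an empty `LOOPDIR`. `. $DIR/../testing.conf` is also sourced without checking that the file exists, which the scripts deleted in this commit did with `[ -f $DIR/../testing.conf ] || die ...`.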
diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys
deleted file mode 100755
index 799078557..000000000
--- a/testing/scripts/build-sshkeys
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-# build the hosts configuration directory with the actual IP addresses
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/../hosts ] || die "!! Directory 'hosts' not found"
-
-source $DIR/../testing.conf
-
-if [ ! -d $BUILDDIR ]
-then
- cecho " * Creating directory '$BUILDDIR'"
- mkdir $BUILDDIR
-fi
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
- cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
- touch $LOGFILE
- cgecho "done"
-fi
-
-if [ ! -d ~/.ssh ]
-then
- cecho-n " * Creating directory '~/.ssh'.."
- mkdir ~/.ssh
- cgecho "done"
-fi
-
-if [ -f ~/.ssh/known_hosts ]
-then
- cecho-n " * Backing up ~/.ssh/known_hosts to '~/.ssh/known_hosts.before_uml'.."
- cp -fp ~/.ssh/known_hosts ~/.ssh/known_hosts.before_uml
- cgecho "done"
-else
- cecho-n " * Creating '~/.ssh/known_hosts'"
- touch ~/.ssh/known_hosts
- cgecho "done"
-fi
-
-for host in $HOSTNAMEIPV4
-do
- HOSTNAME=`echo $host | awk -F, '{ print $1 }'`
- IP=`echo $host | awk -F, '{ print $2 }'`
- if [ `grep "$IP " ~/.ssh/known_hosts | wc -l` != "0" ]
- then
- cecho "!! Warning: An entry exists for the following IP address: $IP"
- else
- cecho-n " * Adding uml host $HOSTNAME ($IP) to '~/.ssh/known_hosts'.."
- echo "$HOSTNAME,$IP `cat $DIR/../hosts/ssh_host_rsa_key.pub`" >> ~/.ssh/known_hosts
- cgecho "done"
- fi
-done
-
-#####################################
-# preparing ssh for PK authentication
-#
-
-cecho-n " * Checking for ssh rsa key '~/.ssh/id_rsa.pub'.."
-if [ -f ~/.ssh/id_rsa.pub ]
-then
- cecho "already exists"
-else
- cecho "not found"
- cecho-n " * Generating ssh rsa key pair.."
- echo "" | ssh-keygen -N "" -t rsa -f ~/.ssh/id_rsa >> $LOGFILE 2>&1
- cgecho "done"
-fi
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
deleted file mode 100755
index 75feaa4ed..000000000
--- a/testing/scripts/build-umlhostfs
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-# create UML host file systems
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found."
-
-source $DIR/../testing.conf
-
-cd $BUILDDIR/root-fs
-
-[ -f gentoo-fs ] || die "!! Root file system 'gentoo-fs' not found."
-
-if [ ! -d $BUILDDIR ]
-then
- cecho-n " * Directory '$BUILDDIR' does not exist..creating.."
- mkdir $BUILDDIR
- cgecho "done"
-fi
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
- cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
- touch $LOGFILE
- cgecho "done"
-fi
-
-LOOPDIR=loop
-
-if [ ! -d $LOOPDIR ]
-then
- mkdir $LOOPDIR
-fi
-
-cecho-n " * Creating root filesystem for.."
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-for host in $HOSTS
-do
- cecho-n "$host.."
- cp gentoo-fs gentoo-fs-$host
- mount -o loop gentoo-fs-$host $LOOPDIR
- cp -rf $BUILDDIR/hosts/${host}/etc $LOOPDIR
- if [ "$host" = "winnetou" ]
- then
- mkdir $LOOPDIR/var/log/apache2/ocsp
- cp -rf $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
- chroot $LOOPDIR ln -s /etc/openssl/certs /var/www/localhost/htdocs/certs
- chroot $LOOPDIR /etc/openssl/generate-crl >> $LOGFILE 2>&1
- fi
- chroot $LOOPDIR /etc/init.d/depscan.sh --update >> $LOGFILE 2>&1
- umount $LOOPDIR
-done
-
-cgecho "done"
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
deleted file mode 100755
index b9f0d710d..000000000
--- a/testing/scripts/build-umlkernel
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/bin/bash
-# build an UML kernel based on a vanilla kernel and UML patch
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho-n " * Looking for kernel at '$KERNEL'.."
-if [ -f "${KERNEL}" ]
-then
- cecho "found it"
- KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
- cecho " * Kernel version is $KERNELVERSION"
-else
- cecho "none"
- exit
-fi
-
-if [ ${UMLPATCH} ]
-then
- cecho-n " * Looking for uml patch at '$UMLPATCH'.."
- if [ -f "${UMLPATCH}" ]
- then
- cecho "found it"
- else
- cecho "none"
- exit
- fi
-fi
-
-cecho-n " * Looking for kernel config at '$KERNELCONFIG'.."
-if [ -f "${KERNEL}" ]
-then
- cecho "found it"
-else
- cecho "none"
- exit
-fi
-
-#######################################################
-# unpack kernel and create symlink
-#
-
-if [ ! -d $BUILDDIR ]
-then
- cecho " * Creating directory '$BUILDDIR'"
- mkdir $BUILDDIR
-fi
-
-cecho " * Changing to directory '$BUILDDIR'"
-cd $BUILDDIR
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
- cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
- touch $LOGFILE
- cgecho "done"
-fi
-
-cecho-n " * Unpacking kernel.."
-tar xjf $KERNEL >> $LOGFILE 2>&1
-cgecho "done"
-
-KERNELDIR=${BUILDDIR}/linux-${KERNELVERSION}
-
-if [ -d $KERNELDIR ]
-then
- cecho " * Kernel directory is '$KERNELDIR'"
- cecho " * Creating symlink 'linux'"
- if [ -d linux ]
- then
- rm linux
- fi
- ln -s linux-${KERNELVERSION} linux
-else
- cecho "!! Kernel directory '$KERNELDIR' can not be found"
- exit
-fi
-
-#######################################################
-# patch kernel
-#
-
-cecho " * Changing to directory '$KERNELDIR'"
-cd $KERNELDIR
-
-if [ $UMLPATCH ]
-then
- cecho-n " * Applying uml patch.."
- bzcat $UMLPATCH | patch -p1 >> $LOGFILE 2>&1
- cgecho "done"
-fi
-
-#######################################################
-# copy our default .config to linux and build kernel
-#
-
-cp $KERNELCONFIG .config
-
-cecho "!!"
-cecho "!! Making .config for kernel. You might be prompted for new parameters!"
-cecho "!!"
-make oldconfig ARCH=um SUBARCH=i386 2>&1 | tee -a $LOGFILE
-
-cecho-n " * Now compiling uml kernel.."
-make linux ARCH=um SUBARCH=i386 >> $LOGFILE 2>&1
-cgecho "done"
-
-cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.."
-mv linux ${BUILDDIR}/linux-uml-${KERNELVERSION}
-cgecho "done"
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
deleted file mode 100755
index 92595222c..000000000
--- a/testing/scripts/build-umlrootfs
+++ /dev/null
@@ -1,451 +0,0 @@
-#!/bin/bash
-# Create UML root filesystem
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-STRONGSWANVERSION=`basename $STRONGSWAN .tar.bz2`
-
-cecho-n " * Looking for strongSwan at '$STRONGSWAN'.."
-if [ -f "$STRONGSWAN" ]
-then
- cecho "found it"
- cecho " * strongSwan version is '$STRONGSWANVERSION'"
-else
- cecho "none"
- exit
-fi
-
-cecho-n " * Looking for gentoo root filesystem at '$ROOTFS'.."
-if [ -f "$ROOTFS" ]
-then
- cecho "found it"
-else
- cecho "none"
- exit
-fi
-
-[ -d $BUILDDIR ] || die "!! Directory '$BUILDDIR' does not exist"
-
-HOSTCONFIGDIR=$BUILDDIR/hosts
-
-[ -d $HOSTCONFIGDIR ] || die "!! Directory '$HOSTCONFIGDIR' does not exist"
-
-LOGFILE=$BUILDDIR/testing.log
-
-if [ ! -f $LOGFILE ]
-then
- cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
- touch $LOGFILE
- cgecho "done"
-fi
-
-ROOTFSDIR=$BUILDDIR/root-fs
-
-if [ ! -d $ROOTFSDIR ]
-then
- cecho-n " * Root file system directory '$ROOTFSDIR' does not exist..creating.."
- mkdir $ROOTFSDIR
- cgecho "done"
-fi
-
-cd $ROOTFSDIR
-
-LOOPDIR=$ROOTFSDIR/loop
-
-if [ ! -d $LOOPDIR ]
-then
- mkdir $LOOPDIR
-fi
-
-######################################################
-# creating reiser-based uml root filesystem
-#
-
-cecho-n " * Building basic root filesystem (gentoo).."
-dd if=/dev/zero of=gentoo-fs count=$ROOTFSSIZE bs=1M >> $LOGFILE 2>&1
-mkreiserfs -q -f gentoo-fs >> $LOGFILE 2>&1
-mount -o loop gentoo-fs $LOOPDIR >> $LOGFILE 2>&1
-tar xjpf $ROOTFS -C $LOOPDIR >> $LOGFILE 2>&1
-cgecho "done"
-
-######################################################
-# remove /etc/resolv.conf
-#
-cecho " * Removing /etc/resolv.conf"
-rm -f $LOOPDIR/etc/resolv.conf
-
-######################################################
-# copying default /etc/hosts to the root filesystem
-#
-cecho " * Copying '$HOSTCONFIGDIR/default/etc/hosts' to the root filesystem"
-cp -fp $HOSTCONFIGDIR/default/etc/hosts $LOOPDIR/etc/hosts
-
-#####################################################
-# extracting strongSwan into the root filesystem
-#
-cecho " * Extracting strongSwan into the root filesystem"
-tar xjf $STRONGSWAN -C $LOOPDIR/root >> $LOGFILE 2>&1
-
-######################################################
-# setting up mountpoint for shared source tree
-#
-if [ "${SHAREDTREE+set}" = "set" ]; then
- cecho " * setting up shared strongswan tree at '$SHAREDTREE'"
- mkdir $LOOPDIR/root/strongswan-shared
- echo "" >> $LOOPDIR/etc/fstab
- echo "none /root/strongswan-shared hostfs $SHAREDTREE" >> $LOOPDIR/etc/fstab
-fi
-
-######################################################
-# installing strongSwan and setting the local timezone
-#
-
-INSTALLSHELL=${LOOPDIR}/install.sh
-
-cecho " * Preparing strongSwan installation script"
-echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
-
-echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
-echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
-echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
-echo -n " --disable-load-warning" >> $INSTALLSHELL
-
-if [ "$USE_LIBCURL" = "yes" ]
-then
- echo -n " --enable-curl" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LDAP" = "yes" ]
-then
- echo -n " --enable-ldap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_AKA" = "yes" ]
-then
- echo -n " --enable-eap-aka" >> $INSTALLSHELL
- echo -n " --enable-eap-aka-3gpp2" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_SIM" = "yes" ]
-then
- echo -n " --enable-eap-sim" >> $INSTALLSHELL
- echo -n " --enable-eap-sim-file" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_MD5" = "yes" ]
-then
- echo -n " --enable-eap-md5" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_MSCHAPV2" = "yes" ]
-then
- echo -n " --enable-md4" >> $INSTALLSHELL
- echo -n " --enable-eap-mschapv2" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_IDENTITY" = "yes" ]
-then
- echo -n " --enable-eap-identity" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_RADIUS" = "yes" ]
-then
- echo -n " --enable-eap-radius" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_DYNAMIC" = "yes" ]
-then
- echo -n " --enable-eap-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TLS" = "yes" ]
-then
- echo -n " --enable-eap-tls" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TTLS" = "yes" ]
-then
- echo -n " --enable-eap-ttls" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_PEAP" = "yes" ]
-then
- echo -n " --enable-eap-peap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TNC" = "yes" ]
-then
- echo -n " --enable-eap-tnc" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_PDP" = "yes" ]
-then
- echo -n " --enable-tnc-pdp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_IMC" = "yes" ]
-then
- echo -n " --enable-tnc-imc" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_IMV" = "yes" ]
-then
- echo -n " --enable-tnc-imv" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_11" = "yes" ]
-then
- echo -n " --enable-tnccs-11" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_20" = "yes" ]
-then
- echo -n " --enable-tnccs-20" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_DYNAMIC" = "yes" ]
-then
- echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_TEST" = "yes" ]
-then
- echo -n " --enable-imc-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_TEST" = "yes" ]
-then
- echo -n " --enable-imv-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_SCANNER" = "yes" ]
-then
- echo -n " --enable-imc-scanner" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_SCANNER" = "yes" ]
-then
- echo -n " --enable-imv-scanner" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_ATTESTATION" = "yes" ]
-then
- echo -n " --enable-imc-attestation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_ATTESTATION" = "yes" ]
-then
- echo -n " --enable-imv-attestation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SQL" = "yes" ]
-then
- echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
- fi
-
-if [ "$USE_MEDIATION" = "yes" ]
-then
- echo -n " --enable-mediation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_OPENSSL" = "yes" ]
-then
- echo -n " --enable-openssl" >> $INSTALLSHELL
-fi
-
-if [ "$USE_BLOWFISH" = "yes" ]
-then
- echo -n " --enable-blowfish" >> $INSTALLSHELL
-fi
-
-if [ "$USE_KERNEL_PFKEY" = "yes" ]
-then
- echo -n " --enable-kernel-pfkey" >> $INSTALLSHELL
-fi
-
-if [ "$USE_INTEGRITY_TEST" = "yes" ]
-then
- echo -n " --enable-integrity-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LEAK_DETECTIVE" = "yes" ]
-then
- echo -n " --enable-leak-detective" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LOAD_TESTER" = "yes" ]
-then
- echo -n " --enable-load-tester" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TEST_VECTORS" = "yes" ]
-then
- echo -n " --enable-test-vectors" >> $INSTALLSHELL
-fi
-
-if [ "$USE_GCRYPT" = "yes" ]
-then
- echo -n " --enable-gcrypt" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SOCKET_DEFAULT" = "yes" ]
-then
- echo -n " --enable-socket-default" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SOCKET_DYNAMIC" = "yes" ]
-then
- echo -n " --enable-socket-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_DHCP" = "yes" ]
-then
- echo -n " --enable-dhcp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_FARP" = "yes" ]
-then
- echo -n " --enable-farp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_ADDRBLOCK" = "yes" ]
-then
- echo -n " --enable-addrblock" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CTR" = "yes" ]
-then
- echo -n " --enable-ctr" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CCM" = "yes" ]
-then
- echo -n " --enable-ccm" >> $INSTALLSHELL
-fi
-
-if [ "$USE_GCM" = "yes" ]
-then
- echo -n " --enable-gcm" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CMAC" = "yes" ]
-then
- echo -n " --enable-cmac" >> $INSTALLSHELL
-fi
-
-if [ "$USE_HA" = "yes" ]
-then
- echo -n " --enable-ha" >> $INSTALLSHELL
-fi
-
-if [ "$USE_AF_ALG" = "yes" ]
-then
- echo -n " --enable-af-alg" >> $INSTALLSHELL
-fi
-
-if [ "$USE_WHITELIST" = "yes" ]
-then
- echo -n " --enable-whitelist" >> $INSTALLSHELL
-fi
-
-if [ "$USE_XAUTH_GENERIC" = "yes" ]
-then
- echo -n " --enable-xauth-generic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_XAUTH_EAP" = "yes" ]
-then
- echo -n " --enable-xauth-eap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_PKCS8" = "yes" ]
-then
- echo -n " --enable-pkcs8" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IFMAP" = "yes" ]
-then
- echo -n " --enable-tnc-ifmap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CISCO_QUIRKS" = "yes" ]
-then
- echo -n " --enable-cisco-quirks" >> $INSTALLSHELL
-fi
-
-if [ "$USE_UNITY" = "yes" ]
-then
- echo -n " --enable-unity" >> $INSTALLSHELL
-fi
-
-echo "" >> $INSTALLSHELL
-echo "make -j" >> $INSTALLSHELL
-echo "make install" >> $INSTALLSHELL
-echo "ldconfig" >> $INSTALLSHELL
-
-cecho-n " * Compiling $STRONGSWANVERSION within the root file system as chroot.."
-chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1
-rm -f $INSTALLSHELL
-cgecho "done"
-
-######################################################
-# copying default /etc/ipsec.d/tables.sql to the root filesystem
-#
-cecho " * Copying '$HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql' to the root filesystem"
-cp -fp $HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql $LOOPDIR/etc/ipsec.d/tables.sql
-
-######################################################
-# copying the host's ssh public key
-#
-
-if [ ! -d $LOOPDIR/root/.ssh ]
-then
- mkdir $LOOPDIR/root/.ssh
-fi
-cp ~/.ssh/id_rsa.pub $LOOPDIR/root/.ssh/authorized_keys
-
-######################################################
-# setup public key based login among all hosts
-#
-cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa
-
-for host in $STRONGSWANHOSTS
-do
- eval ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F- '{ print $1 }' | awk '{ print $1 }'`"
- echo "$host,$ip `cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts
- echo "`cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys
-done
-
-######################################################
-# defining an empty modules.dep
-#
-
-if [ $UMLPATCH ]
-then
- mkdir $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um
- touch $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um/modules.dep
-else
- mkdir $LOOPDIR/lib/modules/$KERNELVERSION
- touch $LOOPDIR/lib/modules/$KERNELVERSION/modules.dep
-fi
-
-umount $LOOPDIR
diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh
index e7ecbcf83..c4769678c 100755
--- a/testing/scripts/function.sh
+++ b/testing/scripts/function.sh
@@ -14,31 +14,146 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
+export TERM=xterm
+RED=$(tput setaf 1)
+GREEN=$(tput setaf 2)
+NORMAL=$(tput op)
-############################################
-# print output in color
-#
+# exit with given error message
+# $1 - error message
+die() {
+ echo -e "${RED}$1${NORMAL}"
+ exit 1
+}
-function cecho {
- echo -e "\033[1;31m$1\033[0m"
+# execute command
+# $1 - command to execute
+# $2 - whether or not to log command exit status
+# (0 -> disable exit status logging)
+execute()
+{
+ cmd=${1}
+ echo $cmd >>$LOGFILE 2>&1
+ $cmd >>$LOGFILE 2>&1
+ status=$?
+ [ "$2" != 0 ] && log_status $status
+ if [ $status != 0 ]; then
+ echo
+ echo "! Command $cmd failed, exiting (status $status)"
+ echo "! Check why here $LOGFILE"
+ exit 1
+ fi
}
-function cgecho {
- echo -e "\033[1;32m$1\033[0m"
+
+# execute command in chroot
+# $1 - command to execute
+execute_chroot()
+{
+ execute "chroot $LOOPDIR $@"
}
-function cecho-n {
- echo -en "\033[1;31m$1\033[0m"
+# write green status message to console
+# $1 - msg
+echo_ok()
+{
+ echo -e "${GREEN}$1${NORMAL}"
}
+# write red status message to console
+# $1 - msg
+echo_failed()
+{
+ echo -e "${RED}$1${NORMAL}"
+}
-#############################################
-# output all args to stderr and exit with
-# return code 1
-#
+# log an action
+# $1 - current action description
+log_action()
+{
+ /bin/echo -n "[....] $1 "
+}
-die() {
- echo $* 1>&2
- exit 1
+# log an action status
+# $1 - exit status of action
+log_status()
+{
+ tput hpa 0
+ if [ $1 -eq 0 ]; then
+ /bin/echo -ne "[${GREEN} ok ${NORMAL}"
+ else
+ /bin/echo -ne "[${RED}FAIL${NORMAL}"
+ fi
+ echo
+}
+
+# the following two functions are stolen from [1]
+# [1] - http://www.linuxjournal.com/content/use-bash-trap-statement-cleanup-temporary-files
+
+declare -a on_exit_items
+
+# perform registered actions on exit
+on_exit()
+{
+ for ((onex=${#on_exit_items[@]}-1; onex>=0; onex--))
+ do
+ echo "On_Exit: ${on_exit_items[$onex]}" >>$LOGFILE
+ ${on_exit_items[$onex]} >>$LOGFILE 2>&1
+ done
+ on_exit_items=""
+ trap - EXIT
+}
+
+# register a command to execute when the calling script terminates. The
+# registered commands are called in FILO order.
+# $* - command to register
+do_on_exit()
+{
+ local n=${#on_exit_items[*]}
+ on_exit_items[$n]="$*"
+ if [ $n -eq 0 ]; then
+ trap on_exit EXIT
+ fi
+}
+
+# wait for a mount to disappear
+# $1 - device/image to wait for
+# $2 - maximum time to wait in seconds, default is 5 seconds
+graceful_umount()
+{
+ secs=$2
+ [ ! $secs ] && secs=5
+
+ let steps=$secs*100
+ for st in `seq 1 $steps`
+ do
+ umount $1 >>$LOGFILE 2>&1
+ mount | grep $1 >/dev/null 2>&1
+ [ $? -eq 0 ] || return 0
+ sleep 0.01
+ done
+
+ return 1
+}
+
+# load qemu NBD kernel module, if not already loaded
+load_qemu_nbd()
+{
+ lsmod | grep ^nbd[[:space:]]* >/dev/null 2>&1
+ if [ $? != 0 ]
+ then
+ log_action "Loading NBD kernel module"
+ execute "modprobe nbd max_part=16"
+ fi
+}
+
+# check if given commands exist in $PATH
+# $* - commands to check
+check_commands()
+{
+ for i in $*
+ do
+ command -v $i >/dev/null || { die "Required command $i not found"; exit 1; }
+ done
}
#############################################
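Review bot: `execute` runs its argument as an unquoted `$cmd`, so the calling host shell splits it on whitespace and expands globs before anything runs, and `execute_chroot` inherits that. For a call such as `execute_chroot "rm -rf /var/lib/ldap/*"` in build-guestimages, the `*` is therefore matched against the host's /var/lib/ldap rather than the guest's, and any testing.conf path containing whitespace is split into several arguments of a command run as root. Letting the guest's shell interpret chroot command lines, as sketched below, keeps the string interface for callers; it assumes /bin/sh exists in the guest image. `die` also now prints to stdout, where the removed version wrote to stderr.

```shell
execute_chroot()
{
	# the guest's shell, not the host's, splits and globs the command line
	echo "chroot $LOOPDIR $1" >>"$LOGFILE" 2>&1
	chroot "$LOOPDIR" /bin/sh -c "$1" >>"$LOGFILE" 2>&1
	status=$?
	[ "$2" != 0 ] && log_status $status
	if [ $status != 0 ]; then
		echo
		echo "! Command $1 failed in chroot, exiting (status $status)"
		echo "! Check why here $LOGFILE"
		exit 1
	fi
}
```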
@@ -55,13 +170,6 @@ function searchandreplace {
[ -d "$DESTDIR" ] || die "$DESTDIR is not a directory!"
- #########################
- # create a temporary file
- #
-
- TMPFILE="/tmp/sr.$$"
-
-
###########################################
# search and replace in each found file the
# given string
@@ -69,59 +177,7 @@ function searchandreplace {
for eachfoundfile in `find $DESTDIR -type f`
do
- sed -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile" > "$TMPFILE"
- cp -f "$TMPFILE" "$eachfoundfile"
+ sed -i -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile"
done
-
- ###########################
- # delete the temporary file
- #
-
- rm -f "$TMPFILE"
-
-}
-
-#############################################
-# add a bridge
-#
-
-function umlbr_add {
- brctl addbr "umlbr$1"
- brctl setfd "umlbr$1" 0
- brctl setageing "umlbr$1" 3600
- brctl stp "umlbr$1" off
- ifconfig "umlbr$1" "$2" netmask "$3" up
}
-
-#############################################
-# delete a bridge
-#
-
-function umlbr_del {
- ifconfig "umlbr$1" down &> /dev/null 2>&1
- brctl delbr "umlbr$1" &> /dev/null 2>&1
-}
-
-#############################################
-# add a tap interface to a bridge
-#
-
-function umlbr_add_tap {
- tunctl -t "tap$1_$2" &> /dev/null 2>&1
- ifconfig "tap$1_$2" 0.0.0.0 promisc up &> /dev/null 2>&1
- brctl addif "umlbr$1" "tap$1_$2" &> /dev/null 2>&1
- cecho-n "$2.."
- }
-
-#############################################
-# delete a tap interface from a bridge
-#
-
-function umlbr_del_tap {
- ifconfig "umlbr$2" down &> /dev/null 2>&1
- brctl delif "umlbr$1" "tap$1_$2" &> /dev/null 2>&1
- tunctl -d "tap$1_$2" &> /dev/null 2>&1
- cecho-n "$2.."
- }
-
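Review bot: The added `sed -i -e "s/$SEARCHSTRING/$REPLACESTRING/g"` line still pastes both variables straight into the sed program, so a `/`, `&` or backslash in either value changes the expression instead of being matched or inserted literally. Either escape the two values before use or document on `searchandreplace` that callers must pass sed-safe strings. The unchanged `for eachfoundfile in` loop also word-splits the output of `find`, so paths with spaces are edited as fragments. `find "$DESTDIR" -type f -exec sed -i -e "s/$SEARCHSTRING/$REPLACESTRING/g" {} +` avoids that. Dropping the predictable `/tmp/sr.$$` file is the right direction; the function starts outside this hunk.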
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
deleted file mode 100755
index c6fcd26dc..000000000
--- a/testing/scripts/gstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in an gnome-terminal (requires X11R6)
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of xterm window on the desktop
-x0=8
-y0=52
-dx=12
-dy=24
-
-for host in $HOSTS
-do
- up=0
-
- if [ -d ~/.uml/${host} ]
- then
- pid=`cat ~/.uml/${host}/pid`
- up=`ps up $pid | wc -l`
- fi
-
- if [ $up -eq 2 ]
- then
- cecho " * Great, ${host} is already running!"
- else
- rm -rf ~/.uml/${host}
- BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
- let "count_max += 12"
-
- UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
- [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
- cecho-n " * Starting ${host}.."
- eval gnome-terminal --title=${host} --geometry="+${x0}+${y0}" --show-menubar --execute "$UMLKERNEL \
- umid=${host} \
- ubda=$UMLHOSTFS \
- \$SWITCH_${host} \
- mem=${MEM}M con=pty con0=fd:0,fd:1" &
- cgecho "done"
- sleep 15
- fi
- let "x0+=dx"
- let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
- exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
- cecho-n " * Checking on $host.."
-
- while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
- do
- cecho-n "."
- sleep 5
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- fi
-
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
- while [ $count -lt $count_max ] && [ $up -eq 0 ]
- do
- cecho-n "."
- sleep 5
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- else
- cgecho "up"
- fi
-
- if [ "$host" = "alice" ]
- then
- sleep 5
- eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
- fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/install-shared b/testing/scripts/install-shared
deleted file mode 100755
index 4cfac9e77..000000000
--- a/testing/scripts/install-shared
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Install strongSwan from mounted strongswan-shared tree
-#
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho "installing strongSwan from shared tree"
-cecho-n " on: "
-
-for host in $STRONGSWANHOSTS
-do
- eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- cecho-n "$host... "
- ssh $HOSTLOGIN 'cd ~/strongswan-shared && make install' > /dev/null
-done
-
-cecho
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
deleted file mode 100755
index 18dc64a9d..000000000
--- a/testing/scripts/kstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in a konsole (requires KDE)
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of konsole window on the desktop
-x0=8
-y0=8
-dx=12
-dy=24
-
-for host in $HOSTS
-do
- up=0
-
- if [ -d ~/.uml/${host} ]
- then
- pid=`cat ~/.uml/${host}/pid`
- up=`ps up $pid | wc -l`
- fi
-
- if [ $up -eq 2 ]
- then
- cecho " * Great, ${host} is already running!"
- else
- rm -rf ~/.uml/${host}
- BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
- let "count_max += 12"
-
- UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
- [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
- cecho-n " * Starting ${host}.."
- eval konsole -title ${host} --geometry "+${x0}+${y0}" -e "$UMLKERNEL \
- umid=${host} \
- ubda=$UMLHOSTFS \
- \$SWITCH_${host} \
- mem=${MEM}M con=pty con0=fd:0,fd:1" &
- cgecho "done"
- sleep 15
- fi
- let "x0+=dx"
- let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
- exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
- cecho-n " * Checking on $host.."
-
- while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
- do
- cecho-n "."
- sleep 5
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- fi
-
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
- while [ $count -lt $count_max ] && [ $up -eq 0 ]
- do
- cecho-n "."
- sleep 5
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- else
- cgecho "up"
- fi
-
- if [ "$host" = "alice" ]
- then
- sleep 5
- eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
- fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 43100dbe0..0ea4fbf00 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -14,13 +14,9 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
##########################################################################
# load-testconfig requires a testname as an argument
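Review bot: A missing `testing.conf` is no longer reported, because the removed `[ -f ... ] || die` check has no replacement and `. $DIR/../testing.conf` now runs first; depending on the shell, the script may continue with every host variable empty. `die` presumably comes from `function.sh`, which is now sourced after the config, so the guard has to be self-contained: `[ -f "$DIR/../testing.conf" ] || { echo "Configuration file 'testing.conf' not found" >&2; exit 1; }`. The new `DIR=` line also leaves `$0` unquoted and nests backticks inside `$( )`; `DIR=$(dirname "$(readlink -f "$0")")` handles paths with spaces.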
@@ -58,17 +54,16 @@ for host in $IPSECHOSTS
do
eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
- kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+ kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
done
##########################################################################
-# clear radius.log and daemon.log on FreeRadius servers
+# clear radius.log on FreeRadius servers
#
for host in $RADIUSHOSTS
do
eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/radius/radius.log /var/log/daemon.log; \
- kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+ ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/freeradius/radius.log' > /dev/null 2>&1
done
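Review bot: Both changed `ssh` commands discard stdout and stderr and their exit status is never checked, so if `/var/run/rsyslogd.pid` is absent on a guest the HUP is not delivered and the test run carries on with log files that were deleted but not reopened. Appending `|| echo "log reset failed on $host" >&2` to each `ssh` line would make that visible without aborting the run. In the FreeRADIUS loop the file is now only removed and nothing is signalled; whether the daemon reopens `radius.log` by itself is not visible here, so it deserves a comment. The first loop starts outside this hunk.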
diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk
new file mode 100644
index 000000000..b835958b7
--- /dev/null
+++ b/testing/scripts/recipes/001_libtnc.mk
@@ -0,0 +1,31 @@
+#!/usr/bin/make
+
+PV = 1.25
+PKG = libtnc-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+ --sysconfdir=/etc
+
+all: install
+
+$(TAR):
+ wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+ tar xfz $(TAR)
+ @touch $@
+
+.$(PKG)-configured: .$(PKG)-unpacked
+ cd $(PKG) && ./configure $(CONFIG_OPTS)
+ @touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+ cd $(PKG) && make -j $(NUM_CPUS)
+ @touch $@
+
+install: .$(PKG)-built
+ cd $(PKG) && make install
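Review bot: The `$(TAR)` rule fetches the tarball with `wget $(SRC)` over plain http and the later rules unpack, build and `make install` it with no integrity check, so whatever the mirror or the network path returns is installed into the test image. Pin a digest in the recipe and verify it before unpacking, e.g. `SHA256 = <EXPECTED_SHA256>` and `echo "$(SHA256)  $(TAR)" | sha256sum -c -` as the first line of the unpack rule. The same applies to the `wget $(SRC)` rules in 003_freeradius.mk (ftp), 004_iptables.mk (http) and 005_strongswan.mk (http).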
diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk
new file mode 100644
index 000000000..397cef950
--- /dev/null
+++ b/testing/scripts/recipes/002_tnc-fhh.mk
@@ -0,0 +1,28 @@
+#!/usr/bin/make
+
+PKG = fhhtnc
+SRC = git://github.com/trustatfhh/tnc-fhh.git
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+ -DCOMPONENT=all \
+ -DNAL=8021x
+
+all: install
+
+.$(PKG)-cloned:
+ git clone $(SRC) $(PKG)
+ mkdir $(PKG)/build
+ @touch $@
+
+.$(PKG)-configured: .$(PKG)-cloned
+ cd $(PKG)/build && cmake $(CONFIG_OPTS) ../
+ @touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+ cd $(PKG)/build && make -j $(NUM_CPUS)
+ @touch $@
+
+install: .$(PKG)-built
+ cd $(PKG)/build && make install
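Review bot: `git clone $(SRC) $(PKG)` uses the unauthenticated `git://` transport and builds whatever the default branch points to at clone time, so the installed code is neither integrity-protected in transit nor reproducible between runs. Use `SRC = https://github.com/trustatfhh/tnc-fhh.git` and pin the revision after cloning, e.g. `cd $(PKG) && git checkout <PINNED_COMMIT>`. A `REV` variable next to `SRC` would keep the pin visible at the top of the recipe.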
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
new file mode 100644
index 000000000..7b7a5fe82
--- /dev/null
+++ b/testing/scripts/recipes/003_freeradius.mk
@@ -0,0 +1,44 @@
+#!/usr/bin/make
+
+PV = 2.2.0
+PKG = freeradius-server-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = ftp://ftp.freeradius.org/pub/freeradius/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+ --with-raddbdir=/etc/freeradius \
+ --sysconfdir=/etc \
+ --with-logdir=/var/log/freeradius \
+ --enable-developer \
+ --with-experimental-modules
+
+PATCHES = \
+ freeradius-eap-sim-identity \
+ freeradius-avp-size \
+ freeradius-tnc-fhh
+
+all: install
+
+$(TAR):
+ wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+ tar xfj $(TAR)
+ @touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+ cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+ @touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+ cd $(PKG) && ./configure $(CONFIG_OPTS)
+ @touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+ cd $(PKG) && make -j $(NUM_CPUS)
+ @touch $@
+
+install: .$(PKG)-built
+ cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_iptables.mk b/testing/scripts/recipes/004_iptables.mk
new file mode 100644
index 000000000..51200201a
--- /dev/null
+++ b/testing/scripts/recipes/004_iptables.mk
@@ -0,0 +1,37 @@
+#!/usr/bin/make
+
+PV = 1.4.16.3
+PKG = iptables-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://www.netfilter.org/projects/iptables/files/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS =
+
+PATCHES = \
+ iptables-xfrm-hooks
+
+all: install
+
+$(TAR):
+ wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+ tar xfj $(TAR)
+ @touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+ cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+ @touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+ cd $(PKG) && ./configure $(CONFIG_OPTS)
+ @touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+ cd $(PKG) && make -j $(NUM_CPUS)
+ @touch $@
+
+install: .$(PKG)-built
+ cd $(PKG) && make install
diff --git a/testing/scripts/recipes/005_strongswan.mk b/testing/scripts/recipes/005_strongswan.mk
new file mode 100644
index 000000000..76d2d0882
--- /dev/null
+++ b/testing/scripts/recipes/005_strongswan.mk
@@ -0,0 +1,87 @@
+#!/usr/bin/make
+
+PV = $(SWANVERSION)
+PKG = strongswan-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://download.strongswan.org/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+ --sysconfdir=/etc \
+ --with-random-device=/dev/urandom \
+ --disable-load-warning \
+ --enable-curl \
+ --enable-ldap \
+ --enable-eap-aka \
+ --enable-eap-aka-3gpp2 \
+ --enable-eap-sim \
+ --enable-eap-sim-file \
+ --enable-eap-md5 \
+ --enable-md4 \
+ --enable-eap-mschapv2 \
+ --enable-eap-identity \
+ --enable-eap-radius \
+ --enable-eap-dynamic \
+ --enable-eap-tls \
+ --enable-eap-ttls \
+ --enable-eap-peap \
+ --enable-eap-tnc \
+ --enable-tnc-pdp \
+ --enable-tnc-imc \
+ --enable-tnc-imv \
+ --enable-tnccs-11 \
+ --enable-tnccs-20 \
+ --enable-tnccs-dynamic \
+ --enable-imc-test \
+ --enable-imv-test \
+ --enable-imc-scanner \
+ --enable-imv-scanner \
+ --enable-imc-os \
+ --enable-imv-os \
+ --enable-imc-attestation \
+ --enable-imv-attestation \
+ --enable-sql \
+ --enable-sqlite \
+ --enable-mediation \
+ --enable-openssl \
+ --enable-blowfish \
+ --enable-kernel-pfkey \
+ --enable-integrity-test \
+ --enable-leak-detective \
+ --enable-load-tester \
+ --enable-test-vectors \
+ --enable-gcrypt \
+ --enable-socket-default \
+ --enable-socket-dynamic \
+ --enable-dhcp \
+ --enable-farp \
+ --enable-addrblock \
+ --enable-ctr \
+ --enable-ccm \
+ --enable-gcm \
+ --enable-cmac \
+ --enable-ha \
+ --enable-af-alg \
+ --enable-whitelist \
+ --enable-xauth-generic \
+ --enable-xauth-eap \
+ --enable-pkcs8 \
+ --enable-unity
+
+all: install
+
+$(TAR):
+ wget $(SRC)
+
+$(PKG): $(TAR)
+ tar xfj $(TAR)
+
+configure: $(PKG)
+ cd $(PKG) && ./configure $(CONFIG_OPTS)
+
+build: configure
+ cd $(PKG) && make -j $(NUM_CPUS)
+
+install: build
+ cd $(PKG) && make install
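Review bot: `configure`, `build` and `install` are not files and are not declared phony, unlike the stamp-file targets in recipes 001 to 004. Every run therefore repeats `./configure` and the build, and a file or directory named `build` or `configure` beside the recipe would silently skip that step. If the re-run is intended for the software under test, say so in a comment and add `.PHONY: all configure build install`. `PV = $(SWANVERSION)` also has no guard, so an unset variable yields `strongswan-.tar.bz2`; `$(if $(SWANVERSION),,$(error SWANVERSION not set))` would catch that early.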
diff --git a/testing/scripts/recipes/patches/freeradius-avp-size b/testing/scripts/recipes/patches/freeradius-avp-size
new file mode 100644
index 000000000..e7e1f635b
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-avp-size
@@ -0,0 +1,18 @@
+diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+index 6c9bd13..3344c53 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
++++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+@@ -201,8 +201,11 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, SSL *ssl,
+ goto next_attr;
+ }
+
+- if (size > 253) {
+- RDEBUG2("WARNING: diameter2vp skipping long attribute %u, attr");
++ /*
++ * EAP-Message AVPs can be larger than 253 octets.
++ */
++ if ((size > 253) && !((VENDOR(attr) == 0) && (attr == PW_EAP_MESSAGE))) {
++ RDEBUG2("WARNING: diameter2vp skipping long attribute %u", attr);
+ goto next_attr;
+ }
+
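Review bot: With the relaxed condition, an EAP-Message AVP longer than 253 octets now passes this check, and the code that stores its payload lies outside the hunk. It cannot be confirmed from here that the later copy in `diameter2vp` is bounded to the value-pair buffer or split across several pairs. That path should be checked before the patch is relied on, and the added comment should name where the oversized value is handled rather than only stating that it can occur. The corrected `RDEBUG2` call, with `attr` moved out of the format string, is fine as written.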
diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
new file mode 100644
index 000000000..1ab95ecc6
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
@@ -0,0 +1,30 @@
+--- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:03:05.081225276 +0100
++++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:46:59.746289881 +0100
+@@ -246,14 +246,21 @@
+ newvp->vp_integer = ess->sim_id++;
+ pairreplace(outvps, newvp);
+
++ ess->keys.identitylen = strlen(handler->identity);
++ memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
++
+ /* make a copy of the identity */
+ newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY);
+- if (newvp) {
+- ess->keys.identitylen = newvp->length;
+- memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
+- } else {
+- ess->keys.identitylen = strlen(handler->identity);
+- memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
++ if (newvp && newvp->length > 2) {
++ uint16_t len;
++
++ memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
++ len = ntohs(len);
++ if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
++ ess->keys.identitylen = len;
++ memcpy(ess->keys.identity, newvp->vp_octets + 2,
++ ess->keys.identitylen);
++ }
+ }
+
+ /* all set, calculate keys! */
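Review bot: The two added lines that copy `handler->identity` now run unconditionally and size the `memcpy` from `strlen()` alone, while the attribute path below checks `len <= MAX_STRING_LEN` before copying. The size of `ess->keys.identity` is not visible in this hunk, so the first copy should get the same bound, e.g. `size_t idlen = strlen(handler->identity); if (idlen > MAX_STRING_LEN) idlen = MAX_STRING_LEN;` and then use `idlen` for both the length field and the `memcpy`. The enclosing function starts and ends outside the hunk.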
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
new file mode 100644
index 000000000..5abc6b25f
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-tnc-fhh
@@ -0,0 +1,6687 @@
+diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary
+--- freeradius-server-2.2.0.orig/share/dictionary 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/share/dictionary 2012-12-04 19:39:42.261423097 +0100
+@@ -196,6 +196,7 @@
+ $INCLUDE dictionary.starent
+ $INCLUDE dictionary.symbol
+ $INCLUDE dictionary.telebit
++$INCLUDE dictionary.tncfhh
+ $INCLUDE dictionary.terena
+ $INCLUDE dictionary.trapeze
+ $INCLUDE dictionary.tropos
+diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh
+--- freeradius-server-2.2.0.orig/share/dictionary.tncfhh 1970-01-01 01:00:00.000000000 +0100
++++ freeradius-server-2.2.0/share/dictionary.tncfhh 2012-12-04 19:39:49.645421869 +0100
+@@ -0,0 +1,20 @@
++# -*- text -*-
++# Dictionary for the tnc@fhh Server.
++#
++# Website: http://trust.inform.fh-hannover.de
++#
++# Version: 0.8.4
++# Author: Bastian Hellmann
++# Email: trust@f4-i.fh-hannover.de
++#
++
++VENDOR tncfhh 10000
++BEGIN-VENDOR tncfhh
++
++ATTRIBUTE TNC-Status 1 integer
++
++VALUE TNC-Status Access 0
++VALUE TNC-Status Isolate 1
++VALUE TNC-Status None 2
++
++END-VENDOR tncfhh
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-12-04 19:38:00.237420970 +0100
+@@ -1,61 +1,84 @@
+ #! /bin/sh
+ # From configure.in Revision.
+ # Guess values for system-dependent variables and create Makefiles.
+-# Generated by GNU Autoconf 2.61.
++# Generated by GNU Autoconf 2.67.
++#
+ #
+ # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
++# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
++# Foundation, Inc.
++#
++#
+ # This configure script is free software; the Free Software Foundation
+ # gives unlimited permission to copy, distribute and modify it.
+-## --------------------- ##
+-## M4sh Initialization. ##
+-## --------------------- ##
++## -------------------- ##
++## M4sh Initialization. ##
++## -------------------- ##
+
+ # Be more Bourne compatible
+ DUALCASE=1; export DUALCASE # for MKS sh
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
++if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+ emulate sh
+ NULLCMD=:
+- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
++ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+ else
+- case `(set -o) 2>/dev/null` in
+- *posix*) set -o posix ;;
++ case `(set -o) 2>/dev/null` in #(
++ *posix*) :
++ set -o posix ;; #(
++ *) :
++ ;;
+ esac
+-
+ fi
+
+
+-
+-
+-# PATH needs CR
+-# Avoid depending upon Character Ranges.
+-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+-as_cr_digits='0123456789'
+-as_cr_alnum=$as_cr_Letters$as_cr_digits
+-
+-# The user is always right.
+-if test "${PATH_SEPARATOR+set}" != set; then
+- echo "#! /bin/sh" >conf$$.sh
+- echo "exit 0" >>conf$$.sh
+- chmod +x conf$$.sh
+- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+- PATH_SEPARATOR=';'
++as_nl='
++'
++export as_nl
++# Printing a long string crashes Solaris 7 /usr/bin/printf.
++as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
++# Prefer a ksh shell builtin over an external printf program on Solaris,
++# but without wasting forks for bash or zsh.
++if test -z "$BASH_VERSION$ZSH_VERSION" \
++ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
++ as_echo='print -r --'
++ as_echo_n='print -rn --'
++elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
++ as_echo='printf %s\n'
++ as_echo_n='printf %s'
++else
++ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
++ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
++ as_echo_n='/usr/ucb/echo -n'
+ else
+- PATH_SEPARATOR=:
++ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
++ as_echo_n_body='eval
++ arg=$1;
++ case $arg in #(
++ *"$as_nl"*)
++ expr "X$arg" : "X\\(.*\\)$as_nl";
++ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
++ esac;
++ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
++ '
++ export as_echo_n_body
++ as_echo_n='sh -c $as_echo_n_body as_echo'
+ fi
+- rm -f conf$$.sh
++ export as_echo_body
++ as_echo='sh -c $as_echo_body as_echo'
+ fi
+
+-# Support unset when possible.
+-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+- as_unset=unset
+-else
+- as_unset=false
++# The user is always right.
++if test "${PATH_SEPARATOR+set}" != set; then
++ PATH_SEPARATOR=:
++ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
++ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
++ PATH_SEPARATOR=';'
++ }
+ fi
+
+
+@@ -64,20 +87,18 @@
+ # there to prevent editors from complaining about space-tab.
+ # (If _AS_PATH_WALK were called with IFS unset, it would disable word
+ # splitting by setting IFS to empty value.)
+-as_nl='
+-'
+ IFS=" "" $as_nl"
+
+ # Find who we are. Look in the path if we contain no directory separator.
+-case $0 in
++case $0 in #((
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+-done
++ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
++ done
+ IFS=$as_save_IFS
+
+ ;;
+@@ -88,354 +109,321 @@
+ as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+- { (exit 1); exit 1; }
++ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
++ exit 1
+ fi
+
+-# Work around bugs in pre-3.0 UWIN ksh.
+-for as_var in ENV MAIL MAILPATH
+-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++# Unset variables that we do not need and which cause bugs (e.g. in
++# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
++# suppresses any "Segmentation fault" message there. '((' could
++# trigger a bug in pdksh 5.2.14.
++for as_var in BASH_ENV ENV MAIL MAILPATH
++do eval test x\${$as_var+set} = xset \
++ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+ done
+ PS1='$ '
+ PS2='> '
+ PS4='+ '
+
+ # NLS nuisances.
+-for as_var in \
+- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+- LC_TELEPHONE LC_TIME
+-do
+- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+- eval $as_var=C; export $as_var
+- else
+- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+- fi
+-done
+-
+-# Required to use basename.
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+- test "X`expr 00001 : '.*\(...\)'`" = X001; then
+- as_expr=expr
+-else
+- as_expr=false
+-fi
+-
+-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+- as_basename=basename
+-else
+- as_basename=false
+-fi
+-
+-
+-# Name of the executable.
+-as_me=`$as_basename -- "$0" ||
+-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+- X"$0" : 'X\(//\)$' \| \
+- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X/"$0" |
+- sed '/^.*\/\([^/][^/]*\)\/*$/{
+- s//\1/
+- q
+- }
+- /^X\/\(\/\/\)$/{
+- s//\1/
+- q
+- }
+- /^X\/\(\/\).*/{
+- s//\1/
+- q
+- }
+- s/.*/./; q'`
++LC_ALL=C
++export LC_ALL
++LANGUAGE=C
++export LANGUAGE
+
+ # CDPATH.
+-$as_unset CDPATH
+-
++(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+ if test "x$CONFIG_SHELL" = x; then
+- if (eval ":") 2>/dev/null; then
+- as_have_required=yes
++ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
++ emulate sh
++ NULLCMD=:
++ # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
++ # is contrary to our usage. Disable this feature.
++ alias -g '\${1+\"\$@\"}'='\"\$@\"'
++ setopt NO_GLOB_SUBST
+ else
+- as_have_required=no
++ case \`(set -o) 2>/dev/null\` in #(
++ *posix*) :
++ set -o posix ;; #(
++ *) :
++ ;;
++esac
+ fi
+-
+- if test $as_have_required = yes && (eval ":
+-(as_func_return () {
+- (exit \$1)
+-}
+-as_func_success () {
+- as_func_return 0
+-}
+-as_func_failure () {
+- as_func_return 1
+-}
+-as_func_ret_success () {
+- return 0
+-}
+-as_func_ret_failure () {
+- return 1
+-}
++"
++ as_required="as_fn_return () { (exit \$1); }
++as_fn_success () { as_fn_return 0; }
++as_fn_failure () { as_fn_return 1; }
++as_fn_ret_success () { return 0; }
++as_fn_ret_failure () { return 1; }
+
+ exitcode=0
+-if as_func_success; then
+- :
+-else
+- exitcode=1
+- echo as_func_success failed.
+-fi
+-
+-if as_func_failure; then
+- exitcode=1
+- echo as_func_failure succeeded.
+-fi
+-
+-if as_func_ret_success; then
+- :
+-else
+- exitcode=1
+- echo as_func_ret_success failed.
+-fi
+-
+-if as_func_ret_failure; then
+- exitcode=1
+- echo as_func_ret_failure succeeded.
+-fi
+-
+-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+- :
++as_fn_success || { exitcode=1; echo as_fn_success failed.; }
++as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
++as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
++as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
++if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
++
++else
++ exitcode=1; echo positional parameters were not saved.
++fi
++test x\$exitcode = x0 || exit 1"
++ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
++ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
++ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
++ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
++test \$(( 1 + 1 )) = 2 || exit 1"
++ if (eval "$as_required") 2>/dev/null; then :
++ as_have_required=yes
+ else
+- exitcode=1
+- echo positional parameters were not saved.
++ as_have_required=no
+ fi
++ if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
+
+-test \$exitcode = 0) || { (exit 1); exit 1; }
+-
+-(
+- as_lineno_1=\$LINENO
+- as_lineno_2=\$LINENO
+- test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+- test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+-") 2> /dev/null; then
+- :
+ else
+- as_candidate_shells=
+- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++as_found=false
+ for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- case $as_dir in
++ as_found=:
++ case $as_dir in #(
+ /*)
+ for as_base in sh bash ksh sh5; do
+- as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
++ # Try only shells that exist, to save several forks.
++ as_shell=$as_dir/$as_base
++ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
++ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
++ CONFIG_SHELL=$as_shell as_have_required=yes
++ if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
++ break 2
++fi
++fi
+ done;;
+ esac
++ as_found=false
+ done
++$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
++ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
++ CONFIG_SHELL=$SHELL as_have_required=yes
++fi; }
+ IFS=$as_save_IFS
+
+
+- for as_shell in $as_candidate_shells $SHELL; do
+- # Try only shells that exist, to save several forks.
+- if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+- { ("$as_shell") 2> /dev/null <<\_ASEOF
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+- emulate sh
+- NULLCMD=:
+- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+- # is contrary to our usage. Disable this feature.
+- alias -g '${1+"$@"}'='"$@"'
+- setopt NO_GLOB_SUBST
+-else
+- case `(set -o) 2>/dev/null` in
+- *posix*) set -o posix ;;
+-esac
+-
++ if test "x$CONFIG_SHELL" != x; then :
++ # We cannot yet assume a decent shell, so we have to provide a
++ # neutralization value for shells without unset; and this also
++ # works around shells that cannot unset nonexistent variables.
++ BASH_ENV=/dev/null
++ ENV=/dev/null
++ (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
++ export CONFIG_SHELL
++ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
++fi
++
++ if test x$as_have_required = xno; then :
++ $as_echo "$0: This script requires a shell more modern than all"
++ $as_echo "$0: the shells that I found on your system."
++ if test x${ZSH_VERSION+set} = xset ; then
++ $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
++ $as_echo "$0: be upgraded to zsh 4.3.4 or later."
++ else
++ $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
++$0: including any error possibly output before this
++$0: message. Then install a modern shell, or manually run
++$0: the script under such a shell if you do have one."
++ fi
++ exit 1
+ fi
+-
+-
+-:
+-_ASEOF
+-}; then
+- CONFIG_SHELL=$as_shell
+- as_have_required=yes
+- if { "$as_shell" 2> /dev/null <<\_ASEOF
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+- emulate sh
+- NULLCMD=:
+- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+- # is contrary to our usage. Disable this feature.
+- alias -g '${1+"$@"}'='"$@"'
+- setopt NO_GLOB_SUBST
+-else
+- case `(set -o) 2>/dev/null` in
+- *posix*) set -o posix ;;
+-esac
+-
+ fi
++fi
++SHELL=${CONFIG_SHELL-/bin/sh}
++export SHELL
++# Unset more variables known to interfere with behavior of common tools.
++CLICOLOR_FORCE= GREP_OPTIONS=
++unset CLICOLOR_FORCE GREP_OPTIONS
+
+-
+-:
+-(as_func_return () {
+- (exit $1)
+-}
+-as_func_success () {
+- as_func_return 0
+-}
+-as_func_failure () {
+- as_func_return 1
+-}
+-as_func_ret_success () {
+- return 0
+-}
+-as_func_ret_failure () {
+- return 1
++## --------------------- ##
++## M4sh Shell Functions. ##
++## --------------------- ##
++# as_fn_unset VAR
++# ---------------
++# Portably unset VAR.
++as_fn_unset ()
++{
++ { eval $1=; unset $1;}
+ }
++as_unset=as_fn_unset
+
+-exitcode=0
+-if as_func_success; then
+- :
+-else
+- exitcode=1
+- echo as_func_success failed.
+-fi
++# as_fn_set_status STATUS
++# -----------------------
++# Set $? to STATUS, without forking.
++as_fn_set_status ()
++{
++ return $1
++} # as_fn_set_status
+
+-if as_func_failure; then
+- exitcode=1
+- echo as_func_failure succeeded.
+-fi
++# as_fn_exit STATUS
++# -----------------
++# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
++as_fn_exit ()
++{
++ set +e
++ as_fn_set_status $1
++ exit $1
++} # as_fn_exit
++
++# as_fn_mkdir_p
++# -------------
++# Create "$as_dir" as a directory, including parents if necessary.
++as_fn_mkdir_p ()
++{
+
+-if as_func_ret_success; then
+- :
+-else
+- exitcode=1
+- echo as_func_ret_success failed.
+-fi
++ case $as_dir in #(
++ -*) as_dir=./$as_dir;;
++ esac
++ test -d "$as_dir" || eval $as_mkdir_p || {
++ as_dirs=
++ while :; do
++ case $as_dir in #(
++ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
++ *) as_qdir=$as_dir;;
++ esac
++ as_dirs="'$as_qdir' $as_dirs"
++ as_dir=`$as_dirname -- "$as_dir" ||
++$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++ X"$as_dir" : 'X\(//\)[^/]' \| \
++ X"$as_dir" : 'X\(//\)$' \| \
++ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_dir" |
++ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
++ s//\1/
++ q
++ }
++ /^X\(\/\/\)[^/].*/{
++ s//\1/
++ q
++ }
++ /^X\(\/\/\)$/{
++ s//\1/
++ q
++ }
++ /^X\(\/\).*/{
++ s//\1/
++ q
++ }
++ s/.*/./; q'`
++ test -d "$as_dir" && break
++ done
++ test -z "$as_dirs" || eval "mkdir $as_dirs"
++ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+
+-if as_func_ret_failure; then
+- exitcode=1
+- echo as_func_ret_failure succeeded.
+-fi
+
+-if ( set x; as_func_ret_success y && test x = "$1" ); then
+- :
++} # as_fn_mkdir_p
++# as_fn_append VAR VALUE
++# ----------------------
++# Append the text in VALUE to the end of the definition contained in VAR. Take
++# advantage of any shell optimizations that allow amortized linear growth over
++# repeated appends, instead of the typical quadratic growth present in naive
++# implementations.
++if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
++ eval 'as_fn_append ()
++ {
++ eval $1+=\$2
++ }'
+ else
+- exitcode=1
+- echo positional parameters were not saved.
+-fi
+-
+-test $exitcode = 0) || { (exit 1); exit 1; }
+-
+-(
+- as_lineno_1=$LINENO
+- as_lineno_2=$LINENO
+- test "x$as_lineno_1" != "x$as_lineno_2" &&
+- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+-
+-_ASEOF
+-}; then
+- break
+-fi
+-
+-fi
+-
+- done
+-
+- if test "x$CONFIG_SHELL" != x; then
+- for as_var in BASH_ENV ENV
+- do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+- done
+- export CONFIG_SHELL
+- exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+-fi
+-
+-
+- if test $as_have_required = no; then
+- echo This script requires a shell more modern than all the
+- echo shells that I found on your system. Please install a
+- echo modern shell, or manually run the script under such a
+- echo shell if you do have one.
+- { (exit 1); exit 1; }
+-fi
+-
+-
+-fi
+-
+-fi
+-
++ as_fn_append ()
++ {
++ eval $1=\$$1\$2
++ }
++fi # as_fn_append
++
++# as_fn_arith ARG...
++# ------------------
++# Perform arithmetic evaluation on the ARGs, and store the result in the
++# global $as_val. Take advantage of shells that can avoid forks. The arguments
++# must be portable across $(()) and expr.
++if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
++ eval 'as_fn_arith ()
++ {
++ as_val=$(( $* ))
++ }'
++else
++ as_fn_arith ()
++ {
++ as_val=`expr "$@" || test $? -eq 1`
++ }
++fi # as_fn_arith
+
+
+-(eval "as_func_return () {
+- (exit \$1)
+-}
+-as_func_success () {
+- as_func_return 0
+-}
+-as_func_failure () {
+- as_func_return 1
+-}
+-as_func_ret_success () {
+- return 0
+-}
+-as_func_ret_failure () {
+- return 1
+-}
++# as_fn_error STATUS ERROR [LINENO LOG_FD]
++# ----------------------------------------
++# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
++# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
++# script with STATUS, using 1 if that was 0.
++as_fn_error ()
++{
++ as_status=$1; test $as_status -eq 0 && as_status=1
++ if test "$4"; then
++ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
++ fi
++ $as_echo "$as_me: error: $2" >&2
++ as_fn_exit $as_status
++} # as_fn_error
+
+-exitcode=0
+-if as_func_success; then
+- :
++if expr a : '\(a\)' >/dev/null 2>&1 &&
++ test "X`expr 00001 : '.*\(...\)'`" = X001; then
++ as_expr=expr
+ else
+- exitcode=1
+- echo as_func_success failed.
+-fi
+-
+-if as_func_failure; then
+- exitcode=1
+- echo as_func_failure succeeded.
++ as_expr=false
+ fi
+
+-if as_func_ret_success; then
+- :
++if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
++ as_basename=basename
+ else
+- exitcode=1
+- echo as_func_ret_success failed.
+-fi
+-
+-if as_func_ret_failure; then
+- exitcode=1
+- echo as_func_ret_failure succeeded.
++ as_basename=false
+ fi
+
+-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+- :
++if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
++ as_dirname=dirname
+ else
+- exitcode=1
+- echo positional parameters were not saved.
++ as_dirname=false
+ fi
+
+-test \$exitcode = 0") || {
+- echo No shell found that supports shell functions.
+- echo Please tell autoconf@gnu.org about your system,
+- echo including any error possibly output before this
+- echo message
+-}
++as_me=`$as_basename -- "$0" ||
++$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
++ X"$0" : 'X\(//\)$' \| \
++ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X/"$0" |
++ sed '/^.*\/\([^/][^/]*\)\/*$/{
++ s//\1/
++ q
++ }
++ /^X\/\(\/\/\)$/{
++ s//\1/
++ q
++ }
++ /^X\/\(\/\).*/{
++ s//\1/
++ q
++ }
++ s/.*/./; q'`
+
++# Avoid depending upon Character Ranges.
++as_cr_letters='abcdefghijklmnopqrstuvwxyz'
++as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
++as_cr_Letters=$as_cr_letters$as_cr_LETTERS
++as_cr_digits='0123456789'
++as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+
+- as_lineno_1=$LINENO
+- as_lineno_2=$LINENO
+- test "x$as_lineno_1" != "x$as_lineno_2" &&
+- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+-
+- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+- # uniformly replaced by the line number. The first 'sed' inserts a
+- # line-number line after each line using $LINENO; the second 'sed'
+- # does the real work. The second script uses 'N' to pair each
+- # line-number line with the line containing $LINENO, and appends
+- # trailing '-' during substitution so that $LINENO is not a special
+- # case at line end.
+- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+- # scripts with optimization help from Paolo Bonzini. Blame Lee
+- # E. McMahon (1931-1989) for sed's syntax. :-)
++ as_lineno_1=$LINENO as_lineno_1a=$LINENO
++ as_lineno_2=$LINENO as_lineno_2a=$LINENO
++ eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
++ test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
++ # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+@@ -452,8 +440,7 @@
+ s/-\n.*//
+ ' >$as_me.lineno &&
+ chmod +x "$as_me.lineno" ||
+- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+- { (exit 1); exit 1; }; }
++ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+@@ -463,49 +450,40 @@
+ exit
+ }
+
+-
+-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+- as_dirname=dirname
+-else
+- as_dirname=false
+-fi
+-
+ ECHO_C= ECHO_N= ECHO_T=
+-case `echo -n x` in
++case `echo -n x` in #(((((
+ -n*)
+- case `echo 'x\c'` in
++ case `echo 'xy\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+- *) ECHO_C='\c';;
++ xy) ECHO_C='\c';;
++ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
++ ECHO_T=' ';;
+ esac;;
+ *)
+ ECHO_N='-n';;
+ esac
+
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+- test "X`expr 00001 : '.*\(...\)'`" = X001; then
+- as_expr=expr
+-else
+- as_expr=false
+-fi
+-
+ rm -f conf$$ conf$$.exe conf$$.file
+ if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+ else
+ rm -f conf$$.dir
+- mkdir conf$$.dir
++ mkdir conf$$.dir 2>/dev/null
+ fi
+-echo >conf$$.file
+-if ln -s conf$$.file conf$$ 2>/dev/null; then
+- as_ln_s='ln -s'
+- # ... but there are two gotchas:
+- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+- # In both cases, we have to default to `cp -p'.
+- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++if (echo >conf$$.file) 2>/dev/null; then
++ if ln -s conf$$.file conf$$ 2>/dev/null; then
++ as_ln_s='ln -s'
++ # ... but there are two gotchas:
++ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
++ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
++ # In both cases, we have to default to `cp -p'.
++ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++ as_ln_s='cp -p'
++ elif ln conf$$.file conf$$ 2>/dev/null; then
++ as_ln_s=ln
++ else
+ as_ln_s='cp -p'
+-elif ln conf$$.file conf$$ 2>/dev/null; then
+- as_ln_s=ln
++ fi
+ else
+ as_ln_s='cp -p'
+ fi
+@@ -513,7 +491,7 @@
+ rmdir conf$$.dir 2>/dev/null
+
+ if mkdir -p . 2>/dev/null; then
+- as_mkdir_p=:
++ as_mkdir_p='mkdir -p "$as_dir"'
+ else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+@@ -530,12 +508,12 @@
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+- test -d "$1/.";
++ test -d "$1/.";
+ else
+- case $1 in
+- -*)set "./$1";;
++ case $1 in #(
++ -*)set "./$1";;
+ esac;
+- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
++ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+@@ -549,11 +527,11 @@
+ as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+-
+-exec 7<&0 </dev/null 6>&1
++test -n "$DJDIR" || exec 7<&0 </dev/null
++exec 6>&1
+
+ # Name of the host.
+-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
++# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
+ # so uname gets run too.
+ ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+@@ -568,7 +546,6 @@
+ subdirs=
+ MFLAGS=
+ MAKEFLAGS=
+-SHELL=${CONFIG_SHELL-/bin/sh}
+
+ # Identity of this package.
+ PACKAGE_NAME=
+@@ -576,58 +553,102 @@
+ PACKAGE_VERSION=
+ PACKAGE_STRING=
+ PACKAGE_BUGREPORT=
++PACKAGE_URL=
+
+ ac_unique_file="rlm_eap_tnc.c"
+-ac_subst_vars='SHELL
+-PATH_SEPARATOR
+-PACKAGE_NAME
+-PACKAGE_TARNAME
+-PACKAGE_VERSION
+-PACKAGE_STRING
+-PACKAGE_BUGREPORT
+-exec_prefix
+-prefix
+-program_transform_name
+-bindir
+-sbindir
+-libexecdir
+-datarootdir
+-datadir
+-sysconfdir
+-sharedstatedir
+-localstatedir
+-includedir
+-oldincludedir
+-docdir
+-infodir
+-htmldir
+-dvidir
+-pdfdir
+-psdir
+-libdir
+-localedir
+-mandir
+-DEFS
+-ECHO_C
+-ECHO_N
+-ECHO_T
+-LIBS
+-build_alias
+-host_alias
+-target_alias
+-CC
+-CFLAGS
+-LDFLAGS
+-CPPFLAGS
+-ac_ct_CC
+-EXEEXT
+-OBJEXT
+-eap_tnc_cflags
+-eap_tnc_ldflags
+-targetname
++# Factoring default headers for most tests.
++ac_includes_default="\
++#include <stdio.h>
++#ifdef HAVE_SYS_TYPES_H
++# include <sys/types.h>
++#endif
++#ifdef HAVE_SYS_STAT_H
++# include <sys/stat.h>
++#endif
++#ifdef STDC_HEADERS
++# include <stdlib.h>
++# include <stddef.h>
++#else
++# ifdef HAVE_STDLIB_H
++# include <stdlib.h>
++# endif
++#endif
++#ifdef HAVE_STRING_H
++# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
++# include <memory.h>
++# endif
++# include <string.h>
++#endif
++#ifdef HAVE_STRINGS_H
++# include <strings.h>
++#endif
++#ifdef HAVE_INTTYPES_H
++# include <inttypes.h>
++#endif
++#ifdef HAVE_STDINT_H
++# include <stdint.h>
++#endif
++#ifdef HAVE_UNISTD_H
++# include <unistd.h>
++#endif"
++
++ac_subst_vars='LTLIBOBJS
+ LIBOBJS
+-LTLIBOBJS'
++targetname
++eap_tnc_ldflags
++eap_tnc_cflags
++EGREP
++GREP
++CPP
++OBJEXT
++EXEEXT
++ac_ct_CC
++CPPFLAGS
++LDFLAGS
++CFLAGS
++CC
++target_alias
++host_alias
++build_alias
++LIBS
++ECHO_T
++ECHO_N
++ECHO_C
++DEFS
++mandir
++localedir
++libdir
++psdir
++pdfdir
++dvidir
++htmldir
++infodir
++docdir
++oldincludedir
++includedir
++localstatedir
++sharedstatedir
++sysconfdir
++datadir
++datarootdir
++libexecdir
++sbindir
++bindir
++program_transform_name
++prefix
++exec_prefix
++PACKAGE_URL
++PACKAGE_BUGREPORT
++PACKAGE_STRING
++PACKAGE_VERSION
++PACKAGE_TARNAME
++PACKAGE_NAME
++PATH_SEPARATOR
++SHELL'
+ ac_subst_files=''
++ac_user_opts='
++enable_option_checking
++'
+ ac_precious_vars='build_alias
+ host_alias
+ target_alias
+@@ -635,12 +656,15 @@
+ CFLAGS
+ LDFLAGS
+ LIBS
+-CPPFLAGS'
++CPPFLAGS
++CPP'
+
+
+ # Initialize some variables set by options.
+ ac_init_help=
+ ac_init_version=false
++ac_unrecognized_opts=
++ac_unrecognized_sep=
+ # The variables have the same names as the options, with
+ # dashes changed to underlines.
+ cache_file=/dev/null
+@@ -696,8 +720,9 @@
+ fi
+
+ case $ac_option in
+- *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+- *) ac_optarg=yes ;;
++ *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
++ *=) ac_optarg= ;;
++ *) ac_optarg=yes ;;
+ esac
+
+ # Accept the important Cygnus configure options, so we can diagnose typos.
+@@ -739,13 +764,20 @@
+ datarootdir=$ac_optarg ;;
+
+ -disable-* | --disable-*)
+- ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
++ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+- { (exit 1); exit 1; }; }
+- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+- eval enable_$ac_feature=no ;;
++ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++ as_fn_error $? "invalid feature name: $ac_useropt"
++ ac_useropt_orig=$ac_useropt
++ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++ case $ac_user_opts in
++ *"
++"enable_$ac_useropt"
++"*) ;;
++ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
++ ac_unrecognized_sep=', ';;
++ esac
++ eval enable_$ac_useropt=no ;;
+
+ -docdir | --docdir | --docdi | --doc | --do)
+ ac_prev=docdir ;;
+@@ -758,13 +790,20 @@
+ dvidir=$ac_optarg ;;
+
+ -enable-* | --enable-*)
+- ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
++ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+- { (exit 1); exit 1; }; }
+- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+- eval enable_$ac_feature=\$ac_optarg ;;
++ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++ as_fn_error $? "invalid feature name: $ac_useropt"
++ ac_useropt_orig=$ac_useropt
++ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++ case $ac_user_opts in
++ *"
++"enable_$ac_useropt"
++"*) ;;
++ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
++ ac_unrecognized_sep=', ';;
++ esac
++ eval enable_$ac_useropt=\$ac_optarg ;;
+
+ -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+@@ -955,22 +994,36 @@
+ ac_init_version=: ;;
+
+ -with-* | --with-*)
+- ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
++ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+- { echo "$as_me: error: invalid package name: $ac_package" >&2
+- { (exit 1); exit 1; }; }
+- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+- eval with_$ac_package=\$ac_optarg ;;
++ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++ as_fn_error $? "invalid package name: $ac_useropt"
++ ac_useropt_orig=$ac_useropt
++ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++ case $ac_user_opts in
++ *"
++"with_$ac_useropt"
++"*) ;;
++ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
++ ac_unrecognized_sep=', ';;
++ esac
++ eval with_$ac_useropt=\$ac_optarg ;;
+
+ -without-* | --without-*)
+- ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
++ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+- { echo "$as_me: error: invalid package name: $ac_package" >&2
+- { (exit 1); exit 1; }; }
+- ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+- eval with_$ac_package=no ;;
++ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++ as_fn_error $? "invalid package name: $ac_useropt"
++ ac_useropt_orig=$ac_useropt
++ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++ case $ac_user_opts in
++ *"
++"with_$ac_useropt"
++"*) ;;
++ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
++ ac_unrecognized_sep=', ';;
++ esac
++ eval with_$ac_useropt=no ;;
+
+ --x)
+ # Obsolete; use --with-x.
+@@ -990,25 +1043,25 @@
+ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+ x_libraries=$ac_optarg ;;
+
+- -*) { echo "$as_me: error: unrecognized option: $ac_option
+-Try \`$0 --help' for more information." >&2
+- { (exit 1); exit 1; }; }
++ -*) as_fn_error $? "unrecognized option: \`$ac_option'
++Try \`$0 --help' for more information"
+ ;;
+
+ *=*)
+ ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+ # Reject names that are not valid shell variable names.
+- expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+- { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+- { (exit 1); exit 1; }; }
++ case $ac_envvar in #(
++ '' | [0-9]* | *[!_$as_cr_alnum]* )
++ as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
++ esac
+ eval $ac_envvar=\$ac_optarg
+ export $ac_envvar ;;
+
+ *)
+ # FIXME: should be removed in autoconf 3.0.
+- echo "$as_me: WARNING: you should use --build, --host, --target" >&2
++ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+ expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+- echo "$as_me: WARNING: invalid host type: $ac_option" >&2
++ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+ : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+ ;;
+
+@@ -1017,23 +1070,36 @@
+
+ if test -n "$ac_prev"; then
+ ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+- { echo "$as_me: error: missing argument to $ac_option" >&2
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "missing argument to $ac_option"
++fi
++
++if test -n "$ac_unrecognized_opts"; then
++ case $enable_option_checking in
++ no) ;;
++ fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
++ *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
++ esac
+ fi
+
+-# Be sure to have absolute directory names.
++# Check all directory arguments for consistency.
+ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ libdir localedir mandir
+ do
+ eval ac_val=\$$ac_var
++ # Remove trailing slashes.
++ case $ac_val in
++ */ )
++ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
++ eval $ac_var=\$ac_val;;
++ esac
++ # Be sure to have absolute directory names.
+ case $ac_val in
+ [\\/$]* | ?:[\\/]* ) continue;;
+ NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+ esac
+- { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
+ done
+
+ # There might be people who depend on the old broken behavior: `$host'
+@@ -1047,8 +1113,8 @@
+ if test "x$host_alias" != x; then
+ if test "x$build_alias" = x; then
+ cross_compiling=maybe
+- echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+- If a cross compiler is detected then cross compile mode will be used." >&2
++ $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
++ If a cross compiler is detected then cross compile mode will be used" >&2
+ elif test "x$build_alias" != "x$host_alias"; then
+ cross_compiling=yes
+ fi
+@@ -1063,23 +1129,21 @@
+ ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ ac_ls_di=`ls -di .` &&
+ ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+- { echo "$as_me: error: Working directory cannot be determined" >&2
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "working directory cannot be determined"
+ test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+- { echo "$as_me: error: pwd does not report name of working directory" >&2
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "pwd does not report name of working directory"
+
+
+ # Find the source files, if location was not specified.
+ if test -z "$srcdir"; then
+ ac_srcdir_defaulted=yes
+ # Try the directory containing this script, then the parent directory.
+- ac_confdir=`$as_dirname -- "$0" ||
+-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+- X"$0" : 'X\(//\)[^/]' \| \
+- X"$0" : 'X\(//\)$' \| \
+- X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$0" |
++ ac_confdir=`$as_dirname -- "$as_myself" ||
++$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++ X"$as_myself" : 'X\(//\)[^/]' \| \
++ X"$as_myself" : 'X\(//\)$' \| \
++ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_myself" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+@@ -1106,13 +1170,11 @@
+ fi
+ if test ! -r "$srcdir/$ac_unique_file"; then
+ test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
+ fi
+ ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ ac_abs_confdir=`(
+- cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
+- { (exit 1); exit 1; }; }
++ cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
+ pwd)`
+ # When building in place, set srcdir=.
+ if test "$ac_abs_confdir" = "$ac_pwd"; then
+@@ -1152,7 +1214,7 @@
+ --help=short display options specific to this package
+ --help=recursive display the short help of all the included packages
+ -V, --version display version information and exit
+- -q, --quiet, --silent do not print \`checking...' messages
++ -q, --quiet, --silent do not print \`checking ...' messages
+ --cache-file=FILE cache test results in FILE [disabled]
+ -C, --config-cache alias for \`--cache-file=config.cache'
+ -n, --no-create do not create output files
+@@ -1160,9 +1222,9 @@
+
+ Installation directories:
+ --prefix=PREFIX install architecture-independent files in PREFIX
+- [$ac_default_prefix]
++ [$ac_default_prefix]
+ --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
+- [PREFIX]
++ [PREFIX]
+
+ By default, \`make install' will install all the files in
+ \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
+@@ -1172,25 +1234,25 @@
+ For better control, use the options below.
+
+ Fine tuning of the installation directories:
+- --bindir=DIR user executables [EPREFIX/bin]
+- --sbindir=DIR system admin executables [EPREFIX/sbin]
+- --libexecdir=DIR program executables [EPREFIX/libexec]
+- --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+- --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+- --libdir=DIR object code libraries [EPREFIX/lib]
+- --includedir=DIR C header files [PREFIX/include]
+- --oldincludedir=DIR C header files for non-gcc [/usr/include]
+- --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
+- --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
+- --infodir=DIR info documentation [DATAROOTDIR/info]
+- --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
+- --mandir=DIR man documentation [DATAROOTDIR/man]
+- --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
+- --htmldir=DIR html documentation [DOCDIR]
+- --dvidir=DIR dvi documentation [DOCDIR]
+- --pdfdir=DIR pdf documentation [DOCDIR]
+- --psdir=DIR ps documentation [DOCDIR]
++ --bindir=DIR user executables [EPREFIX/bin]
++ --sbindir=DIR system admin executables [EPREFIX/sbin]
++ --libexecdir=DIR program executables [EPREFIX/libexec]
++ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
++ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
++ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
++ --libdir=DIR object code libraries [EPREFIX/lib]
++ --includedir=DIR C header files [PREFIX/include]
++ --oldincludedir=DIR C header files for non-gcc [/usr/include]
++ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
++ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
++ --infodir=DIR info documentation [DATAROOTDIR/info]
++ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
++ --mandir=DIR man documentation [DATAROOTDIR/man]
++ --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
++ --htmldir=DIR html documentation [DOCDIR]
++ --dvidir=DIR dvi documentation [DOCDIR]
++ --pdfdir=DIR pdf documentation [DOCDIR]
++ --psdir=DIR ps documentation [DOCDIR]
+ _ACEOF
+
+ cat <<\_ACEOF
+@@ -1207,12 +1269,14 @@
+ LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
+ nonstandard directory <lib dir>
+ LIBS libraries to pass to the linker, e.g. -l<library>
+- CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
++ CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
+ you have headers in a nonstandard directory <include dir>
++ CPP C preprocessor
+
+ Use these variables to override the choices made by `configure' or to help
+ it to find libraries and programs with nonstandard names/locations.
+
++Report bugs to the package provider.
+ _ACEOF
+ ac_status=$?
+ fi
+@@ -1220,15 +1284,17 @@
+ if test "$ac_init_help" = "recursive"; then
+ # If there are subdirs, report their specific --help.
+ for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+- test -d "$ac_dir" || continue
++ test -d "$ac_dir" ||
++ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
++ continue
+ ac_builddir=.
+
+ case "$ac_dir" in
+ .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *)
+- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
++ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+ # A ".." for each directory in $ac_dir_suffix.
+- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
++ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+@@ -1264,7 +1330,7 @@
+ echo &&
+ $SHELL "$ac_srcdir/configure" --help=recursive
+ else
+- echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
++ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+ fi || ac_status=$?
+ cd "$ac_pwd" || { ac_status=$?; break; }
+ done
+@@ -1274,21 +1340,305 @@
+ if $ac_init_version; then
+ cat <<\_ACEOF
+ configure
+-generated by GNU Autoconf 2.61
++generated by GNU Autoconf 2.67
+
+-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
++Copyright (C) 2010 Free Software Foundation, Inc.
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+ _ACEOF
+ exit
+ fi
++
++## ------------------------ ##
++## Autoconf initialization. ##
++## ------------------------ ##
++
++# ac_fn_c_try_compile LINENO
++# --------------------------
++# Try to compile conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_compile ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ rm -f conftest.$ac_objext
++ if { { ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_compile") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ rm -f conftest.$ac_objext conftest$ac_exeext
++ if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ $as_test_x conftest$ac_exeext
++ }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++ # interfere with the next link command; also delete a directory that is
++ # left behind by Apple's compiler. We do this before executing the actions.
++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
++
++# ac_fn_c_try_cpp LINENO
++# ----------------------
++# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_cpp ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ if { { ac_try="$ac_cpp conftest.$ac_ext"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } > conftest.i && {
++ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_cpp
++
++# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
++# -------------------------------------------------------
++# Tests whether HEADER exists, giving a warning if it cannot be compiled using
++# the include files in INCLUDES and setting the cache variable VAR
++# accordingly.
++ac_fn_c_check_header_mongrel ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ if eval "test \"\${$3+set}\"" = set; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++ $as_echo_n "(cached) " >&6
++fi
++eval ac_res=\$$3
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++else
++ # Is the header compilable?
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
++$as_echo_n "checking $2 usability... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++$4
++#include <$2>
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++ ac_header_compiler=yes
++else
++ ac_header_compiler=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
++$as_echo "$ac_header_compiler" >&6; }
++
++# Is the header present?
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
++$as_echo_n "checking $2 presence... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <$2>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++ ac_header_preproc=yes
++else
++ ac_header_preproc=no
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
++$as_echo "$ac_header_preproc" >&6; }
++
++# So? What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
++ yes:no: )
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
++$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
++ ;;
++ no:yes:* )
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
++$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5
++$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
++$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5
++$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
++ ;;
++esac
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++ $as_echo_n "(cached) " >&6
++else
++ eval "$3=\$ac_header_compiler"
++fi
++eval ac_res=\$$3
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++fi
++ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++
++} # ac_fn_c_check_header_mongrel
++
++# ac_fn_c_try_run LINENO
++# ----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
++# that executables *can* be run.
++ac_fn_c_try_run ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
++ { { case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_try") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: program exited with status $ac_status" >&5
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=$ac_status
++fi
++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_run
++
++# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
++# -------------------------------------------------------
++# Tests whether HEADER exists and can be compiled using the include files in
++# INCLUDES, setting the cache variable VAR accordingly.
++ac_fn_c_check_header_compile ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++ $as_echo_n "(cached) " >&6
++else
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++$4
++#include <$2>
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++ eval "$3=yes"
++else
++ eval "$3=no"
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++eval ac_res=\$$3
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++
++} # ac_fn_c_check_header_compile
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+
+ It was created by $as_me, which was
+-generated by GNU Autoconf 2.61. Invocation command line was
++generated by GNU Autoconf 2.67. Invocation command line was
+
+ $ $0 $@
+
+@@ -1324,8 +1674,8 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- echo "PATH: $as_dir"
+-done
++ $as_echo "PATH: $as_dir"
++ done
+ IFS=$as_save_IFS
+
+ } >&5
+@@ -1359,12 +1709,12 @@
+ | -silent | --silent | --silen | --sile | --sil)
+ continue ;;
+ *\'*)
+- ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
++ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ case $ac_pass in
+- 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
++ 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
+ 2)
+- ac_configure_args1="$ac_configure_args1 '$ac_arg'"
++ as_fn_append ac_configure_args1 " '$ac_arg'"
+ if test $ac_must_keep_next = true; then
+ ac_must_keep_next=false # Got value, back to normal.
+ else
+@@ -1380,13 +1730,13 @@
+ -* ) ac_must_keep_next=true ;;
+ esac
+ fi
+- ac_configure_args="$ac_configure_args '$ac_arg'"
++ as_fn_append ac_configure_args " '$ac_arg'"
+ ;;
+ esac
+ done
+ done
+-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
++{ ac_configure_args0=; unset ac_configure_args0;}
++{ ac_configure_args1=; unset ac_configure_args1;}
+
+ # When interrupted or exit'd, cleanup temporary files, and complete
+ # config.log. We remove comments because anyway the quotes in there
+@@ -1398,11 +1748,9 @@
+ {
+ echo
+
+- cat <<\_ASBOX
+-## ---------------- ##
++ $as_echo "## ---------------- ##
+ ## Cache variables. ##
+-## ---------------- ##
+-_ASBOX
++## ---------------- ##"
+ echo
+ # The following way of writing the cache mishandles newlines in values,
+ (
+@@ -1411,12 +1759,13 @@
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
++ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
++$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+- *) $as_unset $ac_var ;;
++ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
++ *) { eval $ac_var=; unset $ac_var;} ;;
+ esac ;;
+ esac
+ done
+@@ -1435,128 +1784,136 @@
+ )
+ echo
+
+- cat <<\_ASBOX
+-## ----------------- ##
++ $as_echo "## ----------------- ##
+ ## Output variables. ##
+-## ----------------- ##
+-_ASBOX
++## ----------------- ##"
+ echo
+ for ac_var in $ac_subst_vars
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
++ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+- echo "$ac_var='\''$ac_val'\''"
++ $as_echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+
+ if test -n "$ac_subst_files"; then
+- cat <<\_ASBOX
+-## ------------------- ##
++ $as_echo "## ------------------- ##
+ ## File substitutions. ##
+-## ------------------- ##
+-_ASBOX
++## ------------------- ##"
+ echo
+ for ac_var in $ac_subst_files
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
++ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+- echo "$ac_var='\''$ac_val'\''"
++ $as_echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+ fi
+
+ if test -s confdefs.h; then
+- cat <<\_ASBOX
+-## ----------- ##
++ $as_echo "## ----------- ##
+ ## confdefs.h. ##
+-## ----------- ##
+-_ASBOX
++## ----------- ##"
+ echo
+ cat confdefs.h
+ echo
+ fi
+ test "$ac_signal" != 0 &&
+- echo "$as_me: caught signal $ac_signal"
+- echo "$as_me: exit $exit_status"
++ $as_echo "$as_me: caught signal $ac_signal"
++ $as_echo "$as_me: exit $exit_status"
+ } >&5
+ rm -f core *.core core.conftest.* &&
+ rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+ exit $exit_status
+ ' 0
+ for ac_signal in 1 2 13 15; do
+- trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
++ trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
+ done
+ ac_signal=0
+
+ # confdefs.h avoids OS command line length limits that DEFS can exceed.
+ rm -f -r conftest* confdefs.h
+
++$as_echo "/* confdefs.h */" > confdefs.h
++
+ # Predefined preprocessor variables.
+
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_NAME "$PACKAGE_NAME"
+ _ACEOF
+
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+ _ACEOF
+
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_VERSION "$PACKAGE_VERSION"
+ _ACEOF
+
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_STRING "$PACKAGE_STRING"
+ _ACEOF
+
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+ _ACEOF
+
++cat >>confdefs.h <<_ACEOF
++#define PACKAGE_URL "$PACKAGE_URL"
++_ACEOF
++
+
+ # Let the site file select an alternate cache file if it wants to.
+-# Prefer explicitly selected file to automatically selected ones.
++# Prefer an explicitly selected file to automatically selected ones.
++ac_site_file1=NONE
++ac_site_file2=NONE
+ if test -n "$CONFIG_SITE"; then
+- set x "$CONFIG_SITE"
++ # We do not want a PATH search for config.site.
++ case $CONFIG_SITE in #((
++ -*) ac_site_file1=./$CONFIG_SITE;;
++ */*) ac_site_file1=$CONFIG_SITE;;
++ *) ac_site_file1=./$CONFIG_SITE;;
++ esac
+ elif test "x$prefix" != xNONE; then
+- set x "$prefix/share/config.site" "$prefix/etc/config.site"
++ ac_site_file1=$prefix/share/config.site
++ ac_site_file2=$prefix/etc/config.site
+ else
+- set x "$ac_default_prefix/share/config.site" \
+- "$ac_default_prefix/etc/config.site"
++ ac_site_file1=$ac_default_prefix/share/config.site
++ ac_site_file2=$ac_default_prefix/etc/config.site
+ fi
+-shift
+-for ac_site_file
++for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+ do
+- if test -r "$ac_site_file"; then
+- { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+-echo "$as_me: loading site script $ac_site_file" >&6;}
++ test "x$ac_site_file" = xNONE && continue
++ if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
++$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+ sed 's/^/| /' "$ac_site_file" >&5
+- . "$ac_site_file"
++ . "$ac_site_file" \
++ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "failed to load site script $ac_site_file
++See \`config.log' for more details" "$LINENO" 5 ; }
+ fi
+ done
+
+ if test -r "$cache_file"; then
+- # Some versions of bash will fail to source /dev/null (special
+- # files actually), so we avoid doing that.
+- if test -f "$cache_file"; then
+- { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+-echo "$as_me: loading cache $cache_file" >&6;}
++ # Some versions of bash will fail to source /dev/null (special files
++ # actually), so we avoid doing that. DJGPP emulates it as a regular file.
++ if test /dev/null != "$cache_file" && test -f "$cache_file"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
++$as_echo "$as_me: loading cache $cache_file" >&6;}
+ case $cache_file in
+ [\\/]* | ?:[\\/]* ) . "$cache_file";;
+ *) . "./$cache_file";;
+ esac
+ fi
+ else
+- { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+-echo "$as_me: creating cache $cache_file" >&6;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
++$as_echo "$as_me: creating cache $cache_file" >&6;}
+ >$cache_file
+ fi
+
+@@ -1570,60 +1927,56 @@
+ eval ac_new_val=\$ac_env_${ac_var}_value
+ case $ac_old_set,$ac_new_set in
+ set,)
+- { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
++$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,set)
+- { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
++$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,);;
+ *)
+ if test "x$ac_old_val" != "x$ac_new_val"; then
+- { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+- { echo "$as_me:$LINENO: former value: $ac_old_val" >&5
+-echo "$as_me: former value: $ac_old_val" >&2;}
+- { echo "$as_me:$LINENO: current value: $ac_new_val" >&5
+-echo "$as_me: current value: $ac_new_val" >&2;}
+- ac_cache_corrupted=:
++ # differences in whitespace do not lead to failure.
++ ac_old_val_w=`echo x $ac_old_val`
++ ac_new_val_w=`echo x $ac_new_val`
++ if test "$ac_old_val_w" != "$ac_new_val_w"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
++$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
++ ac_cache_corrupted=:
++ else
++ { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
++$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
++ eval $ac_var=\$ac_old_val
++ fi
++ { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5
++$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5
++$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
+ fi;;
+ esac
+ # Pass precious variables to config.status.
+ if test "$ac_new_set" = set; then
+ case $ac_new_val in
+- *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
++ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+ *) ac_arg=$ac_var=$ac_new_val ;;
+ esac
+ case " $ac_configure_args " in
+ *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
+- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
++ *) as_fn_append ac_configure_args " '$ac_arg'" ;;
+ esac
+ fi
+ done
+ if $ac_cache_corrupted; then
+- { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+- { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+- { (exit 1); exit 1; }; }
+-fi
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
++ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
++$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
++ as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
++fi
++## -------------------- ##
++## Main body of script. ##
++## -------------------- ##
+
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+@@ -1635,6 +1988,9 @@
+
+
+
++eap_tnc_cflags=
++eap_tnc_ldflags=-lnaaeap
++
+ if test x$with_rlm_eap_tnc != xno; then
+
+ ac_ext=c
+@@ -1645,10 +2001,10 @@
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+ set dummy ${ac_tool_prefix}gcc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1658,25 +2014,25 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+ done
+-done
++ done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+- { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+- { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+
+
+@@ -1685,10 +2041,10 @@
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+ set dummy gcc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+@@ -1698,25 +2054,25 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="gcc"
+- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+ done
+-done
++ done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ ac_ct_CC=$ac_cv_prog_ac_ct_CC
+ if test -n "$ac_ct_CC"; then
+- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+-echo "${ECHO_T}$ac_ct_CC" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
++$as_echo "$ac_ct_CC" >&6; }
+ else
+- { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+
+ if test "x$ac_ct_CC" = x; then
+@@ -1724,12 +2080,8 @@
+ else
+ case $cross_compiling:$ac_tool_warned in
+ yes:)
+-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet. If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&5
+-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet. If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ ac_tool_warned=yes ;;
+ esac
+ CC=$ac_ct_CC
+@@ -1742,10 +2094,10 @@
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+ set dummy ${ac_tool_prefix}cc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1755,25 +2107,25 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+ done
+-done
++ done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+- { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+- { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+
+
+@@ -1782,10 +2134,10 @@
+ if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+ set dummy cc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1796,18 +2148,18 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+ done
+-done
++ done
+ IFS=$as_save_IFS
+
+ if test $ac_prog_rejected = yes; then
+@@ -1826,11 +2178,11 @@
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+- { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+- { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+
+
+@@ -1841,10 +2193,10 @@
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+ set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1854,25 +2206,25 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+ done
+-done
++ done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+- { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+- { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+
+
+@@ -1885,10 +2237,10 @@
+ do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+@@ -1898,25 +2250,25 @@
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+ done
+-done
++ done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ ac_ct_CC=$ac_cv_prog_ac_ct_CC
+ if test -n "$ac_ct_CC"; then
+- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+-echo "${ECHO_T}$ac_ct_CC" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
++$as_echo "$ac_ct_CC" >&6; }
+ else
+- { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+
+
+@@ -1928,12 +2280,8 @@
+ else
+ case $cross_compiling:$ac_tool_warned in
+ yes:)
+-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet. If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&5
+-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet. If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ ac_tool_warned=yes ;;
+ esac
+ CC=$ac_ct_CC
+@@ -1943,51 +2291,37 @@
+ fi
+
+
+-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: no acceptable C compiler found in \$PATH
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "no acceptable C compiler found in \$PATH
++See \`config.log' for more details" "$LINENO" 5 ; }
+
+ # Provide some information about the compiler.
+-echo "$as_me:$LINENO: checking for C compiler version" >&5
+-ac_compiler=`set X $ac_compile; echo $2`
+-{ (ac_try="$ac_compiler --version >&5"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compiler --version >&5") 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }
+-{ (ac_try="$ac_compiler -v >&5"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compiler -v >&5") 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }
+-{ (ac_try="$ac_compiler -V >&5"
++$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
++set X $ac_compile
++ac_compiler=$2
++for ac_option in --version -v -V -qversion; do
++ { { ac_try="$ac_compiler $ac_option >&5"
+ case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compiler -V >&5") 2>&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_compiler $ac_option >&5") 2>conftest.err
+ ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }
++ if test -s conftest.err; then
++ sed '10a\
++... rest of stderr output deleted ...
++ 10q' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ fi
++ rm -f conftest.er1 conftest.err
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }
++done
+
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+ int
+@@ -1999,42 +2333,38 @@
+ }
+ _ACEOF
+ ac_clean_files_save=$ac_clean_files
+-ac_clean_files="$ac_clean_files a.out a.exe b.out"
++ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+ # Try to create an executable without -o first, disregard a.out.
+ # It will help us diagnose broken compilers, and finding out an intuition
+ # of exeext.
+-{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
+-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+-#
+-# List of possible output files, starting from the most likely.
+-# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+-# only as a last resort. b.out is created by i960 compilers.
+-ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+-#
+-# The IRIX 6 linker writes into existing files which may not be
+-# executable, retaining their permissions. Remove them first so a
+-# subsequent execution test works.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
++$as_echo_n "checking whether the C compiler works... " >&6; }
++ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
++
++# The possible output files:
++ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
++
+ ac_rmfiles=
+ for ac_file in $ac_files
+ do
+ case $ac_file in
+- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
++ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+ * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+ esac
+ done
+ rm -f $ac_rmfiles
+
+-if { (ac_try="$ac_link_default"
++if { { ac_try="$ac_link_default"
+ case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link_default") 2>&5
+ ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; then
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then :
+ # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+ # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+ # in a Makefile. We should not override ac_cv_exeext if it was cached,
+@@ -2044,14 +2374,14 @@
+ do
+ test -f "$ac_file" || continue
+ case $ac_file in
+- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
++ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+ ;;
+ [ab].out )
+ # We found the default executable, but exeext='' is most
+ # certainly right.
+ break;;
+ *.* )
+- if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
++ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ then :; else
+ ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ fi
+@@ -2070,116 +2400,132 @@
+ else
+ ac_file=''
+ fi
+-
+-{ echo "$as_me:$LINENO: result: $ac_file" >&5
+-echo "${ECHO_T}$ac_file" >&6; }
+-if test -z "$ac_file"; then
+- echo "$as_me: failed program was:" >&5
++if test -z "$ac_file"; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++$as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+
+-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: C compiler cannot create executables
+-See \`config.log' for more details." >&2;}
+- { (exit 77); exit 77; }; }
+-fi
+-
++{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error 77 "C compiler cannot create executables
++See \`config.log' for more details" "$LINENO" 5 ; }
++else
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
++$as_echo_n "checking for C compiler default output file name... " >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
++$as_echo "$ac_file" >&6; }
+ ac_exeext=$ac_cv_exeext
+
++rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
++ac_clean_files=$ac_clean_files_save
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
++$as_echo_n "checking for suffix of executables... " >&6; }
++if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then :
++ # If both `conftest.exe' and `conftest' are `present' (well, observable)
++# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
++# work properly (i.e., refer to `conftest.exe'), while it won't with
++# `rm'.
++for ac_file in conftest.exe conftest conftest.*; do
++ test -f "$ac_file" || continue
++ case $ac_file in
++ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
++ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
++ break;;
++ * ) break;;
++ esac
++done
++else
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot compute suffix of executables: cannot compile and link
++See \`config.log' for more details" "$LINENO" 5 ; }
++fi
++rm -f conftest conftest$ac_cv_exeext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
++$as_echo "$ac_cv_exeext" >&6; }
++
++rm -f conftest.$ac_ext
++EXEEXT=$ac_cv_exeext
++ac_exeext=$EXEEXT
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <stdio.h>
++int
++main ()
++{
++FILE *f = fopen ("conftest.out", "w");
++ return ferror (f) || fclose (f) != 0;
++
++ ;
++ return 0;
++}
++_ACEOF
++ac_clean_files="$ac_clean_files conftest.out"
+ # Check that the compiler produces executables we can run. If not, either
+ # the compiler is broken, or we cross compile.
+-{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
+-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+-# If not cross compiling, check that we can run a simple program.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
++$as_echo_n "checking whether we are cross compiling... " >&6; }
+ if test "$cross_compiling" != yes; then
+- if { ac_try='./$ac_file'
+- { (case "(($ac_try" in
++ { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }
++ if { ac_try='./conftest$ac_cv_exeext'
++ { { case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; }; then
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; }; then
+ cross_compiling=no
+ else
+ if test "$cross_compiling" = maybe; then
+ cross_compiling=yes
+ else
+- { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+-If you meant to cross compile, use \`--host'.
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot run C compiled programs.
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot run C compiled programs.
+ If you meant to cross compile, use \`--host'.
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details" "$LINENO" 5 ; }
+ fi
+ fi
+ fi
+-{ echo "$as_me:$LINENO: result: yes" >&5
+-echo "${ECHO_T}yes" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
++$as_echo "$cross_compiling" >&6; }
+
+-rm -f a.out a.exe conftest$ac_cv_exeext b.out
++rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
+ ac_clean_files=$ac_clean_files_save
+-# Check that the compiler produces executables we can run. If not, either
+-# the compiler is broken, or we cross compile.
+-{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+-{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+-echo "${ECHO_T}$cross_compiling" >&6; }
+-
+-{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_link") 2>&5
+- ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; then
+- # If both `conftest.exe' and `conftest' are `present' (well, observable)
+-# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
+-# work properly (i.e., refer to `conftest.exe'), while it won't with
+-# `rm'.
+-for ac_file in conftest.exe conftest conftest.*; do
+- test -f "$ac_file" || continue
+- case $ac_file in
+- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+- break;;
+- * ) break;;
+- esac
+-done
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
++$as_echo_n "checking for suffix of object files... " >&6; }
++if test "${ac_cv_objext+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+- { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
+-fi
+-
+-rm -f conftest$ac_cv_exeext
+-{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+-echo "${ECHO_T}$ac_cv_exeext" >&6; }
+-
+-rm -f conftest.$ac_ext
+-EXEEXT=$ac_cv_exeext
+-ac_exeext=$EXEEXT
+-{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
+-if test "${ac_cv_objext+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+ int
+@@ -2191,51 +2537,46 @@
+ }
+ _ACEOF
+ rm -f conftest.o conftest.obj
+-if { (ac_try="$ac_compile"
++if { { ac_try="$ac_compile"
+ case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_compile") 2>&5
+ ac_status=$?
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); }; then
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then :
+ for ac_file in conftest.o conftest.obj conftest.*; do
+ test -f "$ac_file" || continue;
+ case $ac_file in
+- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
++ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+ *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+ break;;
+ esac
+ done
+ else
+- echo "$as_me: failed program was:" >&5
++ $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+
+-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot compute suffix of object files: cannot compile
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot compute suffix of object files: cannot compile
++See \`config.log' for more details" "$LINENO" 5 ; }
+ fi
+-
+ rm -f conftest.$ac_cv_objext conftest.$ac_ext
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+-echo "${ECHO_T}$ac_cv_objext" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
++$as_echo "$ac_cv_objext" >&6; }
+ OBJEXT=$ac_cv_objext
+ ac_objext=$OBJEXT
+-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+-if test "${ac_cv_c_compiler_gnu+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
++$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
++if test "${ac_cv_c_compiler_gnu+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+ int
+@@ -2249,54 +2590,34 @@
+ return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compile") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+ ac_compiler_gnu=yes
+ else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+- ac_compiler_gnu=no
++ ac_compiler_gnu=no
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+-GCC=`test $ac_compiler_gnu = yes && echo yes`
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
++$as_echo "$ac_cv_c_compiler_gnu" >&6; }
++if test $ac_compiler_gnu = yes; then
++ GCC=yes
++else
++ GCC=
++fi
+ ac_test_CFLAGS=${CFLAGS+set}
+ ac_save_CFLAGS=$CFLAGS
+-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_cc_g+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
++$as_echo_n "checking whether $CC accepts -g... " >&6; }
++if test "${ac_cv_prog_cc_g+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+ int
+@@ -2307,34 +2628,11 @@
+ return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compile") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_prog_cc_g=yes
+ else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+- CFLAGS=""
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++ CFLAGS=""
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+ int
+@@ -2345,35 +2643,12 @@
+ return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compile") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest.$ac_objext; then
+- :
+-else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
++if ac_fn_c_try_compile "$LINENO"; then :
+
+- ac_c_werror_flag=$ac_save_c_werror_flag
++else
++ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+- cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+ int
+@@ -2384,42 +2659,18 @@
+ return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compile") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_prog_cc_g=yes
+-else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
++$as_echo "$ac_cv_prog_cc_g" >&6; }
+ if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+ elif test $ac_cv_prog_cc_g = yes; then
+@@ -2435,18 +2686,14 @@
+ CFLAGS=
+ fi
+ fi
+-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_cc_c89+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
++$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
++if test "${ac_cv_prog_cc_c89+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ ac_cv_prog_cc_c89=no
+ ac_save_CC=$CC
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2503,31 +2750,9 @@
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+ do
+ CC="$ac_save_CC $ac_arg"
+- rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_compile") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest.$ac_objext; then
++ if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_prog_cc_c89=$ac_arg
+-else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
+ done
+@@ -2538,17 +2763,19 @@
+ # AC_CACHE_VAL
+ case "x$ac_cv_prog_cc_c89" in
+ x)
+- { echo "$as_me:$LINENO: result: none needed" >&5
+-echo "${ECHO_T}none needed" >&6; } ;;
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
++$as_echo "none needed" >&6; } ;;
+ xno)
+- { echo "$as_me:$LINENO: result: unsupported" >&5
+-echo "${ECHO_T}unsupported" >&6; } ;;
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
++$as_echo "unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+- { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
++$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+ esac
++if test "x$ac_cv_prog_cc_c89" != xno; then :
+
++fi
+
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+@@ -2557,81 +2784,474 @@
+ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+-
+-{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5
+-echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; }
+-if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5
++$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; }
++if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then :
++ $as_echo_n "(cached) " >&6
+ else
+ ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lTNCS $LIBS"
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h. */
++LIBS="-lnaaeap $LIBS"
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++
++/* Override any GCC internal prototype to avoid an error.
++ Use char because int might match the return type of a GCC
++ builtin and then its argument prototype would still apply. */
++#ifdef __cplusplus
++extern "C"
++#endif
++char processEAPTNCData ();
++int
++main ()
++{
++return processEAPTNCData ();
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++ ac_cv_lib_naaeap_processEAPTNCData=yes
++else
++ ac_cv_lib_naaeap_processEAPTNCData=no
++fi
++rm -f core conftest.err conftest.$ac_objext \
++ conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5
++$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; }
++if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then :
++ cat >>confdefs.h <<_ACEOF
++#define HAVE_LIBNAAEAP 1
++_ACEOF
++
++ LIBS="-lnaaeap $LIBS"
++
++else
++ fail="$fail -lnaaeap"
++fi
++
++ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5
++$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;}
++ fail="$fail -lNAAEAP"
++ fi
++
++ ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
++$as_echo_n "checking how to run the C preprocessor... " >&6; }
++# On Suns, sometimes $CPP names a directory.
++if test -n "$CPP" && test -d "$CPP"; then
++ CPP=
++fi
++if test -z "$CPP"; then
++ if test "${ac_cv_prog_CPP+set}" = set; then :
++ $as_echo_n "(cached) " >&6
++else
++ # Double quotes because CPP needs to be expanded
++ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
++ do
++ ac_preproc_ok=false
++for ac_c_preproc_warn_flag in '' yes
++do
++ # Use a header file that comes with gcc, so configuring glibc
++ # with a fresh cross-compiler works.
++ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++ # <limits.h> exists even on freestanding compilers.
++ # On the NeXT, cc -E runs the code through the compiler's parser,
++ # not just through cpp. "Syntax error" is here to catch this case.
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++ Syntax error
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++
++else
++ # Broken: fails on valid input.
++continue
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++ # OK, works on sane cases. Now check whether nonexistent headers
++ # can be detected and how.
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <ac_nonexistent.h>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++ # Broken: success on invalid input.
++continue
++else
++ # Passes both tests.
++ac_preproc_ok=:
++break
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++done
++# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
++rm -f conftest.i conftest.err conftest.$ac_ext
++if $ac_preproc_ok; then :
++ break
++fi
++
++ done
++ ac_cv_prog_CPP=$CPP
++
++fi
++ CPP=$ac_cv_prog_CPP
++else
++ ac_cv_prog_CPP=$CPP
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
++$as_echo "$CPP" >&6; }
++ac_preproc_ok=false
++for ac_c_preproc_warn_flag in '' yes
++do
++ # Use a header file that comes with gcc, so configuring glibc
++ # with a fresh cross-compiler works.
++ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++ # <limits.h> exists even on freestanding compilers.
++ # On the NeXT, cc -E runs the code through the compiler's parser,
++ # not just through cpp. "Syntax error" is here to catch this case.
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++ Syntax error
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++
++else
++ # Broken: fails on valid input.
++continue
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++ # OK, works on sane cases. Now check whether nonexistent headers
++ # can be detected and how.
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <ac_nonexistent.h>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++ # Broken: success on invalid input.
++continue
++else
++ # Passes both tests.
++ac_preproc_ok=:
++break
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++done
++# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
++rm -f conftest.i conftest.err conftest.$ac_ext
++if $ac_preproc_ok; then :
++
++else
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
++See \`config.log' for more details" "$LINENO" 5 ; }
++fi
++
++ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
++$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
++if test "${ac_cv_path_GREP+set}" = set; then :
++ $as_echo_n "(cached) " >&6
++else
++ if test -z "$GREP"; then
++ ac_path_GREP_found=false
++ # Loop through the user's path and test for each of PROGNAME-LIST
++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
++do
++ IFS=$as_save_IFS
++ test -z "$as_dir" && as_dir=.
++ for ac_prog in grep ggrep; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
++ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
++ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
++# Check for GNU ac_path_GREP and select it if it is found.
++ # Check for GNU $ac_path_GREP
++case `"$ac_path_GREP" --version 2>&1` in
++*GNU*)
++ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
++*)
++ ac_count=0
++ $as_echo_n 0123456789 >"conftest.in"
++ while :
++ do
++ cat "conftest.in" "conftest.in" >"conftest.tmp"
++ mv "conftest.tmp" "conftest.in"
++ cp "conftest.in" "conftest.nl"
++ $as_echo 'GREP' >> "conftest.nl"
++ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
++ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
++ as_fn_arith $ac_count + 1 && ac_count=$as_val
++ if test $ac_count -gt ${ac_path_GREP_max-0}; then
++ # Best one so far, save it but keep looking for a better one
++ ac_cv_path_GREP="$ac_path_GREP"
++ ac_path_GREP_max=$ac_count
++ fi
++ # 10*(2^10) chars as input seems more than enough
++ test $ac_count -gt 10 && break
++ done
++ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
++esac
++
++ $ac_path_GREP_found && break 3
++ done
++ done
++ done
++IFS=$as_save_IFS
++ if test -z "$ac_cv_path_GREP"; then
++ as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
++ fi
++else
++ ac_cv_path_GREP=$GREP
++fi
++
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
++$as_echo "$ac_cv_path_GREP" >&6; }
++ GREP="$ac_cv_path_GREP"
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
++$as_echo_n "checking for egrep... " >&6; }
++if test "${ac_cv_path_EGREP+set}" = set; then :
++ $as_echo_n "(cached) " >&6
++else
++ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
++ then ac_cv_path_EGREP="$GREP -E"
++ else
++ if test -z "$EGREP"; then
++ ac_path_EGREP_found=false
++ # Loop through the user's path and test for each of PROGNAME-LIST
++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
++do
++ IFS=$as_save_IFS
++ test -z "$as_dir" && as_dir=.
++ for ac_prog in egrep; do
++ for ac_exec_ext in '' $ac_executable_extensions; do
++ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
++ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
++# Check for GNU ac_path_EGREP and select it if it is found.
++ # Check for GNU $ac_path_EGREP
++case `"$ac_path_EGREP" --version 2>&1` in
++*GNU*)
++ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
++*)
++ ac_count=0
++ $as_echo_n 0123456789 >"conftest.in"
++ while :
++ do
++ cat "conftest.in" "conftest.in" >"conftest.tmp"
++ mv "conftest.tmp" "conftest.in"
++ cp "conftest.in" "conftest.nl"
++ $as_echo 'EGREP' >> "conftest.nl"
++ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
++ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
++ as_fn_arith $ac_count + 1 && ac_count=$as_val
++ if test $ac_count -gt ${ac_path_EGREP_max-0}; then
++ # Best one so far, save it but keep looking for a better one
++ ac_cv_path_EGREP="$ac_path_EGREP"
++ ac_path_EGREP_max=$ac_count
++ fi
++ # 10*(2^10) chars as input seems more than enough
++ test $ac_count -gt 10 && break
++ done
++ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
++esac
++
++ $ac_path_EGREP_found && break 3
++ done
++ done
++ done
++IFS=$as_save_IFS
++ if test -z "$ac_cv_path_EGREP"; then
++ as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
++ fi
++else
++ ac_cv_path_EGREP=$EGREP
++fi
++
++ fi
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
++$as_echo "$ac_cv_path_EGREP" >&6; }
++ EGREP="$ac_cv_path_EGREP"
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
++$as_echo_n "checking for ANSI C header files... " >&6; }
++if test "${ac_cv_header_stdc+set}" = set; then :
++ $as_echo_n "(cached) " >&6
++else
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <stdlib.h>
++#include <stdarg.h>
++#include <string.h>
++#include <float.h>
++
++int
++main ()
++{
++
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++ ac_cv_header_stdc=yes
++else
++ ac_cv_header_stdc=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++
++if test $ac_cv_header_stdc = yes; then
++ # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <string.h>
++
+ _ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++ $EGREP "memchr" >/dev/null 2>&1; then :
++
++else
++ ac_cv_header_stdc=no
++fi
++rm -f conftest*
++
++fi
++
++if test $ac_cv_header_stdc = yes; then
++ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <stdlib.h>
++
++_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++ $EGREP "free" >/dev/null 2>&1; then :
++
++else
++ ac_cv_header_stdc=no
++fi
++rm -f conftest*
++
++fi
++
++if test $ac_cv_header_stdc = yes; then
++ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
++ if test "$cross_compiling" = yes; then :
++ :
++else
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+-
+-/* Override any GCC internal prototype to avoid an error.
+- Use char because int might match the return type of a GCC
+- builtin and then its argument prototype would still apply. */
+-#ifdef __cplusplus
+-extern "C"
++#include <ctype.h>
++#include <stdlib.h>
++#if ((' ' & 0x0FF) == 0x020)
++# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
++# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
++#else
++# define ISLOWER(c) \
++ (('a' <= (c) && (c) <= 'i') \
++ || ('j' <= (c) && (c) <= 'r') \
++ || ('s' <= (c) && (c) <= 'z'))
++# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+ #endif
+-char exchangeTNCCSMessages ();
++
++#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+ int
+ main ()
+ {
+-return exchangeTNCCSMessages ();
+- ;
++ int i;
++ for (i = 0; i < 256; i++)
++ if (XOR (islower (i), ISLOWER (i))
++ || toupper (i) != TOUPPER (i))
++ return 2;
+ return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+- *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+- (eval "$ac_link") 2>conftest.er1
+- ac_status=$?
+- grep -v '^ *+' conftest.er1 >conftest.err
+- rm -f conftest.er1
+- cat conftest.err >&5
+- echo "$as_me:$LINENO: \$? = $ac_status" >&5
+- (exit $ac_status); } && {
+- test -z "$ac_c_werror_flag" ||
+- test ! -s conftest.err
+- } && test -s conftest$ac_exeext &&
+- $as_test_x conftest$ac_exeext; then
+- ac_cv_lib_TNCS_exchangeTNCCSMessages=yes
++if ac_fn_c_try_run "$LINENO"; then :
++
+ else
+- echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
++ ac_cv_header_stdc=no
++fi
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
++ conftest.$ac_objext conftest.beam conftest.$ac_ext
++fi
+
+- ac_cv_lib_TNCS_exchangeTNCCSMessages=no
+ fi
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
++$as_echo "$ac_cv_header_stdc" >&6; }
++if test $ac_cv_header_stdc = yes; then
++
++$as_echo "#define STDC_HEADERS 1" >>confdefs.h
+
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+- conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5
+-echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; }
+-if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then
++
++# On IRIX 5.3, sys/types and inttypes.h are conflicting.
++for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
++ inttypes.h stdint.h unistd.h
++do :
++ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
++ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
++"
++if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_LIBTNCS 1
++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ _ACEOF
+
+- LIBS="-lTNCS $LIBS"
++fi
++
++done
++
++
++for ac_header in naaeap/naaeap.h
++do :
++ ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default"
++if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then :
++ cat >>confdefs.h <<_ACEOF
++#define HAVE_NAAEAP_NAAEAP_H 1
++_ACEOF
+
++else
++ fail="$fail -Inaaeap.h"
+ fi
+
+- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
+- { echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5
+-echo "$as_me: WARNING: the TNCS library isn't found!" >&2;}
+- fail="$fail -lTNCS"
++done
++
++ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5
++$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;}
++ fail="$fail -Inaaeap.h"
+ fi
+
+ targetname=rlm_eap_tnc
+@@ -2642,14 +3262,12 @@
+
+ if test x"$fail" != x""; then
+ if test x"${enable_strict_dependencies}" = x"yes"; then
+- { { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5
+-echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;}
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5
+ else
+- { echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5
+-echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
+- { echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
+-echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5
++$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
++$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
+ targetname=""
+ fi
+ fi
+@@ -2658,11 +3276,7 @@
+
+
+
+-
+- unset ac_cv_env_LIBS_set
+- unset ac_cv_env_LIBS_value
+-
+- ac_config_files="$ac_config_files Makefile"
++ac_config_files="$ac_config_files Makefile"
+
+ cat >confcache <<\_ACEOF
+ # This file is a shell script that caches the results of configure
+@@ -2691,12 +3305,13 @@
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
++ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
++$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+- *) $as_unset $ac_var ;;
++ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
++ *) { eval $ac_var=; unset $ac_var;} ;;
+ esac ;;
+ esac
+ done
+@@ -2704,8 +3319,8 @@
+ (set) 2>&1 |
+ case $as_nl`(ac_space=' '; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+- # `set' does not quote correctly, so add quotes (double-quote
+- # substitution turns \\\\ into \\, and sed turns \\ into \).
++ # `set' does not quote correctly, so add quotes: double-quote
++ # substitution turns \\\\ into \\, and sed turns \\ into \.
+ sed -n \
+ "s/'/'\\\\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+@@ -2728,12 +3343,12 @@
+ if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+ if test -w "$cache_file"; then
+ test "x$cache_file" != "x/dev/null" &&
+- { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+-echo "$as_me: updating cache $cache_file" >&6;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
++$as_echo "$as_me: updating cache $cache_file" >&6;}
+ cat confcache >$cache_file
+ else
+- { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+-echo "$as_me: not updating unwritable cache $cache_file" >&6;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
++$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+ fi
+ fi
+ rm -f confcache
+@@ -2750,6 +3365,12 @@
+ # take arguments), then branch to the quote section. Otherwise,
+ # look for a macro that doesn't take arguments.
+ ac_script='
++:mline
++/\\$/{
++ N
++ s,\\\n,,
++ b mline
++}
+ t clear
+ :clear
+ s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g
+@@ -2776,14 +3397,15 @@
+
+ ac_libobjs=
+ ac_ltlibobjs=
++U=
+ for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+ # 1. Remove the extension, and $U if already installed.
+ ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+- ac_i=`echo "$ac_i" | sed "$ac_script"`
++ ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+ # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
+ # will be set to the directory where LIBOBJS objects are built.
+- ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+- ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
++ as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
++ as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
+ done
+ LIBOBJS=$ac_libobjs
+
+@@ -2792,11 +3414,13 @@
+
+
+ : ${CONFIG_STATUS=./config.status}
++ac_write_fail=0
+ ac_clean_files_save=$ac_clean_files
+ ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+-echo "$as_me: creating $CONFIG_STATUS" >&6;}
+-cat >$CONFIG_STATUS <<_ACEOF
++{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
++$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
++as_write_fail=0
++cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
+ #! $SHELL
+ # Generated by $as_me.
+ # Run this file to recreate the current configuration.
+@@ -2806,59 +3430,79 @@
+ debug=false
+ ac_cs_recheck=false
+ ac_cs_silent=false
+-SHELL=\${CONFIG_SHELL-$SHELL}
+-_ACEOF
+
+-cat >>$CONFIG_STATUS <<\_ACEOF
+-## --------------------- ##
+-## M4sh Initialization. ##
+-## --------------------- ##
++SHELL=\${CONFIG_SHELL-$SHELL}
++export SHELL
++_ASEOF
++cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
++## -------------------- ##
++## M4sh Initialization. ##
++## -------------------- ##
+
+ # Be more Bourne compatible
+ DUALCASE=1; export DUALCASE # for MKS sh
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
++if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+ emulate sh
+ NULLCMD=:
+- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
++ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+ else
+- case `(set -o) 2>/dev/null` in
+- *posix*) set -o posix ;;
++ case `(set -o) 2>/dev/null` in #(
++ *posix*) :
++ set -o posix ;; #(
++ *) :
++ ;;
+ esac
+-
+ fi
+
+
+-
+-
+-# PATH needs CR
+-# Avoid depending upon Character Ranges.
+-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+-as_cr_digits='0123456789'
+-as_cr_alnum=$as_cr_Letters$as_cr_digits
+-
+-# The user is always right.
+-if test "${PATH_SEPARATOR+set}" != set; then
+- echo "#! /bin/sh" >conf$$.sh
+- echo "exit 0" >>conf$$.sh
+- chmod +x conf$$.sh
+- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+- PATH_SEPARATOR=';'
++as_nl='
++'
++export as_nl
++# Printing a long string crashes Solaris 7 /usr/bin/printf.
++as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
++# Prefer a ksh shell builtin over an external printf program on Solaris,
++# but without wasting forks for bash or zsh.
++if test -z "$BASH_VERSION$ZSH_VERSION" \
++ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
++ as_echo='print -r --'
++ as_echo_n='print -rn --'
++elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
++ as_echo='printf %s\n'
++ as_echo_n='printf %s'
++else
++ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
++ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
++ as_echo_n='/usr/ucb/echo -n'
+ else
+- PATH_SEPARATOR=:
++ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
++ as_echo_n_body='eval
++ arg=$1;
++ case $arg in #(
++ *"$as_nl"*)
++ expr "X$arg" : "X\\(.*\\)$as_nl";
++ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
++ esac;
++ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
++ '
++ export as_echo_n_body
++ as_echo_n='sh -c $as_echo_n_body as_echo'
+ fi
+- rm -f conf$$.sh
++ export as_echo_body
++ as_echo='sh -c $as_echo_body as_echo'
+ fi
+
+-# Support unset when possible.
+-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+- as_unset=unset
+-else
+- as_unset=false
++# The user is always right.
++if test "${PATH_SEPARATOR+set}" != set; then
++ PATH_SEPARATOR=:
++ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
++ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
++ PATH_SEPARATOR=';'
++ }
+ fi
+
+
+@@ -2867,20 +3511,18 @@
+ # there to prevent editors from complaining about space-tab.
+ # (If _AS_PATH_WALK were called with IFS unset, it would disable word
+ # splitting by setting IFS to empty value.)
+-as_nl='
+-'
+ IFS=" "" $as_nl"
+
+ # Find who we are. Look in the path if we contain no directory separator.
+-case $0 in
++case $0 in #((
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+-done
++ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
++ done
+ IFS=$as_save_IFS
+
+ ;;
+@@ -2891,32 +3533,111 @@
+ as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+- { (exit 1); exit 1; }
++ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
++ exit 1
+ fi
+
+-# Work around bugs in pre-3.0 UWIN ksh.
+-for as_var in ENV MAIL MAILPATH
+-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++# Unset variables that we do not need and which cause bugs (e.g. in
++# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
++# suppresses any "Segmentation fault" message there. '((' could
++# trigger a bug in pdksh 5.2.14.
++for as_var in BASH_ENV ENV MAIL MAILPATH
++do eval test x\${$as_var+set} = xset \
++ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+ done
+ PS1='$ '
+ PS2='> '
+ PS4='+ '
+
+ # NLS nuisances.
+-for as_var in \
+- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+- LC_TELEPHONE LC_TIME
+-do
+- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+- eval $as_var=C; export $as_var
+- else
+- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++LC_ALL=C
++export LC_ALL
++LANGUAGE=C
++export LANGUAGE
++
++# CDPATH.
++(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
++
++
++# as_fn_error STATUS ERROR [LINENO LOG_FD]
++# ----------------------------------------
++# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
++# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
++# script with STATUS, using 1 if that was 0.
++as_fn_error ()
++{
++ as_status=$1; test $as_status -eq 0 && as_status=1
++ if test "$4"; then
++ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+ fi
+-done
++ $as_echo "$as_me: error: $2" >&2
++ as_fn_exit $as_status
++} # as_fn_error
++
++
++# as_fn_set_status STATUS
++# -----------------------
++# Set $? to STATUS, without forking.
++as_fn_set_status ()
++{
++ return $1
++} # as_fn_set_status
++
++# as_fn_exit STATUS
++# -----------------
++# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
++as_fn_exit ()
++{
++ set +e
++ as_fn_set_status $1
++ exit $1
++} # as_fn_exit
++
++# as_fn_unset VAR
++# ---------------
++# Portably unset VAR.
++as_fn_unset ()
++{
++ { eval $1=; unset $1;}
++}
++as_unset=as_fn_unset
++# as_fn_append VAR VALUE
++# ----------------------
++# Append the text in VALUE to the end of the definition contained in VAR. Take
++# advantage of any shell optimizations that allow amortized linear growth over
++# repeated appends, instead of the typical quadratic growth present in naive
++# implementations.
++if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
++ eval 'as_fn_append ()
++ {
++ eval $1+=\$2
++ }'
++else
++ as_fn_append ()
++ {
++ eval $1=\$$1\$2
++ }
++fi # as_fn_append
++
++# as_fn_arith ARG...
++# ------------------
++# Perform arithmetic evaluation on the ARGs, and store the result in the
++# global $as_val. Take advantage of shells that can avoid forks. The arguments
++# must be portable across $(()) and expr.
++if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
++ eval 'as_fn_arith ()
++ {
++ as_val=$(( $* ))
++ }'
++else
++ as_fn_arith ()
++ {
++ as_val=`expr "$@" || test $? -eq 1`
++ }
++fi # as_fn_arith
++
+
+-# Required to use basename.
+ if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+@@ -2930,13 +3651,17 @@
+ as_basename=false
+ fi
+
++if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
++ as_dirname=dirname
++else
++ as_dirname=false
++fi
+
+-# Name of the executable.
+ as_me=`$as_basename -- "$0" ||
+ $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X/"$0" |
++$as_echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+@@ -2951,104 +3676,103 @@
+ }
+ s/.*/./; q'`
+
+-# CDPATH.
+-$as_unset CDPATH
+-
+-
+-
+- as_lineno_1=$LINENO
+- as_lineno_2=$LINENO
+- test "x$as_lineno_1" != "x$as_lineno_2" &&
+- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+-
+- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+- # uniformly replaced by the line number. The first 'sed' inserts a
+- # line-number line after each line using $LINENO; the second 'sed'
+- # does the real work. The second script uses 'N' to pair each
+- # line-number line with the line containing $LINENO, and appends
+- # trailing '-' during substitution so that $LINENO is not a special
+- # case at line end.
+- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+- # scripts with optimization help from Paolo Bonzini. Blame Lee
+- # E. McMahon (1931-1989) for sed's syntax. :-)
+- sed -n '
+- p
+- /[$]LINENO/=
+- ' <$as_myself |
+- sed '
+- s/[$]LINENO.*/&-/
+- t lineno
+- b
+- :lineno
+- N
+- :loop
+- s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+- t loop
+- s/-\n.*//
+- ' >$as_me.lineno &&
+- chmod +x "$as_me.lineno" ||
+- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+- { (exit 1); exit 1; }; }
+-
+- # Don't try to exec as it changes $[0], causing all sort of problems
+- # (the dirname of $[0] is not the place where we might find the
+- # original and so on. Autoconf is especially sensitive to this).
+- . "./$as_me.lineno"
+- # Exit status is that of the last command.
+- exit
+-}
+-
+-
+-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+- as_dirname=dirname
+-else
+- as_dirname=false
+-fi
++# Avoid depending upon Character Ranges.
++as_cr_letters='abcdefghijklmnopqrstuvwxyz'
++as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
++as_cr_Letters=$as_cr_letters$as_cr_LETTERS
++as_cr_digits='0123456789'
++as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+ ECHO_C= ECHO_N= ECHO_T=
+-case `echo -n x` in
++case `echo -n x` in #(((((
+ -n*)
+- case `echo 'x\c'` in
++ case `echo 'xy\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+- *) ECHO_C='\c';;
++ xy) ECHO_C='\c';;
++ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
++ ECHO_T=' ';;
+ esac;;
+ *)
+ ECHO_N='-n';;
+ esac
+
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+- test "X`expr 00001 : '.*\(...\)'`" = X001; then
+- as_expr=expr
+-else
+- as_expr=false
+-fi
+-
+ rm -f conf$$ conf$$.exe conf$$.file
+ if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+ else
+ rm -f conf$$.dir
+- mkdir conf$$.dir
++ mkdir conf$$.dir 2>/dev/null
+ fi
+-echo >conf$$.file
+-if ln -s conf$$.file conf$$ 2>/dev/null; then
+- as_ln_s='ln -s'
+- # ... but there are two gotchas:
+- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+- # In both cases, we have to default to `cp -p'.
+- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++if (echo >conf$$.file) 2>/dev/null; then
++ if ln -s conf$$.file conf$$ 2>/dev/null; then
++ as_ln_s='ln -s'
++ # ... but there are two gotchas:
++ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
++ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
++ # In both cases, we have to default to `cp -p'.
++ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++ as_ln_s='cp -p'
++ elif ln conf$$.file conf$$ 2>/dev/null; then
++ as_ln_s=ln
++ else
+ as_ln_s='cp -p'
+-elif ln conf$$.file conf$$ 2>/dev/null; then
+- as_ln_s=ln
++ fi
+ else
+ as_ln_s='cp -p'
+ fi
+ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+ rmdir conf$$.dir 2>/dev/null
+
++
++# as_fn_mkdir_p
++# -------------
++# Create "$as_dir" as a directory, including parents if necessary.
++as_fn_mkdir_p ()
++{
++
++ case $as_dir in #(
++ -*) as_dir=./$as_dir;;
++ esac
++ test -d "$as_dir" || eval $as_mkdir_p || {
++ as_dirs=
++ while :; do
++ case $as_dir in #(
++ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
++ *) as_qdir=$as_dir;;
++ esac
++ as_dirs="'$as_qdir' $as_dirs"
++ as_dir=`$as_dirname -- "$as_dir" ||
++$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++ X"$as_dir" : 'X\(//\)[^/]' \| \
++ X"$as_dir" : 'X\(//\)$' \| \
++ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_dir" |
++ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
++ s//\1/
++ q
++ }
++ /^X\(\/\/\)[^/].*/{
++ s//\1/
++ q
++ }
++ /^X\(\/\/\)$/{
++ s//\1/
++ q
++ }
++ /^X\(\/\).*/{
++ s//\1/
++ q
++ }
++ s/.*/./; q'`
++ test -d "$as_dir" && break
++ done
++ test -z "$as_dirs" || eval "mkdir $as_dirs"
++ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
++
++
++} # as_fn_mkdir_p
+ if mkdir -p . 2>/dev/null; then
+- as_mkdir_p=:
++ as_mkdir_p='mkdir -p "$as_dir"'
+ else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+@@ -3065,12 +3789,12 @@
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+- test -d "$1/.";
++ test -d "$1/.";
+ else
+- case $1 in
+- -*)set "./$1";;
++ case $1 in #(
++ -*)set "./$1";;
+ esac;
+- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
++ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+@@ -3085,13 +3809,19 @@
+
+
+ exec 6>&1
++## ----------------------------------- ##
++## Main body of $CONFIG_STATUS script. ##
++## ----------------------------------- ##
++_ASEOF
++test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
+
+-# Save the log message, to keep $[0] and so on meaningful, and to
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++# Save the log message, to keep $0 and so on meaningful, and to
+ # report actual input values of CONFIG_FILES etc. instead of their
+ # values after options handling.
+ ac_log="
+ This file was extended by $as_me, which was
+-generated by GNU Autoconf 2.61. Invocation command line was
++generated by GNU Autoconf 2.67. Invocation command line was
+
+ CONFIG_FILES = $CONFIG_FILES
+ CONFIG_HEADERS = $CONFIG_HEADERS
+@@ -3104,59 +3834,74 @@
+
+ _ACEOF
+
+-cat >>$CONFIG_STATUS <<_ACEOF
++case $ac_config_files in *"
++"*) set x $ac_config_files; shift; ac_config_files=$*;;
++esac
++
++
++
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ # Files that config.status was made for.
+ config_files="$ac_config_files"
+
+ _ACEOF
+
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ ac_cs_usage="\
+-\`$as_me' instantiates files from templates according to the
+-current configuration.
++\`$as_me' instantiates files and other configuration actions
++from templates according to the current configuration. Unless the files
++and actions are specified as TAGs, all are instantiated by default.
+
+-Usage: $0 [OPTIONS] [FILE]...
++Usage: $0 [OPTION]... [TAG]...
+
+ -h, --help print this help, then exit
+ -V, --version print version number and configuration settings, then exit
+- -q, --quiet do not print progress messages
++ --config print configuration, then exit
++ -q, --quiet, --silent
++ do not print progress messages
+ -d, --debug don't remove temporary files
+ --recheck update $as_me by reconfiguring in the same conditions
+- --file=FILE[:TEMPLATE]
+- instantiate the configuration file FILE
++ --file=FILE[:TEMPLATE]
++ instantiate the configuration file FILE
+
+ Configuration files:
+ $config_files
+
+-Report bugs to <bug-autoconf@gnu.org>."
++Report bugs to the package provider."
+
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ ac_cs_version="\\
+ config.status
+-configured by $0, generated by GNU Autoconf 2.61,
+- with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
++configured by $0, generated by GNU Autoconf 2.67,
++ with options \\"\$ac_cs_config\\"
+
+-Copyright (C) 2006 Free Software Foundation, Inc.
++Copyright (C) 2010 Free Software Foundation, Inc.
+ This config.status script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it."
+
+ ac_pwd='$ac_pwd'
+ srcdir='$srcdir'
++test -n "\$AWK" || AWK=awk
+ _ACEOF
+
+-cat >>$CONFIG_STATUS <<\_ACEOF
+-# If no file are specified by the user, then we need to provide default
+-# value. By we need to know if files were specified by the user.
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++# The default lists apply if the user does not specify any file.
+ ac_need_defaults=:
+ while test $# != 0
+ do
+ case $1 in
+- --*=*)
++ --*=?*)
+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
+ ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+ ac_shift=:
+ ;;
++ --*=)
++ ac_option=`expr "X$1" : 'X\([^=]*\)='`
++ ac_optarg=
++ ac_shift=:
++ ;;
+ *)
+ ac_option=$1
+ ac_optarg=$2
+@@ -3169,25 +3914,30 @@
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+ ac_cs_recheck=: ;;
+ --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+- echo "$ac_cs_version"; exit ;;
++ $as_echo "$ac_cs_version"; exit ;;
++ --config | --confi | --conf | --con | --co | --c )
++ $as_echo "$ac_cs_config"; exit ;;
+ --debug | --debu | --deb | --de | --d | -d )
+ debug=: ;;
+ --file | --fil | --fi | --f )
+ $ac_shift
+- CONFIG_FILES="$CONFIG_FILES $ac_optarg"
++ case $ac_optarg in
++ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
++ '') as_fn_error $? "missing file argument" ;;
++ esac
++ as_fn_append CONFIG_FILES " '$ac_optarg'"
+ ac_need_defaults=false;;
+ --he | --h | --help | --hel | -h )
+- echo "$ac_cs_usage"; exit ;;
++ $as_echo "$ac_cs_usage"; exit ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil | --si | --s)
+ ac_cs_silent=: ;;
+
+ # This is an error.
+- -*) { echo "$as_me: error: unrecognized option: $1
+-Try \`$0 --help' for more information." >&2
+- { (exit 1); exit 1; }; } ;;
++ -*) as_fn_error $? "unrecognized option: \`$1'
++Try \`$0 --help' for more information." ;;
+
+- *) ac_config_targets="$ac_config_targets $1"
++ *) as_fn_append ac_config_targets " $1"
+ ac_need_defaults=false ;;
+
+ esac
+@@ -3202,30 +3952,32 @@
+ fi
+
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ if \$ac_cs_recheck; then
+- echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+- CONFIG_SHELL=$SHELL
++ set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++ shift
++ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
++ CONFIG_SHELL='$SHELL'
+ export CONFIG_SHELL
+- exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++ exec "\$@"
+ fi
+
+ _ACEOF
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ exec 5>>config.log
+ {
+ echo
+ sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+ ## Running $as_me. ##
+ _ASBOX
+- echo "$ac_log"
++ $as_echo "$ac_log"
+ } >&5
+
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ _ACEOF
+
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+
+ # Handling of arguments.
+ for ac_config_target in $ac_config_targets
+@@ -3233,9 +3985,7 @@
+ case $ac_config_target in
+ "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+
+- *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+- { (exit 1); exit 1; }; };;
++ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
+ esac
+ done
+
+@@ -3260,7 +4010,7 @@
+ trap 'exit_status=$?
+ { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+ ' 0
+- trap '{ (exit 1); exit 1; }' 1 2 13 15
++ trap 'as_fn_exit 1' 1 2 13 15
+ }
+ # Create a (secure) tmp directory for tmp files.
+
+@@ -3271,145 +4021,177 @@
+ {
+ tmp=./conf$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+-} ||
+-{
+- echo "$me: cannot create a temporary directory in ." >&2
+- { (exit 1); exit 1; }
+-}
+-
+-#
+-# Set up the sed scripts for CONFIG_FILES section.
+-#
++} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+
+-# No need to generate the scripts if there are no CONFIG_FILES.
+-# This happens for instance when ./config.status config.h
++# Set up the scripts for CONFIG_FILES section.
++# No need to generate them if there are no CONFIG_FILES.
++# This happens for instance with `./config.status config.h'.
+ if test -n "$CONFIG_FILES"; then
+
+-_ACEOF
+
++ac_cr=`echo X | tr X '\015'`
++# On cygwin, bash can eat \r inside `` if the user requested igncr.
++# But we know of no other shell where ac_cr would be empty at this
++# point, so we can use a bashism as a fallback.
++if test "x$ac_cr" = x; then
++ eval ac_cr=\$\'\\r\'
++fi
++ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
++if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
++ ac_cs_awk_cr='\\r'
++else
++ ac_cs_awk_cr=$ac_cr
++fi
++
++echo 'BEGIN {' >"$tmp/subs1.awk" &&
++_ACEOF
+
+
++{
++ echo "cat >conf$$subs.awk <<_ACEOF" &&
++ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
++ echo "_ACEOF"
++} >conf$$subs.sh ||
++ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
++ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
+ ac_delim='%!_!# '
+ for ac_last_try in false false false false false :; do
+- cat >conf$$subs.sed <<_ACEOF
+-SHELL!$SHELL$ac_delim
+-PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+-PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+-PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+-PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+-PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+-PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+-exec_prefix!$exec_prefix$ac_delim
+-prefix!$prefix$ac_delim
+-program_transform_name!$program_transform_name$ac_delim
+-bindir!$bindir$ac_delim
+-sbindir!$sbindir$ac_delim
+-libexecdir!$libexecdir$ac_delim
+-datarootdir!$datarootdir$ac_delim
+-datadir!$datadir$ac_delim
+-sysconfdir!$sysconfdir$ac_delim
+-sharedstatedir!$sharedstatedir$ac_delim
+-localstatedir!$localstatedir$ac_delim
+-includedir!$includedir$ac_delim
+-oldincludedir!$oldincludedir$ac_delim
+-docdir!$docdir$ac_delim
+-infodir!$infodir$ac_delim
+-htmldir!$htmldir$ac_delim
+-dvidir!$dvidir$ac_delim
+-pdfdir!$pdfdir$ac_delim
+-psdir!$psdir$ac_delim
+-libdir!$libdir$ac_delim
+-localedir!$localedir$ac_delim
+-mandir!$mandir$ac_delim
+-DEFS!$DEFS$ac_delim
+-ECHO_C!$ECHO_C$ac_delim
+-ECHO_N!$ECHO_N$ac_delim
+-ECHO_T!$ECHO_T$ac_delim
+-LIBS!$LIBS$ac_delim
+-build_alias!$build_alias$ac_delim
+-host_alias!$host_alias$ac_delim
+-target_alias!$target_alias$ac_delim
+-CC!$CC$ac_delim
+-CFLAGS!$CFLAGS$ac_delim
+-LDFLAGS!$LDFLAGS$ac_delim
+-CPPFLAGS!$CPPFLAGS$ac_delim
+-ac_ct_CC!$ac_ct_CC$ac_delim
+-EXEEXT!$EXEEXT$ac_delim
+-OBJEXT!$OBJEXT$ac_delim
+-eap_tnc_cflags!$eap_tnc_cflags$ac_delim
+-eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim
+-targetname!$targetname$ac_delim
+-LIBOBJS!$LIBOBJS$ac_delim
+-LTLIBOBJS!$LTLIBOBJS$ac_delim
+-_ACEOF
++ . ./conf$$subs.sh ||
++ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+
+- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then
++ ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
++ if test $ac_delim_n = $ac_delim_num; then
+ break
+ elif $ac_last_try; then
+- { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+- { (exit 1); exit 1; }; }
++ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+ fi
+ done
++rm -f conf$$subs.sh
+
+-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+-if test -n "$ac_eof"; then
+- ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+- ac_eof=`expr $ac_eof + 1`
+-fi
+-
+-cat >>$CONFIG_STATUS <<_ACEOF
+-cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+-_ACEOF
+-sed '
+-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+-s/^/s,@/; s/!/@,|#_!!_#|/
+-:n
+-t n
+-s/'"$ac_delim"'$/,g/; t
+-s/$/\\/; p
+-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+-' >>$CONFIG_STATUS <conf$$subs.sed
+-rm -f conf$$subs.sed
+-cat >>$CONFIG_STATUS <<_ACEOF
+-:end
+-s/|#_!!_#|//g
+-CEOF$ac_eof
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+ _ACEOF
++sed -n '
++h
++s/^/S["/; s/!.*/"]=/
++p
++g
++s/^[^!]*!//
++:repl
++t repl
++s/'"$ac_delim"'$//
++t delim
++:nl
++h
++s/\(.\{148\}\)..*/\1/
++t more1
++s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
++p
++n
++b repl
++:more1
++s/["\\]/\\&/g; s/^/"/; s/$/"\\/
++p
++g
++s/.\{148\}//
++t nl
++:delim
++h
++s/\(.\{148\}\)..*/\1/
++t more2
++s/["\\]/\\&/g; s/^/"/; s/$/"/
++p
++b
++:more2
++s/["\\]/\\&/g; s/^/"/; s/$/"\\/
++p
++g
++s/.\{148\}//
++t delim
++' <conf$$subs.awk | sed '
++/^[^""]/{
++ N
++ s/\n//
++}
++' >>$CONFIG_STATUS || ac_write_fail=1
++rm -f conf$$subs.awk
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++_ACAWK
++cat >>"\$tmp/subs1.awk" <<_ACAWK &&
++ for (key in S) S_is_set[key] = 1
++ FS = ""
++
++}
++{
++ line = $ 0
++ nfields = split(line, field, "@")
++ substed = 0
++ len = length(field[1])
++ for (i = 2; i < nfields; i++) {
++ key = field[i]
++ keylen = length(key)
++ if (S_is_set[key]) {
++ value = S[key]
++ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
++ len += length(value) + length(field[++i])
++ substed = 1
++ } else
++ len += 1 + keylen
++ }
++
++ print line
++}
+
++_ACAWK
++_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
++ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
++else
++ cat
++fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
++ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
++_ACEOF
+
+-# VPATH may cause trouble with some makes, so we remove $(srcdir),
+-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
++# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
++# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
+ # trailing colons and then remove the whole line if VPATH becomes empty
+ # (actually we leave an empty line to preserve line numbers).
+ if test "x$srcdir" = x.; then
+- ac_vpsub='/^[ ]*VPATH[ ]*=/{
+-s/:*\$(srcdir):*/:/
+-s/:*\${srcdir}:*/:/
+-s/:*@srcdir@:*/:/
+-s/^\([^=]*=[ ]*\):*/\1/
++ ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{
++h
++s///
++s/^/:/
++s/[ ]*$/:/
++s/:\$(srcdir):/:/g
++s/:\${srcdir}:/:/g
++s/:@srcdir@:/:/g
++s/^:*//
+ s/:*$//
++x
++s/\(=[ ]*\).*/\1/
++G
++s/\n//
+ s/^[^=]*=[ ]*$//
+ }'
+ fi
+
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ fi # test -n "$CONFIG_FILES"
+
+
+-for ac_tag in :F $CONFIG_FILES
++eval set X " :F $CONFIG_FILES "
++shift
++for ac_tag
+ do
+ case $ac_tag in
+ :[FHLC]) ac_mode=$ac_tag; continue;;
+ esac
+ case $ac_mode$ac_tag in
+ :[FHL]*:*);;
+- :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+-echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+- { (exit 1); exit 1; }; };;
++ :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
+ :[FH]-) ac_tag=-:-;;
+ :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+ esac
+@@ -3437,26 +4219,34 @@
+ [\\/$]*) false;;
+ *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ esac ||
+- { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+-echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+- { (exit 1); exit 1; }; };;
++ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
+ esac
+- ac_file_inputs="$ac_file_inputs $ac_f"
++ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
++ as_fn_append ac_file_inputs " '$ac_f'"
+ done
+
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+- configure_input="Generated from "`IFS=:
+- echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
++ configure_input='Generated from '`
++ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
++ `' by configure.'
+ if test x"$ac_file" != x-; then
+ configure_input="$ac_file. $configure_input"
+- { echo "$as_me:$LINENO: creating $ac_file" >&5
+-echo "$as_me: creating $ac_file" >&6;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
++$as_echo "$as_me: creating $ac_file" >&6;}
+ fi
++ # Neutralize special characters interpreted by sed in replacement strings.
++ case $configure_input in #(
++ *\&* | *\|* | *\\* )
++ ac_sed_conf_input=`$as_echo "$configure_input" |
++ sed 's/[\\\\&|]/\\\\&/g'`;; #(
++ *) ac_sed_conf_input=$configure_input;;
++ esac
+
+ case $ac_tag in
+- *:-:* | *:-) cat >"$tmp/stdin";;
++ *:-:* | *:-) cat >"$tmp/stdin" \
++ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
+ esac
+ ;;
+ esac
+@@ -3466,42 +4256,7 @@
+ X"$ac_file" : 'X\(//\)[^/]' \| \
+ X"$ac_file" : 'X\(//\)$' \| \
+ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$ac_file" |
+- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+- s//\1/
+- q
+- }
+- /^X\(\/\/\)[^/].*/{
+- s//\1/
+- q
+- }
+- /^X\(\/\/\)$/{
+- s//\1/
+- q
+- }
+- /^X\(\/\).*/{
+- s//\1/
+- q
+- }
+- s/.*/./; q'`
+- { as_dir="$ac_dir"
+- case $as_dir in #(
+- -*) as_dir=./$as_dir;;
+- esac
+- test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+- as_dirs=
+- while :; do
+- case $as_dir in #(
+- *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+- *) as_qdir=$as_dir;;
+- esac
+- as_dirs="'$as_qdir' $as_dirs"
+- as_dir=`$as_dirname -- "$as_dir" ||
+-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+- X"$as_dir" : 'X\(//\)[^/]' \| \
+- X"$as_dir" : 'X\(//\)$' \| \
+- X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$as_dir" |
++$as_echo X"$ac_file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+@@ -3519,20 +4274,15 @@
+ q
+ }
+ s/.*/./; q'`
+- test -d "$as_dir" && break
+- done
+- test -z "$as_dirs" || eval "mkdir $as_dirs"
+- } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+-echo "$as_me: error: cannot create directory $as_dir" >&2;}
+- { (exit 1); exit 1; }; }; }
++ as_dir="$ac_dir"; as_fn_mkdir_p
+ ac_builddir=.
+
+ case "$ac_dir" in
+ .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *)
+- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
++ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+ # A ".." for each directory in $ac_dir_suffix.
+- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
++ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+@@ -3568,12 +4318,12 @@
+
+ _ACEOF
+
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ # If the template does not know about datarootdir, expand it.
+ # FIXME: This hack should be removed a few years after 2.60.
+ ac_datarootdir_hack=; ac_datarootdir_seen=
+-
+-case `sed -n '/datarootdir/ {
++ac_sed_dataroot='
++/datarootdir/ {
+ p
+ q
+ }
+@@ -3581,36 +4331,37 @@
+ /@docdir@/p
+ /@infodir@/p
+ /@localedir@/p
+-/@mandir@/p
+-' $ac_file_inputs` in
++/@mandir@/p'
++case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+ *datarootdir*) ac_datarootdir_seen=yes;;
+ *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+- { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+-echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
++$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ ac_datarootdir_hack='
+ s&@datadir@&$datadir&g
+ s&@docdir@&$docdir&g
+ s&@infodir@&$infodir&g
+ s&@localedir@&$localedir&g
+ s&@mandir@&$mandir&g
+- s&\\\${datarootdir}&$datarootdir&g' ;;
++ s&\\\${datarootdir}&$datarootdir&g' ;;
+ esac
+ _ACEOF
+
+ # Neutralize VPATH when `$srcdir' = `.'.
+ # Shell code in configure.ac might set extrasub.
+ # FIXME: do we really want to maintain this feature?
+-cat >>$CONFIG_STATUS <<_ACEOF
+- sed "$ac_vpsub
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++ac_sed_extra="$ac_vpsub
+ $extrasub
+ _ACEOF
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ :t
+ /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+-s&@configure_input@&$configure_input&;t t
++s|@configure_input@|$ac_sed_conf_input|;t t
+ s&@top_builddir@&$ac_top_builddir_sub&;t t
++s&@top_build_prefix@&$ac_top_build_prefix&;t t
+ s&@srcdir@&$ac_srcdir&;t t
+ s&@abs_srcdir@&$ac_abs_srcdir&;t t
+ s&@top_srcdir@&$ac_top_srcdir&;t t
+@@ -3619,21 +4370,24 @@
+ s&@abs_builddir@&$ac_abs_builddir&;t t
+ s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+ $ac_datarootdir_hack
+-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
++"
++eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
++ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+
+ test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+ { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+ { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+- { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+-which seems to be undefined. Please make sure it is defined." >&5
+-echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+-which seems to be undefined. Please make sure it is defined." >&2;}
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
++which seems to be undefined. Please make sure it is defined" >&5
++$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
++which seems to be undefined. Please make sure it is defined" >&2;}
+
+ rm -f "$tmp/stdin"
+ case $ac_file in
+- -) cat "$tmp/out"; rm -f "$tmp/out";;
+- *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+- esac
++ -) cat "$tmp/out" && rm -f "$tmp/out";;
++ *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
++ esac \
++ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ ;;
+
+
+@@ -3643,11 +4397,13 @@
+ done # for ac_tag
+
+
+-{ (exit 0); exit 0; }
++as_fn_exit 0
+ _ACEOF
+-chmod +x $CONFIG_STATUS
+ ac_clean_files=$ac_clean_files_save
+
++test $ac_write_fail = 0 ||
++ as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
++
+
+ # configure is writing to config.log, and then calls config.status.
+ # config.status does its own redirection, appending to config.log.
+@@ -3667,7 +4423,10 @@
+ exec 5>>config.log
+ # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+ # would make configure fail if this is the last instruction.
+- $ac_cs_success || { (exit 1); exit 1; }
++ $ac_cs_success || as_fn_exit 1
++fi
++if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
++$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
+ fi
+-
+
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-12-04 19:38:00.241420966 +0100
+@@ -2,12 +2,21 @@
+ AC_REVISION($Revision$)
+ AC_DEFUN(modname,[rlm_eap_tnc])
+
++eap_tnc_cflags=
++eap_tnc_ldflags=-lnaaeap
++
+ if test x$with_[]modname != xno; then
+
+- AC_CHECK_LIB(TNCS, exchangeTNCCSMessages)
+- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
+- AC_MSG_WARN([the TNCS library isn't found!])
+- fail="$fail -lTNCS"
++ AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",)
++ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
++ AC_MSG_WARN([the NAAEAP library was not found!])
++ fail="$fail -lNAAEAP"
++ fi
++
++ AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",)
++ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
++ AC_MSG_WARN([the naaeap header was not found!])
++ fail="$fail -Inaaeap.h"
+ fi
+
+ targetname=modname
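Review bot: The two added warning blocks test cache variables that AC_CHECK_LIB and AC_CHECK_HEADERS never set, so neither warning can fire. Autoconf keeps the case of the library name and derives the header variable from the full header path, so the conditions should read `if test "x$ac_cv_lib_naaeap_processEAPTNCData" = xno; then` and `if test "x$ac_cv_header_naaeap_naaeap_h" = xno; then`; the `==` operator is also not portable to every `test`. The action-if-not-found arguments already append to `fail`, so once the conditions work the bodies would add a second, differently spelled entry (`-lNAAEAP`, `-Inaaeap.h`); they should keep only the AC_MSG_WARN. The enclosing `if test x$with_[]modname != xno` block continues outside the hunk.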
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-12-04 19:38:00.241420966 +0100
+@@ -1,12 +1,12 @@
+ /*
+ * eap_tnc.c EAP TNC functionality.
+ *
+- * This software is Copyright (C) 2006,2007 FH Hannover
++ * This software is Copyright (C) 2006-2009 FH Hannover
+ *
+ * Portions of this code unrelated to FreeRADIUS are available
+ * separately under a commercial license. If you require an
+ * implementation of EAP-TNC that is not under the GPLv2, please
+- * contact tnc@inform.fh-hannover.de for details.
++ * contact trust@f4-i.fh-hannover.de for details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -23,230 +23,41 @@
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ */
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
+-
+-
+-/*
+- *
+- * MD5 Packet Format in EAP Type-Data
+- * --- ------ ------ -- --- ---------
+- * 0 1 2 3
+- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * | Value-Size | Value ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * | Name ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- *
+- * EAP-TNC Packet Format in EAP Type-Data
+- *
+- * 0 1 2 3
+- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * | Flags |Ver | Data Length ...
+- * |L M S R R|=1 |
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |... | Data ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-
+- *
+- */
+-
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include "eap.h"
+
+ #include "eap_tnc.h"
+
+- /*
+- * WTF is wrong with htonl ?
+- */
+-static uint32_t ByteSwap2 (uint32_t nLongNumber)
+-{
+- return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+
+- ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24));
+-}
+-
+ /*
+- * Allocate a new TNC_PACKET
++ * Forms an EAP_REQUEST packet from the EAP_TNC specific data.
+ */
+-TNC_PACKET *eaptnc_alloc(void)
++int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code)
+ {
+- TNC_PACKET *rp;
+-
+- if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) {
+- radlog(L_ERR, "rlm_eap_tnc: out of memory");
+- return NULL;
++ // check parameters
++ if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){
++ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code);
++ return 0;
+ }
+- memset(rp, 0, sizeof(TNC_PACKET));
+- return rp;
+-}
+-
+-/*
+- * Free TNC_PACKET
+- */
+-void eaptnc_free(TNC_PACKET **tnc_packet_ptr)
+-{
+- TNC_PACKET *tnc_packet;
+-
+- if (!tnc_packet_ptr) return;
+- tnc_packet = *tnc_packet_ptr;
+- if (tnc_packet == NULL) return;
+-
+- if (tnc_packet->data) free(tnc_packet->data);
+
+- free(tnc_packet);
+-
+- *tnc_packet_ptr = NULL;
+-}
+-
+-/*
+- * We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back
+- */
+-TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds)
+-{
+- tnc_packet_t *data;
+- TNC_PACKET *packet;
+- /*
+- * We need a response, of type EAP-TNC
+- */
+- if (!eap_ds ||
+- !eap_ds->response ||
+- (eap_ds->response->code != PW_TNC_RESPONSE) ||
+- eap_ds->response->type.type != PW_EAP_TNC ||
+- !eap_ds->response->type.data ||
+- (eap_ds->response->length <= TNC_HEADER_LEN) ||
+- (eap_ds->response->type.data[0] <= 0)) {
+- radlog(L_ERR, "rlm_eap_tnc: corrupted data");
+- return NULL;
++ // further check parameters
++ if(handler->opaque == NULL || handler->eap_ds == NULL){
++ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds);
++ return 0;
+ }
+- packet = eaptnc_alloc();
+- if (!packet) return NULL;
+-
+
+- packet->code = eap_ds->response->code;
+- packet->id = eap_ds->response->id;
+- packet->length = eap_ds->response->length;
+-
+- data = (tnc_packet_t *)eap_ds->response->type.data;
+- /*
+- * Already checked the size above.
+- */
+- packet->flags_ver = data->flags_ver;
+- unsigned char *ptr = (unsigned char*)data;
+-
+-
+- DEBUG2("Flags/Ver: %x\n", packet->flags_ver);
+- int thisDataLength;
+- int dataStart;
+- if(TNC_LENGTH_INCLUDED(packet->flags_ver)){
+- DEBUG2("data_length included\n");
+-// memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4);
+- //packet->data_length = data->data_length;
+- memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH);
+- DEBUG2("data_length: %x\n", packet->data_length);
+- DEBUG2("data_length: %d\n", packet->data_length);
+- DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length));
+- DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length));
+- packet->data_length = ByteSwap2(packet->data_length);
+- thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver
+- dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH;
+- }else{
+- DEBUG2("no data_length included\n");
+- thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+- packet->data_length = 0;
+- dataStart = TNC_FLAGS_VERSION_LENGTH;
+-
+- }
+- /*
+- * Allocate room for the data, and copy over the data.
+- */
+- packet->data = malloc(thisDataLength);
+- if (packet->data == NULL) {
+- radlog(L_ERR, "rlm_eap_tnc: out of memory");
+- eaptnc_free(&packet);
+- return NULL;
++ if(handler->eap_ds->request == NULL){
++ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request);
++ return 0;
+ }
+-
+- memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength);
+-
+- return packet;
+-}
+
+-
+-/*
+- * Compose the portions of the reply packet specific to the
+- * EAP-TNC protocol, in the EAP reply typedata
+- */
+-int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply)
+-{
+- uint8_t *ptr;
+-
+-
+- if (reply->code < 3) {
+- //fill: EAP-Type (0x888e)
+- eap_ds->request->type.type = PW_EAP_TNC;
+- DEBUG2("TYPE: EAP-TNC set\n");
+- rad_assert(reply->length > 0);
+-
+- //alloc enough space for whole TNC-Packet (from Code on)
+- eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*));
+- DEBUG2("Malloc %d bytes for packet\n", reply->length);
+- if (eap_ds->request->type.data == NULL) {
+- radlog(L_ERR, "rlm_eap_tnc: out of memory");
+- return 0;
+- }
+- //put pointer at position where data starts (behind Type)
+- ptr = eap_ds->request->type.data;
+- //*ptr = (uint8_t)(reply->data_length & 0xFF);
+-
+- //ptr++;
+- *ptr = reply->flags_ver;
+- DEBUG2("Set Flags/Version: %d\n", *ptr);
+- if(reply->data_length!=0){
+- DEBUG2("Set data-length: %d\n", reply->data_length);
+- ptr++; //move to start-position of "data_length"
+- DEBUG2("Set data-length: %x\n", reply->data_length);
+- DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length));
+- unsigned long swappedDataLength = ByteSwap2(reply->data_length);
+- //DEBUG2("DATA-length: %d", reply->data_
+- memcpy(ptr, &swappedDataLength, 4);
+- //*ptr = swappedDataLength;
+- }
+- uint16_t thisDataLength=0;
+- if(reply->data!=NULL){
+- DEBUG2("Adding TNCCS-Data ");
+- int offset;
+- //if data_length-Field present
+- if(reply->data_length !=0){
+- DEBUG2("with Fragmentation\n");
+- offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4
+- thisDataLength = reply->length-TNC_PACKET_LENGTH;
+- }else{ //data_length-Field not present
+- DEBUG2("without Fragmentation\n");
+- offset = 1;
+- thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+- }
+- DEBUG2("TNCCS-Datalength: %d\n", thisDataLength);
+- ptr=ptr+offset; //move to start-position of "data"
+- memcpy(ptr,reply->data, thisDataLength);
+- }else{
+- DEBUG2("No TNCCS-Data present");
+- }
+-
+- //the length of the TNC-packet (behind Type)
+- if(reply->data_length!=0){
+- eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver
+- }else{
+- eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver
+- }
+- DEBUG2("Packet built\n");
+-
+- } else {
+- eap_ds->request->type.length = 0;
+- }
+- eap_ds->request->code = reply->code;
++ // fill EAP data to handler
++ handler->eap_ds->request->code = code;
++ handler->eap_ds->request->type.type = PW_EAP_TNC;
++ // fill EAP TYPE specific data to handler
++ handler->eap_ds->request->type.length = length;
++ free(handler->eap_ds->request->type.data);
++ handler->eap_ds->request->type.data = request;
+
+ return 1;
+ }
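Review bot: `eaptnc_compose` frees the old `type.data` and then stores the caller's `request` pointer, but nothing in the function states that it takes ownership of that buffer. If a caller passes the pointer already held in `type.data`, or frees `request` itself afterwards, the request is left pointing at freed memory. The doc comment in eap_tnc.h describes the buffer as coming from NAA-TNCS, so it presumably also has to be a `malloc()` allocation for a later `free()` to be valid. I would guard the release with `if (handler->eap_ds->request->type.data != request) free(handler->eap_ds->request->type.data);` and add the comment `/* Takes ownership of request: must be malloc()ed; the caller must not free or reuse it. */`. `length` is also stored without an upper bound, which is worth checking against the size an EAP packet can carry.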
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-12-04 19:38:00.241420966 +0100
+@@ -1,10 +1,10 @@
+ /*
+- * This software is Copyright (C) 2006,2007 FH Hannover
++ * This software is Copyright (C) 2006-2009 FH Hannover
+ *
+ * Portions of this code unrelated to FreeRADIUS are available
+ * separately under a commercial license. If you require an
+ * implementation of EAP-TNC that is not under the GPLv2, please
+- * contact tnc@inform.fh-hannover.de for details.
++ * contact trust@f4-i.fh-hannover.de for details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -26,105 +26,20 @@
+ #define _EAP_TNC_H
+
+ #include "eap.h"
++#include <naaeap/naaeap.h>
+
+-#define PW_TNC_REQUEST 1
+-#define PW_TNC_RESPONSE 2
+-#define PW_TNC_SUCCESS 3
+-#define PW_TNC_FAILURE 4
+-#define PW_TNC_MAX_CODES 4
+-
+-#define TNC_HEADER_LEN 4
+-#define TNC_CHALLENGE_LEN 16
+-#define TNC_START_LEN 8
+-
+-#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6
+-#define TNC_PACKET_LENGTH 10
+-#define TNC_DATA_LENGTH_LENGTH 4
+-#define TNC_FLAGS_VERSION_LENGTH 1
+-
+-typedef unsigned int VlanAccessMode;
+-
+-#define VLAN_ISOLATE 97
+-#define VLAN_ACCESS 2
+-/*
+- ****
+- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
+- * for generalization purpose, complete header should be sent
+- * and not just value_size, value and name.
+- * future implementation.
+- *
+- * Huh? What does that mean?
+- */
++#define SET_START(x) ((x) | (0x20))
+
+-/*
++/**
++ * Composes the EAP packet.
+ *
+- * MD5 Packet Format in EAP Type-Data
+- * --- ------ ------ -- --- ---------
+- * 0 1 2 3
+- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * | Value-Size | Value ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * | Name ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- *
+- * EAP-TNC Packet Format in EAP Type-Data
+- *
+- * 0 1 2 3
+- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * | Flags |Ver | Data Length ...
+- * |L M S R R|=1 |
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |... | Data ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-
++ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate
++ * @param request The EAP_TNC packet received from NAA-TNCS
++ * @param length The length of the EAP_TNC packet received from NAA-TNCS
++ * @param code EAP_CODE for the request
+ *
++ * @return True if operation was successful, otherwise false.
+ */
+-
+-/* eap packet structure */
+-typedef struct tnc_packet_t {
+-/*
+- uint8_t code;
+- uint8_t id;
+- uint16_t length;
+-*/
+- uint8_t flags_ver;
+- uint32_t data_length;
+- uint8_t *data;
+-} tnc_packet_t;
+-
+-typedef struct tnc_packet {
+- uint8_t code;
+- uint8_t id;
+- uint16_t length;
+- uint8_t flags_ver;
+- uint32_t data_length;
+- uint8_t *data;
+-} TNC_PACKET;
+-
+-#define TNC_START(x) (((x) & 0x20) != 0)
+-#define TNC_MORE_FRAGMENTS(x) (((x) & 0x40) != 0)
+-#define TNC_LENGTH_INCLUDED(x) (((x) & 0x80) != 0)
+-#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0)
+-#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1)
+-
+-#define SET_START(x) ((x) | (0x20))
+-#define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
+-#define SET_LENGTH_INCLUDED(x) ((x) | (0x80))
+-
+-
+-/* function declarations here */
+-
+-TNC_PACKET *eaptnc_alloc(void);
+-void eaptnc_free(TNC_PACKET **tnc_packet_ptr);
+-
+-int eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply);
+-TNC_PACKET *eaptnc_extract(EAP_DS *auth);
+-int eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch);
+-
+-
+-
+-
++int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code);
+
+ #endif /*_EAP_TNC_H*/
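Review bot: The new doc block for `eaptnc_compose` says it returns true or false, while the function is declared `int` and the implementation in eap_tnc.c returns 1 and 0. The `@return` line would be clearer as `@return 1 on success, 0 if a parameter is invalid.` The `@param length` line should also give the unit, presumably bytes of `request`.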
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-12-04 19:38:49.277421870 +0100
+@@ -3,8 +3,8 @@
+ #
+
+ TARGET = @targetname@
+-SRCS = rlm_eap_tnc.c eap_tnc.c tncs_connect.c
+-HEADERS = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h
++SRCS = rlm_eap_tnc.c eap_tnc.c
++HEADERS = eap_tnc.h ../../eap.h ../../rlm_eap.h
+ RLM_CFLAGS = -I../.. -I../../libeap $(OPENSSL_INCLUDE) @eap_tnc_cflags@
+ RLM_LIBS = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la $(OPENSSL_LIBS)
+ RLM_INSTALL =
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-12-04 19:38:00.241420966 +0100
+@@ -1,12 +1,12 @@
+ /*
+ * rlm_eap_tnc.c Handles that are called from eap
+ *
+- * This software is Copyright (C) 2006,2007 FH Hannover
++ * This software is Copyright (C) 2006-2009 FH Hannover
+ *
+ * Portions of this code unrelated to FreeRADIUS are available
+ * separately under a commercial license. If you require an
+ * implementation of EAP-TNC that is not under the GPLv2, please
+- * contact tnc@inform.fh-hannover.de for details.
++ * contact trust@f4-i.fh-hannover.de for details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -26,96 +26,262 @@
+ * Copyright (C) 2007 Alan DeKok <aland@deployingradius.com>
+ */
+
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
++/*
++ * EAP-TNC Packet with EAP Header, general structure
++ *
++ * 0 1 2 3
++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * | Code | Identifier | Length |
++ * | | | |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * | Type | Flags | Ver | Data Length |
++ * | |L M S R R| =1 | |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * | Data Length | Data ...
++ * | |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ */
+
+ #include <freeradius-devel/autoconf.h>
+
+ #include <stdio.h>
+ #include <stdlib.h>
+
+-#include "tncs_connect.h"
+ #include "eap_tnc.h"
+-#include "tncs.h"
++#include <naaeap/naaeap.h>
+ #include <freeradius-devel/rad_assert.h>
++//#include <freeradius-devel/libradius.h>
+
+-typedef struct rlm_eap_tnc_t {
+- char *vlan_access;
+- char *vlan_isolate;
+- char *tnc_path;
+-} rlm_eap_tnc_t;
++#include <netinet/in.h>
+
+-static int sessionCounter=0;
++/**
++ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type.
++ * The maximum length of the calculated string is 70 (not including the trailing '\0').
++ *
++ * @return the number of bytes written to out (not including the trailing '\0')
++ */
++static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength)
++{
++ VALUE_PAIR *vp = NULL;
++ uint32_t nas_port = 0;
++ uint32_t nas_ip = 0;
++ uint32_t nas_port_type = 0;
++
++ char out_nas_port[11];
++ char out_nas_ip_byte_0[4];
++ char out_nas_ip_byte_1[4];
++ char out_nas_ip_byte_2[4];
++ char out_nas_ip_byte_3[4];
++ char out_nas_port_type[11];
++
++ // check for NULL
++ if (radius_packet == NULL) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!");
++ return 0;
++ }
++
++ // read NAS port, ip and port type
++ for (vp = radius_packet->vps; vp; vp=vp->next) {
++ switch (vp->attribute) {
++ case PW_NAS_PORT:
++ nas_port = vp->vp_integer;
++ DEBUG("NAS scr port = %u\n", nas_port);
++ break;
++ case PW_NAS_IP_ADDRESS:
++ nas_ip = vp->vp_ipaddr;
++ DEBUG("NAS scr ip = %X\n", ntohl(nas_ip));
++ break;
++ case PW_NAS_PORT_TYPE:
++ nas_port_type = vp->vp_integer;
++ DEBUG("NAS scr port type = %u\n", nas_port_type);
++ break;
++ }
++ }
++
++ snprintf(out_nas_port, 11, "%u", nas_port);
++ snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF);
++ snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF);
++ snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF);
++ snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF);
++ snprintf(out_nas_port_type, 11, "%u", nas_port_type);
++
++ return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type);
++}
++
++/*
++ * This function is called when the FreeRADIUS attach this module.
++ */
++static int tnc_attach(CONF_SECTION *conf, void **type_data)
++{
++ // initialize NAA-EAP
++ DEBUG2("TNC-ATTACH initializing NAA-EAP");
++ TNC_Result result = initializeDefault();
++ if (result != TNC_RESULT_SUCCESS) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()");
++ return -1;
++ }
++ return 0;
++}
++
++/*
++ * This function is called when the FreeRADIUS detach this module.
++ */
++static int tnc_detach(void *args)
++{
++ // terminate NAA-EAP
++ DEBUG2("TNC-TERMINATE terminating NAA-EAP");
++ TNC_Result result = terminate();
++ if (result != TNC_RESULT_SUCCESS) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()");
++ return -1;
++ }
++ return 0;
++}
+
+ /*
+- * Initiate the EAP-MD5 session by sending a challenge to the peer.
+- * Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set
+- * and with no data
++ * This function is called when the first EAP_IDENTITY_RESPONSE message
++ * was received.
++ *
++ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE
++ * to the peer. The packet has the Start-Bit set and contains no data.
++ *
++ * 0 1 2 3
++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * | Code | Identifier | Length |
++ * | | | |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * | Type | Flags | Ver |
++ * | |0 0 1 0 0|0 0 1|
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ *
++ * For this package, only 'Identifier' has to be set dynamically. Any
++ * other information is static.
+ */
+ static int tnc_initiate(void *type_data, EAP_HANDLER *handler)
+ {
+- uint8_t flags_ver = 1; //set version to 1
+- rlm_eap_tnc_t *inst = type_data;
+- TNC_PACKET *reply;
++ size_t buflen = 71;
++ size_t ret = 0;
++ char buf[buflen];
++ REQUEST * request = NULL;
++ TNC_Result result;
++ TNC_ConnectionID conID;
++ TNC_BufferReference username;
+
++ // check if we run inside a secure EAP method.
++ // FIXME check concrete outer EAP method
+ if (!handler->request || !handler->request->parent) {
+- DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method.");
++ DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method.");
++ request = handler->request;
+ return 0;
++ } else {
++ request = handler->request->parent;
+ }
+
+- /*
+- * FIXME: Update this when the TTLS and PEAP methods can
+- * run EAP-TLC *after* the user has been authenticated.
+- * This likely means moving the phase2 handlers to a
+- * common code base.
+- */
+- if (1) {
+- DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated.");
++ if (request->packet == NULL) {
++ DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL.");
+ return 0;
+ }
+
+ DEBUG("tnc_initiate: %ld", handler->timestamp);
+
+- if(connectToTncs(inst->tnc_path)==-1){
+- DEBUG("Could not connect to TNCS");
++ //calculate connectionString
++ ret = calculateConnectionString(request->packet, buf, buflen);
++ if(ret == 0){
++ radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed.");
++ return 0;
+ }
+
++ DEBUG2("TNC-INITIATE getting connection from NAA-EAP");
++
+ /*
+- * Allocate an EAP-MD5 packet.
++ * get connection
++ * (uses a function from the NAA-EAP-library)
++ * the presence of the library is checked via the configure-script
+ */
+- reply = eaptnc_alloc();
+- if (reply == NULL) {
+- radlog(L_ERR, "rlm_eap_tnc: out of memory");
++ result = getConnection(buf, &conID);
++
++ // check for errors
++ if (result != TNC_RESULT_SUCCESS) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection");
+ return 0;
+ }
+
+ /*
+- * Fill it with data.
++ * tries to get the username from FreeRADIUS;
++ * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+ */
+- reply->code = PW_TNC_REQUEST;
+- flags_ver = SET_START(flags_ver); //set start-flag
+- DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver);
+- reply->flags_ver = flags_ver;
+- reply->length = 1+1; /* one byte of flags_ver */
++ VALUE_PAIR *usernameValuePair;
++ usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME);
+
++ VALUE_PAIR *eapMessageValuePair;
++ if (!usernameValuePair) {
++ eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE);
++
++ if (eapMessageValuePair &&
++ (eapMessageValuePair->length >= EAP_HEADER_LEN + 2) &&
++ (eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) &&
++ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
++ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
++
++ /*
++ * Create & remember a User-Name
++ */
++ usernameValuePair = pairmake("User-Name", "", T_OP_EQ);
++ rad_assert(usernameValuePair != NULL);
++
++ memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5,
++ eapMessageValuePair->length - 5);
++ usernameValuePair->length = eapMessageValuePair->length - 5;
++ usernameValuePair->vp_strvalue[usernameValuePair->length] = 0;
++ }
++ }
++
++ username = malloc(usernameValuePair->length + 1);
++ memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length);
++ username[usernameValuePair->length] = '\0';
++
++ RDEBUG("Username for current TNC connection: %s", username);
++
++ /*
++ * stores the username of this connection
++ * (uses a function from the NAA-EAP-library)
++ * the presence of the library is checked via the configure-script
++ */
++ result = storeUsername(conID, username, usernameValuePair->length);
++
++ // check for errors
++ if (result != TNC_RESULT_SUCCESS) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername");
++ return 0;
++ }
++
++ // set connection ID in FreeRADIUS
++ handler->opaque = malloc(sizeof(TNC_ConnectionID));
++ memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID));
++
++ // build first EAP TNC request
++ TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char));
++ if (eap_tnc_request == NULL) {
++ radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed.");
++ return 0;
++ }
++ *eap_tnc_request = SET_START(1);
++ TNC_UInt32 eap_tnc_length = 1;
++ type_data = type_data; /* suppress -Wunused */
+
+ /*
+ * Compose the EAP-TNC packet out of the data structure,
+ * and free it.
+ */
+- eaptnc_compose(handler->eap_ds, reply);
+- eaptnc_free(&reply);
++ eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST);
+
+- //put sessionAttribute to Handler and increase sessionCounter
+- handler->opaque = calloc(sizeof(TNC_ConnectionID), 1);
+- if (handler->opaque == NULL) {
+- radlog(L_ERR, "rlm_eap_tnc: out of memory");
+- return 0;
+- }
+- handler->free_opaque = free;
+- memcpy(handler->opaque, &sessionCounter, sizeof(int));
+- sessionCounter++;
+-
+ /*
+ * We don't need to authorize the user at this point.
+ *
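Review bot: In `tnc_initiate`, `usernameValuePair` can still be NULL when it is dereferenced at `username = malloc(usernameValuePair->length + 1);`, because the fallback only creates a User-Name when the EAP-Message is a well-formed Identity response; a request with neither would crash the server on a NULL dereference. Add a guard before the copy, e.g. `if (!usernameValuePair) { radlog(L_ERR, "rlm_eap_tnc: tnc_initiate: no User-Name available"); return 0; }`, and check the `malloc` results for `username` and `handler->opaque` before the `memcpy` into them. The hunk also drops `handler->free_opaque = free;`, and neither `username` nor the `pairmake` result is released here, so these allocations look leaked per session unless NAA-EAP or the caller takes ownership (not visible in this hunk). The return value of `eaptnc_compose` is ignored here although `tnc_authenticate` checks it. The function's closing lines continue in the next hunk.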
+@@ -124,246 +290,114 @@
+ * to us...
+ */
+ handler->stage = AUTHENTICATE;
+-
+- return 1;
+-}
+
+-static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler,
+- VlanAccessMode mode){
+- VALUE_PAIR *vp;
+- char *vlanNumber = NULL;
+- switch(mode){
+- case VLAN_ISOLATE:
+- vlanNumber = inst->vlan_isolate;
+- vp = pairfind(handler->request->config_items,
+- PW_TNC_VLAN_ISOLATE);
+- if (vp) vlanNumber = vp->vp_strvalue;
+- break;
+- case VLAN_ACCESS:
+- vlanNumber = inst->vlan_access;
+- vp = pairfind(handler->request->config_items,
+- PW_TNC_VLAN_ACCESS);
+- if (vp) vlanNumber = vp->vp_strvalue;
+- break;
+-
+- default:
+- DEBUG2(" rlm_eap_tnc: Internal error. Not setting vlan number");
+- return;
+- }
+- pairadd(&handler->request->reply->vps,
+- pairmake("Tunnel-Type", "VLAN", T_OP_SET));
+-
+- pairadd(&handler->request->reply->vps,
+- pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET));
+-
+- pairadd(&handler->request->reply->vps,
+- pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET));
+-
++ return 1;
+ }
+
+-/*
+- * Authenticate a previously sent challenge.
++/**
++ * This function is called when a EAP_TNC_RESPONSE was received.
++ * It basically forwards the EAP_TNC data to NAA-TNCS and forms
++ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID
++ * based on the TNC_ConnectionState determined by NAA-TNCS.
++ *
++ * @param type_arg The configuration data
++ * @param handler The EAP_HANDLER
++ * @return True, if successfully, else false.
+ */
+-static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler)
+-{
+- TNC_PACKET *packet;
+- TNC_PACKET *reply;
+- TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque));
+- TNC_ConnectionState state;
+- rlm_eap_tnc_t *inst = type_arg;
+- int isAcknowledgement = 0;
+- TNC_UInt32 tnccsMsgLength = 0;
+- int isLengthIncluded;
+- int moreFragments;
+- TNC_UInt32 overallLength;
+- TNC_BufferReference outMessage;
+- TNC_UInt32 outMessageLength = 2;
+- int outIsLengthIncluded=0;
+- int outMoreFragments=0;
+- TNC_UInt32 outOverallLength=0;
++static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) {
+
+- DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque)));
+- DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId);
++ rad_assert(handler->request != NULL); // check that request has been sent previously
++ rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called
+
+- /*
+- * Get the User-Password for this user.
+- */
+- rad_assert(handler->request != NULL);
+- rad_assert(handler->stage == AUTHENTICATE);
+-
+- /*
+- * Extract the EAP-TNC packet.
+- */
+- if (!(packet = eaptnc_extract(handler->eap_ds)))
++ if (handler == NULL) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL");
+ return 0;
++ }
++ if (handler->eap_ds == NULL) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL");
++ return 0;
++ }
++ if (handler->eap_ds->response == NULL) {
++ radlog(
++ L_ERR,
++ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL");
++ return 0;
++ }
++ if (handler->eap_ds->response->type.type != PW_EAP_TNC
++ || handler->eap_ds->response->type.length < 1
++ || handler->eap_ds->response->type.data == NULL) {
++ radlog(
++ L_ERR,
++ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p",
++ handler->eap_ds->response->type.type,
++ handler->eap_ds->response->type.length,
++ handler->eap_ds->response->type.data);
++ return 0;
++ }
+
+- /*
+- * Create a reply, and initialize it.
+- */
+- reply = eaptnc_alloc();
+- if (!reply) {
+- eaptnc_free(&packet);
+- return 0;
+- }
+-
+- reply->id = handler->eap_ds->request->id;
+- reply->length = 0;
+- if(packet->data_length==0){
+- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+- }else{
+- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH;
+- }
+- isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver);
+- moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver);
+- overallLength = packet->data_length;
+- if(isLengthIncluded == 0
+- && moreFragments == 0
+- && overallLength == 0
+- && tnccsMsgLength == 0
+- && TNC_START(packet->flags_ver)==0){
+-
+- isAcknowledgement = 1;
+- }
+-
+- DEBUG("Data received: (%d)", (int) tnccsMsgLength);
+-/* int i;
+- for(i=0;i<tnccsMsgLength;i++){
+- DEBUG2("%c", (packet->data)[i]);
+- }
+- DEBUG2("\n");
+- */
+- state = exchangeTNCCSMessages(inst->tnc_path,
+- connId,
+- isAcknowledgement,
+- packet->data,
+- tnccsMsgLength,
+- isLengthIncluded,
+- moreFragments,
+- overallLength,
+- &outMessage,
+- &outMessageLength,
+- &outIsLengthIncluded,
+- &outMoreFragments,
+- &outOverallLength);
+- DEBUG("GOT State %08x from TNCS", (unsigned int) state);
+- if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement
+- reply->code = PW_TNC_REQUEST;
+- reply->data = NULL;
+- reply->data_length = 0;
+- reply->flags_ver = 1;
+- reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+- }else{ //send back normal message
+- DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength);
+-
+- /* for(i=0;i<outMessageLength;i++){
+- DEBUG2("%c", outMessage[i]);
+- }
+- DEBUG2("\n");
+- */
+- DEBUG("outIsLengthIncluded: %d, outMoreFragments: %d, outOverallLength: %d",
+- outIsLengthIncluded, outMoreFragments, (int) outOverallLength);
+- DEBUG("NEW STATE: %08x", (unsigned int) state);
+- switch(state){
+- case TNC_CONNECTION_STATE_HANDSHAKE:
+- reply->code = PW_TNC_REQUEST;
+- DEBUG2("Set Reply->Code to EAP-REQUEST\n");
+- break;
+- case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+- reply->code = PW_TNC_SUCCESS;
+- setVlanAttribute(inst, handler,VLAN_ACCESS);
+- break;
+- case TNC_CONNECTION_STATE_ACCESS_NONE:
+- reply->code = PW_TNC_FAILURE;
+- //setVlanAttribute(inst, handler, VLAN_ISOLATE);
+- break;
+- case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+- reply->code = PW_TNC_SUCCESS;
+- setVlanAttribute(inst, handler, VLAN_ISOLATE);
+- break;
+- default:
+- reply->code= PW_TNC_FAILURE;
+-
+- }
+- if(outMessage!=NULL && outMessageLength!=0){
+- reply->data = outMessage;
+- }
+- reply->flags_ver = 1;
+- if(outIsLengthIncluded){
+- reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver);
+- reply->data_length = outOverallLength;
+- reply->length = TNC_PACKET_LENGTH + outMessageLength;
+- DEBUG("SET LENGTH: %d", reply->length);
+- DEBUG("SET DATALENGTH: %d", (int) outOverallLength);
+- }else{
+- reply->data_length = 0;
+- reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength;
+- DEBUG("SET LENGTH: %d", reply->length);
+- }
+- if(outMoreFragments){
+- reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver);
+- }
+- }
+-
+- /*
+- * Compose the EAP-MD5 packet out of the data structure,
+- * and free it.
+- */
+- eaptnc_compose(handler->eap_ds, reply);
+- eaptnc_free(&reply);
+-
+- handler->stage = AUTHENTICATE;
+-
+- eaptnc_free(&packet);
+- return 1;
+-}
+-
+-/*
+- * Detach the EAP-TNC module.
+- */
+-static int tnc_detach(void *arg)
+-{
+- free(arg);
+- return 0;
+-}
+-
+-
+-static CONF_PARSER module_config[] = {
+- { "vlan_access", PW_TYPE_STRING_PTR,
+- offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL },
+- { "vlan_isolate", PW_TYPE_STRING_PTR,
+- offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL },
+- { "tnc_path", PW_TYPE_STRING_PTR,
+- offsetof(rlm_eap_tnc_t, tnc_path), NULL,
+- "/usr/local/lib/libTNCS.so"},
++ // get connection ID
++ TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque));
+
+- { NULL, -1, 0, NULL, NULL } /* end the list */
+-};
++ DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID);
+
+-/*
+- * Attach the EAP-TNC module.
+- */
+-static int tnc_attach(CONF_SECTION *cs, void **instance)
+-{
+- rlm_eap_tnc_t *inst;
++ // pass EAP_TNC data to NAA-EAP and get answer data
++ TNC_BufferReference output = NULL;
++ TNC_UInt32 outputLength = 0;
++ TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE;
+
+- inst = malloc(sizeof(*inst));
+- if (!inst) return -1;
+- memset(inst, 0, sizeof(*inst));
++ /*
++ * forwards the eap_tnc data to NAA-EAP and gets the response
++ * (uses a function from the NAA-EAP-library)
++ * the presence of the library is checked via the configure-script
++ */
++ TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data,
++ handler->eap_ds->response->type.length, &output, &outputLength,
++ &connectionState);
++
++ // check for errors
++ if (result != TNC_RESULT_SUCCESS) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData");
++ return 0;
++ }
+
+- if (cf_section_parse(cs, inst, module_config) < 0) {
+- tnc_detach(inst);
+- return -1;
++ // output contains now the answer from NAA-EAP
++ uint8_t eapCode = 0;
++ // determine eapCode for request
++ switch (connectionState) {
++ case TNC_CONNECTION_STATE_HANDSHAKE:
++ eapCode = PW_EAP_REQUEST;
++ break;
++ case TNC_CONNECTION_STATE_ACCESS_NONE:
++ eapCode = PW_EAP_FAILURE;
++ break;
++ case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
++ eapCode = PW_EAP_SUCCESS;
++ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET));
++ break;
++ case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
++ eapCode = PW_EAP_SUCCESS;
++ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET));
++ break;
++ default:
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE.");
++ return 0;
+ }
+
+-
+- if (!inst->vlan_access || !inst->vlan_isolate) {
+- radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate");
+- tnc_detach(inst);
+- return -1;
++ // form EAP_REQUEST
++ if (!eaptnc_compose(handler, output, outputLength, eapCode)) {
++ radlog(L_ERR,
++ "rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
++ return 0;
+ }
+
+- *instance = inst;
+- return 0;
++ // FIXME: Why is that needed?
++ handler->stage = AUTHENTICATE;
++
++ return 1;
+ }
+
+ /*
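Review bot: `tnc_authenticate` dereferences `handler` in the two `rad_assert` calls before the `if (handler == NULL)` check, so that check can never take effect; move the asserts below the NULL checks. `handler->opaque` is then read through `*((TNC_ConnectionID *) (handler->opaque))` without a NULL test, although `tnc_initiate` stores an unchecked `malloc` result there; add `if (handler->opaque == NULL) return 0;` first. For `TNC_CONNECTION_STATE_ACCESS_ISOLATED` the reply is `PW_EAP_SUCCESS`, and the only thing separating it from full access is the `TNC-Status` config item, so the `pairmake` result should be checked and the request failed when it is NULL (for instance if the attribute is missing from the dictionary); enforcement of isolation presumably depends on policy outside this file. `output` is not freed after `eaptnc_compose`; whether compose takes ownership is not visible here.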
+@@ -371,10 +405,10 @@
+ * That is, everything else should be 'static'.
+ */
+ EAP_TYPE rlm_eap_tnc = {
+- "eap_tnc",
+- tnc_attach, /* attach */
+- tnc_initiate, /* Start the initial request */
+- NULL, /* authorization */
+- tnc_authenticate, /* authentication */
+- tnc_detach /* detach */
++ "eap_tnc",
++ tnc_attach, /* attach */
++ tnc_initiate, /* Start the initial request */
++ NULL, /* authorization */
++ tnc_authenticate, /* authentication */
++ tnc_detach /* detach */
+ };
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 1970-01-01 01:00:00.000000000 +0100
+@@ -1,146 +0,0 @@
+-/*
+- * This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- * Portions of this code unrelated to FreeRADIUS are available
+- * separately under a commercial license. If you require an
+- * implementation of EAP-TNC that is not under the GPLv2, please
+- * contact tnc@inform.fh-hannover.de for details.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
+-
+-#include "tncs_connect.h"
+-#include <ltdl.h>
+-#include <stdlib.h>
+-#include <stdio.h>
+-#include <eap.h>
+-
+- /*
+- * FIXME: This linking should really be done at compile time.
+- */
+-static lt_dlhandle handle = NULL;
+-
+-static ExchangeTNCCSMessagePointer callTNCS = NULL;
+-
+-/*
+- * returns the function-pointer to a function of a shared-object
+- *
+- * soHandle: handle to a shared-object
+- * name: name of the requested function
+- *
+- * return: the procAddress if found, else NULL
+- */
+-static void *getProcAddress(lt_dlhandle soHandle, const char *name){
+- void *proc = lt_dlsym(soHandle, name);
+- DEBUG("Searching for function %s", name);
+- if(proc == NULL){
+- DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
+- name, lt_dlerror());
+- }
+- return proc;
+-}
+-
+-
+-/*
+- * establishs the connection to the TNCCS without calling functionality.
+- * That means that the TNCS-shared-object is loaded and the function-pointer
+- * to "exchangeTNCCSMessages" is explored.
+- *
+- * return: -1 if connect failed, 0 if connect was successful
+- */
+-int connectToTncs(char *pathToSO){
+- int state = -1;
+- if(handle==NULL){
+- handle = lt_dlopen(pathToSO);
+- DEBUG("OPENED HANDLE!");
+- }
+-
+- if(handle==NULL){
+- DEBUG("HANDLE IS NULL");
+- DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
+- pathToSO, lt_dlerror());
+- }else{
+- DEBUG("SO %s found!", pathToSO);
+- if(callTNCS==NULL){
+- callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
+- }
+- if(callTNCS!=NULL){
+- DEBUG("TNCS is connected");
+- state = 0;
+-// int ret = callTNCS2(2, "Bla", NULL);
+- // DEBUG("GOT %d from exchangeTNCCSMessages", ret);
+- }else{
+- DEBUG("Could not find exchangeTNCCSMessages");
+- }
+-
+- }
+- return state;
+-}
+-
+-/*
+- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
+- * -pathToSO: Path to TNCCS-Shared Object
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation)
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- *
+- * return: state of connection as result of the exchange
+- */
+-TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
+- /*in*/ TNC_ConnectionID connId,
+- /*in*/ int isAcknoledgement,
+- /*in*/ TNC_BufferReference input,
+- /*in*/ TNC_UInt32 inputLength,
+- /*in*/ int isFirst,
+- /*in*/ int moreFragments,
+- /*in*/ TNC_UInt32 overallLength,
+- /*out*/ TNC_BufferReference *output,
+- /*out*/ TNC_UInt32 *outputLength,
+- /*out*/ int *answerIsFirst,
+- /*out*/ int *moreFragmentsFollow,
+- /*out*/ TNC_UInt32 *overallLengthOut){
+- TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+- int connectStatus = connectToTncs(pathToSO);
+- if(connectStatus!=-1){
+- state = callTNCS(connId,
+- isAcknoledgement,
+- input,
+- inputLength,
+- isFirst,
+- moreFragments,
+- overallLength,
+- output,
+- outputLength,
+- answerIsFirst,
+- moreFragmentsFollow,
+- overallLengthOut);
+- DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
+- }else{
+- DEBUG("CAN NOT CONNECT TO TNCS");
+- }
+- return state;
+-}
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 1970-01-01 01:00:00.000000000 +0100
+@@ -1,70 +0,0 @@
+-/*
+- * This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- * Portions of this code unrelated to FreeRADIUS are available
+- * separately under a commercial license. If you require an
+- * implementation of EAP-TNC that is not under the GPLv2, please
+- * contact tnc@inform.fh-hannover.de for details.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-
+-#ifndef _TNCS_CONNECT_H_
+-#define _TNCS_CONNECT_H_
+-
+-#include "tncs.h"
+-
+-/*
+- * establishs the connection to the TNCCS without calling functionality.
+- * That means that the TNCS-shared-object is loaded and the function-pointer
+- * to "exchangeTNCCSMessages" is explored.
+- *
+- * return: -1 if connect failed, 0 if connect was successful
+- */
+-int connectToTncs(char *pathToSO);
+-/*
+- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
+- * -pathToSO: Path to TNCCS-Shared Object
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation)
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- *
+- * return: state of connection as result of the exchange
+- */
+-TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
+- /*in*/ TNC_ConnectionID connId,
+- /*in*/ int isAcknoledgement,
+- /*in*/ TNC_BufferReference input,
+- /*in*/ TNC_UInt32 inputLength,
+- /*in*/ int isFirst,
+- /*in*/ int moreFragments,
+- /*in*/ TNC_UInt32 overallLength,
+- /*out*/ TNC_BufferReference *output,
+- /*out*/ TNC_UInt32 *outputLength,
+- /*out*/ int *answerIsFirst,
+- /*out*/ int *moreFragmentsFollow,
+- /*out*/ TNC_UInt32 *overallLengthOut);
+-
+-#endif //_TNCS_CONNECT_H_
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 1970-01-01 01:00:00.000000000 +0100
+@@ -1,86 +0,0 @@
+-/*
+- * This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- * Portions of this code unrelated to FreeRADIUS are available
+- * separately under a commercial license. If you require an
+- * implementation of EAP-TNC that is not under the GPLv2, please
+- * contact tnc@inform.fh-hannover.de for details.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-
+-#ifndef _TNCS_H_
+-#define _TNCS_H_
+-
+-
+-
+-#ifdef __cplusplus
+-extern "C" {
+-#endif
+-
+-/*
+- * copied from tncimv.h:
+- */
+-typedef unsigned long TNC_UInt32;
+-typedef TNC_UInt32 TNC_ConnectionState;
+-typedef unsigned char *TNC_BufferReference;
+-typedef TNC_UInt32 TNC_ConnectionID;
+-
+-#define TNC_CONNECTION_STATE_CREATE 0
+-#define TNC_CONNECTION_STATE_HANDSHAKE 1
+-#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
+-#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
+-#define TNC_CONNECTION_STATE_ACCESS_NONE 4
+-#define TNC_CONNECTION_STATE_DELETE 5
+-#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
+-
+-/*
+- * Accesspoint (as function-pointer) to the TNCS for sending and receiving
+- * TNCCS-Messages.
+- *
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation)
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- *
+- * return: state of connection as result of the exchange
+- */
+-typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId,
+- /*in*/ int isAcknoledgement,
+- /*in*/ TNC_BufferReference input,
+- /*in*/ TNC_UInt32 inputLength,
+- /*in*/ int isFirst,
+- /*in*/ int moreFragments,
+- /*in*/ TNC_UInt32 overallLength,
+- /*out*/ TNC_BufferReference *output,
+- /*out*/ TNC_UInt32 *outputLength,
+- /*out*/ int *answerIsFirst,
+- /*out*/ int *moreFragmentsFollow,
+- /*out*/ TNC_UInt32 *overallLengthOut
+-);
+-
+-#ifdef __cplusplus
+-}
+-#endif
+-#endif //_TNCS_H_
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-12-04 19:39:54.749423138 +0100
+@@ -37,6 +37,10 @@
+ int copy_request_to_tunnel;
+ int use_tunneled_reply;
+ const char *virtual_server;
++ const char *tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
++ VALUE_PAIR *auth_reply; // cache storage of the last reply of the first inner method
++ int auth_code; // cache storage of the reply-code of the first inner method
++ int doing_tnc; // status if we're doing EAP-TNC
+ } ttls_tunnel_t;
+
+ /*
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-12-04 19:39:54.749423138 +0100
+@@ -62,6 +62,11 @@
+ * Virtual server for inner tunnel session.
+ */
+ char *virtual_server;
++
++ /*
++ * Virtual server for the second inner tunnel method, which is EAP-TNC.
++ */
++ char *tnc_virtual_server;
+ } rlm_eap_ttls_t;
+
+
+@@ -78,6 +83,9 @@
+ { "virtual_server", PW_TYPE_STRING_PTR,
+ offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
+
++ { "tnc_virtual_server", PW_TYPE_STRING_PTR,
++ offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
++
+ { "include_length", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+
+@@ -171,6 +179,10 @@
+ t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
+ t->use_tunneled_reply = inst->use_tunneled_reply;
+ t->virtual_server = inst->virtual_server;
++ t->tnc_virtual_server = inst->tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
++ t->auth_reply = NULL; // cache storage of the last reply of the first inner method
++ t->auth_code = -1; // cache storage of the reply-code of the first inner method
++ t->doing_tnc = 0; // status if we're doing EAP-TNC (on start we're doing NOT)
+ return t;
+ }
+
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-12-04 19:39:54.749423138 +0100
+@@ -585,6 +585,94 @@
+ }
+
+ /*
++ * Start EAP-TNC as a second inner method.
++ * Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
++ * If it's the first time, we create a EAP-START-packet and send
++ * EAP-START := code = PW_EAP_REQUEST
++ *
++ */
++static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
++ REQUEST* request = handler->request;
++ RDEBUG2("EAP-TNC as second inner authentication method starts now");
++
++ /*
++ * Allocate a fake REQUEST struct,
++ * to make a new request, based on the original request.
++ */
++ REQUEST* fake = request_alloc_fake(request);
++
++ /*
++ * Set the virtual server to that of EAP-TNC.
++ */
++ fake->server = t->tnc_virtual_server;
++
++ /*
++ * Build a new EAP-Message.
++ */
++ VALUE_PAIR *eap_msg;
++ eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
++
++ /*
++ * Set the EAP-Message to look like EAP-Start
++ */
++ eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
++ eap_msg->vp_octets[1] = 0x00;
++
++ /*
++ * Only setting EAP-TNC here,
++ * because it is intended to do user-authentication in the first inner method,
++ * and then a hardware-authentication (like EAP-TNC) as the second method.
++ */
++ eap_msg->vp_octets[4] = PW_EAP_TNC;
++
++ eap_msg->length = 0;
++
++ /*
++ * Add the EAP-Message to the request.
++ */
++ pairadd(&(fake->packet->vps), eap_msg);
++
++ /*
++ * Process the new request by the virtual server configured for
++ * EAP-TNC.
++ */
++ rad_authenticate(fake);
++
++ /*
++ * From now on we're doing EAP-TNC as the second inner authentication method.
++ */
++ t->doing_tnc = TRUE;
++
++ return fake;
++}
++
++/*
++ * Stop EAP-TNC as a second inner method.
++ * Copy the value pairs from the cached Access-Accept of the first inner method
++ * to the Access-Accept/Reject package of EAP-TNC.
++ */
++static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
++ RDEBUG2("EAP-TNC as second inner authentication method stops now");
++
++ /*
++ * Copy the value-pairs of the origina Access-Accept of the first
++ * inner authentication method to the Access-Accept/Reject of the
++ * second inner authentication method (EAP-TNC).
++ */
++ if (request->reply->code == PW_AUTHENTICATION_ACK) {
++ pairadd(&(request->reply->vps), t->auth_reply);
++ } else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
++ pairadd(&(request->reply->vps), t->auth_reply);
++ }
++
++ pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
++ pairdelete(&(request->reply->vps), PW_PROXY_STATE);
++ pairdelete(&(request->reply->vps), PW_USER_NAME);
++
++ return request;
++}
++
++/*
+ * Use a reply packet to determine what to do.
+ */
+ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
+@@ -1135,6 +1223,16 @@
+
+ } /* else fake->server == request->server */
+
++ /*
++ * If we're doing EAP-TNC as a second method,
++ * then set the server to that one.
++ * Then, rad_authenticate will run EAP-TNC,
++ * so that afterwards we have to look for the state of
++ * EAP-TNC.
++ */
++ if (t->doing_tnc) {
++ fake->server = t->tnc_virtual_server;
++ }
+
+ if ((debug_flag > 0) && fr_log_fp) {
+ RDEBUG("Sending tunneled request");
+@@ -1248,6 +1346,53 @@
+
+ default:
+ /*
++ * If the result of the first method was an acknowledgment OR
++ * if were already running EAP-TNC,
++ * we're doing additional things before processing the reply.
++ * Also the configuration for EAP-TTLS has to contain a virtual server
++ * for EAP-TNC as the second method.
++ */
++ if (t->tnc_virtual_server) {
++ /*
++ * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
++ * which means that the method was successful,
++ * and we're not doing EAP-TNC as the second method,
++ * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
++ */
++ if (fake->reply->code == PW_AUTHENTICATION_ACK
++ && t->doing_tnc == FALSE) {
++ RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
++
++ /*
++ * Save reply-value pairs and reply-code of the first method.
++ */
++ t->auth_reply = fake->reply->vps;
++ fake->reply->vps = NULL;
++ t->auth_code = fake->reply->code;
++
++ /*
++ * Create the start package for EAP-TNC.
++ */
++ fake = start_tnc(handler, t);
++
++ /*
++ * If we're doing EAP-TNC as the second inner method,
++ * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
++ * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
++ */
++ } else if (t->doing_tnc == TRUE
++ && (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
++
++ /*
++ * Create the combined Access-Accept or -Reject.
++ */
++ RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
++ fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
++ fake = stop_tnc(fake, t);
++ }
++ }
++
++ /*
+ * Returns RLM_MODULE_FOO, and we want to return
+ * PW_FOO
+ */
diff --git a/testing/scripts/recipes/patches/iptables-xfrm-hooks b/testing/scripts/recipes/patches/iptables-xfrm-hooks
new file mode 100644
index 000000000..baa4a65c1
--- /dev/null
+++ b/testing/scripts/recipes/patches/iptables-xfrm-hooks
@@ -0,0 +1,61 @@
+From 4553ba0130bb9f0aa266cc1e4c3288a52f34eed6 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Wed, 7 Apr 2010 11:40:15 +0200
+Subject: [PATCH] Added XFRM hooks to iptables headers
+
+---
+ include/linux/netfilter.h | 2 ++
+ include/linux/netfilter_ipv4.h | 6 +++++-
+ include/linux/netfilter_ipv6.h | 6 +++++-
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
+index 2eb00b6..b692c67 100644
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -35,6 +35,8 @@ enum nf_inet_hooks {
+ NF_INET_FORWARD,
+ NF_INET_LOCAL_OUT,
+ NF_INET_POST_ROUTING,
++ NF_INET_XFRM_IN,
++ NF_INET_XFRM_OUT,
+ NF_INET_NUMHOOKS
+ };
+
+diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
+index 4d7ba3e..28d3ca9 100644
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -47,7 +47,11 @@
+ #define NF_IP_LOCAL_OUT 3
+ /* Packets about to hit the wire. */
+ #define NF_IP_POST_ROUTING 4
+-#define NF_IP_NUMHOOKS 5
++/* Packets going into XFRM input transformation. */
++#define NF_IP_XFRM_IN 5
++/* Packets going into XFRM output transformation. */
++#define NF_IP_XFRM_OUT 6
++#define NF_IP_NUMHOOKS 7
+
+ enum nf_ip_hook_priorities {
+ NF_IP_PRI_FIRST = INT_MIN,
+diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
+index 7430b39..18590a5 100644
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -51,7 +51,11 @@
+ #define NF_IP6_LOCAL_OUT 3
+ /* Packets about to hit the wire. */
+ #define NF_IP6_POST_ROUTING 4
+-#define NF_IP6_NUMHOOKS 5
++/* Packets going into XFRM input transformation. */
++#define NF_IP6_XFRM_IN 5
++/* Packets going into XFRM output transformation. */
++#define NF_IP6_XFRM_OUT 6
++#define NF_IP6_NUMHOOKS 7
+
+
+ enum nf_ip6_hook_priorities {
+--
+1.6.3.3
+
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index 64cc0262e..953548a1b 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -14,32 +14,20 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-##########################################################################
-# load-testconfig requires a testname as an argument
-#
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
testname=$1
-HOSTCONFIGDIR=$BUILDDIR/hosts
+HOSTCONFIGDIR=$DIR/../hosts
TESTSDIR=$BUILDDIR/tests
[ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found"
[ -d $TESTSDIR/$testname ] || die "Test '$testname' not found"
[ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
-source $TESTSDIR/$testname/test.conf
-
-##########################################################################
-# copy default host config back if necessary
-#
+. $TESTSDIR/$testname/test.conf
if [ -d $TESTSDIR/${testname}/hosts ]
then
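Review bot: `. $DIR/../testing.conf` now runs with no existence check and before `function.sh` is loaded, so a missing or misplaced config is no longer reported through `die`. The script carries on with `BUILDDIR` empty until the `$TESTSDIR` directory test fails with a misleading message. Load the helpers first and keep the guard: `. "$DIR/function.sh"` followed by `[ -f "$DIR/../testing.conf" ] || die "Configuration file 'testing.conf' not found"`. The same ordering appears in the new `start-testing` and `stop-testing`, which go on to run as root. `testname=$1` also flows unquoted into the path that is sourced a few lines later, so `DIR=$(dirname "$(readlink -f "$0")")` and a quoted `. "$TESTSDIR/$testname/test.conf"` would be safer.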
@@ -47,5 +35,6 @@ then
do
eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+ scp $SSHCONF -r $HOSTCONFIGDIR/default/etc $HOSTLOGIN:/ > /dev/null 2>&1
done
fi
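Review bot: The added `scp ... $HOSTCONFIGDIR/default/etc $HOSTLOGIN:/` discards both its output and its exit status (`> /dev/null 2>&1`), like the line above it. A failed restore therefore leaves a guest with stale configuration and the next test runs against it without any warning. Check the result, e.g. `scp $SSHCONF -r "$HOSTCONFIGDIR/default/etc" "$HOSTLOGIN:/" > /dev/null 2>&1 || die "restoring default config on $host failed"`. The default tree is also copied after the host-specific one, so it overwrites any file present in both; if host-specific files are meant to win, the two lines should be swapped. The enclosing `for` loop starts outside this hunk.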
diff --git a/testing/scripts/shutdown-umls b/testing/scripts/shutdown-umls
deleted file mode 100755
index e71e46602..000000000
--- a/testing/scripts/shutdown-umls
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Install strongSwan from mounted strongswan-shared tree
-#
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho "shutting down"
-cecho-n " "
-
-for host in $STRONGSWANHOSTS
-do
- eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- cecho-n "$host... "
- ssh $HOSTLOGIN 'shutdown now -h' > /dev/null
-done
-
-cecho
diff --git a/testing/scripts/start-bridges b/testing/scripts/start-bridges
deleted file mode 100755
index 1e09d6e7d..000000000
--- a/testing/scripts/start-bridges
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-# start the UML bridges in the kernel using the brctl command
-#
-# Copyright (C) 2009 Andreas Steffen
-# HSR Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-# create umlbr1 and its taps
-#
-if [ `brctl show | grep umlbr1 | wc -l` -eq 1 ]
-then
- cecho " * Great, umlbr1 is already running!"
-else
- cecho-n " * Starting umlbr1 with taps.."
- umlbr_add 1 10.1.0.254 255.255.0.0
- umlbr_add_tap 1 alice
- umlbr_add_tap 1 venus
- umlbr_add_tap 1 moon
- cgecho "done"
-fi
-
-# create umlbr0 and its taps
-#
-if [ `brctl show | grep umlbr0 | wc -l` -eq 1 ]
-then
- cecho " * Great, umlbr0 is already running!"
-else
- cecho-n " * Starting umlbr0 with taps.."
- umlbr_add 0 192.168.0.254 255.255.255.0
- umlbr_add_tap 0 alice
- umlbr_add_tap 0 moon
- umlbr_add_tap 0 carol
- umlbr_add_tap 0 winnetou
- umlbr_add_tap 0 dave
- umlbr_add_tap 0 sun
- cgecho "done"
-fi
-
-# create umlbr2 and its taps
-#
-if [ `brctl show | grep umlbr2 | wc -l` -eq 1 ]
-then
- cecho " * Great, umlbr2 is already running!"
-else
- cecho-n " * Starting umlbr2 with taps.."
- umlbr_add 2 10.2.0.254 255.255.0.0
- umlbr_add_tap 2 sun
- umlbr_add_tap 2 bob
- cgecho "done"
-fi
-
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
deleted file mode 100755
index 878494370..000000000
--- a/testing/scripts/start-umls
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/bin/bash
-# starts the UML instances with a hidden screen
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-for host in $HOSTS
-do
- up=0
-
- if [ -d ~/.uml/${host} ]
- then
- pid=`cat ~/.uml/${host}/pid`
- up=`ps up $pid | wc -l`
- fi
-
- if [ $up -eq 2 ]
- then
- cecho " * Great, ${host} is already running!"
- else
- rm -rf ~/.uml/${host}
- BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
- let "count_max += 12"
-
- UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
- [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
- cecho-n " * Starting ${host}.."
- eval screen -dmS ${host} "$UMLKERNEL \
- umid=${host} \
- ubda=$UMLHOSTFS \
- \$SWITCH_${host} \
- mem=${MEM}M con=pty con0=fd:0,fd:1"
- cgecho "done"
- fi
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
- exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
- cecho-n " * Checking on $host.."
-
- while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
- do
- cecho-n "."
- sleep 5
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- fi
-
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
- while [ $count -lt $count_max ] && [ $up -eq 0 ]
- do
- cecho-n "."
- sleep 5
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- else
- cgecho "up"
- fi
-
- if [ "$host" = "alice" ]
- then
- sleep 5
- eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
- fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/stop-bridges b/testing/scripts/stop-bridges
deleted file mode 100755
index eb92bd0eb..000000000
--- a/testing/scripts/stop-bridges
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-# stop the UML bridges in the kernel using the brctl command
-#
-# Copyright (C) 2009 Andreas Steffen
-# HSR Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-# stop umlbr1 and its taps
-#
-cecho-n " * Stopping umlbr1 with taps.."
-umlbr_del_tap 1 alice
-umlbr_del_tap 1 venus
-umlbr_del_tap 1 moon
-umlbr_del 1
-cgecho "done"
-
-# stop umlbr0 and its taps
-#
-cecho-n " * Stopping umlbr0 with taps.."
-umlbr_del_tap 0 alice
-umlbr_del_tap 0 moon
-umlbr_del_tap 0 carol
-umlbr_del_tap 0 winnetou
-umlbr_del_tap 0 dave
-umlbr_del_tap 0 sun
-umlbr_del 0
-cgecho "done"
-
-# stop umlbr2 and its taps
-#
-cecho-n " * Stopping umlbr2 with taps.."
-umlbr_del_tap 2 sun
-umlbr_del_tap 2 bob
-umlbr_del 2
-cgecho "done"
-
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
deleted file mode 100755
index ed2662b6c..000000000
--- a/testing/scripts/xstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in an xterm (requires X11R6)
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of xterm window on the desktop
-x0=8
-y0=8
-dx=12
-dy=24
-
-for host in $HOSTS
-do
- up=0
-
- if [ -d ~/.uml/${host} ]
- then
- pid=`cat ~/.uml/${host}/pid`
- up=`ps up $pid | wc -l`
- fi
-
- if [ $up -eq 2 ]
- then
- cecho " * Great, ${host} is already running!"
- else
- rm -rf ~/.uml/${host}
- BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
- let "count_max += 12"
-
- UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
- [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
- cecho-n " * Starting ${host}.."
- eval xterm -title ${host} -geometry "+${x0}+${y0}" -rightbar -sb -sl 500 -e "$UMLKERNEL \
- umid=${host} \
- ubda=$UMLHOSTFS \
- \$SWITCH_${host} \
- mem=${MEM}M con=pty con0=fd:0,fd:1" &
- cgecho "done"
- sleep 15
- fi
- let "x0+=dx"
- let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
- exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
- cecho-n " * Checking on $host.."
-
- while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
- do
- cecho-n "."
- sleep 5
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- fi
-
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
- while [ $count -lt $count_max ] && [ $up -eq 0 ]
- do
- cecho-n "."
- sleep 5
- up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
- let "count+=1"
- done
-
- if [ $count -ge $count_max ]
- then
- cecho "exit"
- exit 1
- else
- cgecho "up"
- fi
-
- if [ "$host" = "alice" ]
- then
- sleep 5
- eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
- fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/ssh_config b/testing/ssh_config
index 36569c07c..831b9dc1a 100644
--- a/testing/ssh_config
+++ b/testing/ssh_config
@@ -1,7 +1,8 @@
Host *
# debian default
SendEnv LANG LC_*
- HashKnownHosts yes
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
GSSAPIAuthentication yes
# faster encryption
Ciphers arcfour
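Review bot: `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` sits under `Host *`, so every connection made with this file skips host-key verification and never records a key. The test scripts pass this file via `-F` and log in as root. For test guests that are rebuilt often this is a common trade-off, but it should be scoped and documented. Replace `Host *` with a pattern that matches only the test guests, and add a comment such as `# test guests are re-imaged often; host keys are deliberately not verified - do not use this file outside the test network`.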
diff --git a/testing/start-testing b/testing/start-testing
index 278500e6f..183729423 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -1,85 +1,48 @@
#!/bin/bash
-# Start up the specified UML instances and wait for them to finish booting
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/hosts ] || die "Directory hosts cannot be found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-#####################################################
-# start the uml bridges
-#
-cecho "Start the uml bridges (scripts/start-bridges)"
-$DIR/scripts/start-bridges
-
-
-#####################################################
-# start the uml instances
-#
-case $UMLSTARTMODE in
- konsole)
- cecho "Start the uml instances (scripts/kstart-umls)"
- $DIR/scripts/kstart-umls $HOSTS
- ;;
- gnome-terminal)
- cecho "Start the uml instances (scripts/gstart-umls)"
- $DIR/scripts/gstart-umls $HOSTS
- ;;
- xterm)
- cecho "Start the uml instances (scripts/xstart-umls)"
- $DIR/scripts/xstart-umls $HOSTS
- ;;
- screen)
- cecho "Start the uml instances (scripts/start-umls)"
- $DIR/scripts/start-umls $HOSTS
- ;;
- *)
- die "The start mode is unknown! Please set $UMLSTARTMODE properly."
- ;;
-esac
-
-
-#####################################################
-# do the automated testing
-#
-if [ $ENABLE_DO_TESTS = "yes" ]
-then
- cecho "Run the automated tests (do-tests)"
- $DIR/do-tests
-fi
-
-
-##############################################################################
-# stop all UML instances and switches
-#
-
-if [ $ENABLE_STOP_TESTING = "yes" ]
-then
- cecho "Stopping all UML instances and switches (stop-testing)"
- $DIR/stop-testing $HOSTS
-fi
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+NETWORKS="vnet1 vnet2 vnet3"
+CONFDIR=$DIR/config/kvm
+KNLSRC=$BUILDDIR/$KERNEL/arch/x86/boot/bzImage
+KNLTARGET=/var/run/kvm-swan-kernel
+HOSTFSTARGET=/var/run/kvm-swan-hostfs
+MCASTBRS="virbr1 virbr2"
+
+echo "Starting test environment"
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands virsh
+
+log_action "Deploying kernel $KERNEL"
+execute "ln -fs $KNLSRC $KNLTARGET"
+
+log_action "Deploying $SHAREDDIR as hostfs"
+execute "chown -R $KVMUSER:$KVMGROUP $SHAREDDIR" 0
+execute "ln -Tfs $SHAREDDIR $HOSTFSTARGET"
+
+for net in $NETWORKS
+do
+ log_action "Network $net"
+ execute "virsh net-create $CONFDIR/$net.xml"
+done
+
+for host in $STRONGSWANHOSTS
+do
+ ln -fs $IMGDIR/$host.$IMGEXT $VIRTIMGSTORE/$host.$IMGEXT
+ log_action "Guest $host"
+ execute "virsh create $CONFDIR/$host.xml"
+done
+
+# Enforce reception of multicast traffic on bridges
+for br in $MCASTBRS
+do
+ cd /sys/devices/virtual/net/$br/brif
+ for vnet in `find . -name "vnet*"`
+ do
+ echo 2 > $vnet/multicast_router
+ done
+done
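Review bot: In the multicast loop at the end, `cd /sys/devices/virtual/net/$br/brif` is not checked. If a bridge is missing (for instance because an earlier `virsh net-create` failed), the `find` and the `echo 2 > $vnet/multicast_router` redirect run as root in whatever directory the script was already in; for the second bridge that is the first bridge's `brif` directory. Guard it with `cd "/sys/devices/virtual/net/$br/brif" || continue`, or drop the `cd` and loop over `"/sys/devices/virtual/net/$br/brif"/vnet*` directly. The `ln -fs $IMGDIR/$host.$IMGEXT ...` line is also the only privileged step not wrapped in `execute`, so presumably its failure goes unreported.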
diff --git a/testing/stop-testing b/testing/stop-testing
index 023a5b39e..704ae6667 100755
--- a/testing/stop-testing
+++ b/testing/stop-testing
@@ -1,48 +1,34 @@
#!/bin/bash
-# Stop all UML instances and UML switches
-#
-# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "No configuration file testing.conf found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
- HOSTS=$STRONGSWANHOSTS
-else
- HOSTS=$*
-fi
-
-#####################################################
-# Shutting down the uml instances
-#
-cecho-n " * Halting all UML instances.."
-for host in $HOSTS
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+echo "Stopping test environment"
+
+NETWORKS="vnet1 vnet2 vnet3"
+KNLTARGET=/var/run/kvm-swan-kernel
+HOSTFSTARGET=/var/run/kvm-swan-hostfs
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands virsh
+
+for net in $NETWORKS
do
- uml_mconsole $host halt &> /dev/null
+ log_action "Network $net"
+ execute "virsh net-destroy $net"
done
-cgecho "done"
-#####################################################
-# Shutting down the uml bridhges
-#
-cecho "Stop the uml bridges (scripts/stop-bridges)"
-$DIR/scripts/stop-bridges
+for host in $STRONGSWANHOSTS
+do
+ log_action "Guest $host"
+ execute "virsh shutdown $host"
+ rm -f $VIRTIMGSTORE/$host.$IMGEXT
+done
+log_action "Removing kernel $KERNEL"
+execute "rm $KNLTARGET"
+log_action "Removing link to hostfs"
+execute "rm $HOSTFSTARGET"
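Review bot: `rm -f $VIRTIMGSTORE/$host.$IMGEXT` runs as root with unquoted variables that come from `testing.conf`, which is sourced above without an existence check. If `VIRTIMGSTORE` is empty the path collapses to `/$host.$IMGEXT`. Use `rm -f -- "${VIRTIMGSTORE:?}/$host.$IMGEXT"` so an unset value aborts the script instead. `virsh shutdown` only requests a guest shutdown and returns, and here it is issued after the networks have already been destroyed, so guests may still be running when the script exits. A comment stating that this order is intended would help the next reader.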
diff --git a/testing/testing.conf b/testing/testing.conf
index d0c918860..960d3f63e 100755..100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -1,5 +1,5 @@
#!/bin/bash
-# Global configuration file for strongswan UML testing.
+# Global configuration file for strongswan integration testing.
#
# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
# Zuercher Hochschule Winterthur
@@ -15,146 +15,66 @@
# for more details.
# Root directory of testing
-UMLTESTDIR=~/strongswan-testing
-
-# Bzipped kernel sources
-# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-3.5.3.tar.bz2
-
-# Extract kernel version
-KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
-
-# Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-3.5
-
-
-# Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/ha-3.0.patch.bz2
-
-# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-5.0.1.tar.bz2
-
-# strongSwan compile options (use "yes" or "no")
-USE_LIBCURL="yes"
-USE_LDAP="yes"
-USE_EAP_AKA="yes"
-USE_EAP_SIM="yes"
-USE_EAP_MD5="yes"
-USE_EAP_MSCHAPV2="yes"
-USE_EAP_IDENTITY="yes"
-USE_EAP_RADIUS="yes"
-USE_EAP_DYNAMIC="yes"
-USE_EAP_TLS="yes"
-USE_EAP_TTLS="yes"
-USE_EAP_PEAP="yes"
-USE_EAP_TNC="yes"
-USE_TNC_PDP="yes"
-USE_TNC_IMC="yes"
-USE_TNC_IMV="yes"
-USE_TNCCS_11="yes"
-USE_TNCCS_20="yes"
-USE_TNCCS_DYNAMIC="yes"
-USE_IMC_TEST="yes"
-USE_IMV_TEST="yes"
-USE_IMC_SCANNER="yes"
-USE_IMV_SCANNER="yes"
-USE_IMC_ATTESTATION="yes"
-USE_IMV_ATTESTATION="yes"
-USE_SQL="yes"
-USE_MEDIATION="yes"
-USE_OPENSSL="yes"
-USE_BLOWFISH="yes"
-USE_KERNEL_PFKEY="yes"
-USE_INTEGRITY_TEST="yes"
-USE_LEAK_DETECTIVE="yes"
-USE_LOAD_TESTER="yes"
-USE_TEST_VECTORS="yes"
-USE_GCRYPT="yes"
-USE_SOCKET_DEFAULT="yes"
-USE_SOCKET_DYNAMIC="yes"
-USE_DHCP="yes"
-USE_FARP="yes"
-USE_ADDRBLOCK="yes"
-USE_CTR="yes"
-USE_CCM="yes"
-USE_GCM="yes"
-USE_CMAC="yes"
-USE_HA="yes"
-USE_AF_ALG="yes"
-USE_WHITELIST="yes"
-USE_XAUTH_GENERIC="yes"
-USE_XAUTH_EAP="yes"
-USE_PKCS8="yes"
-USE_IFMAP="no"
-USE_CISCO_QUIRKS="no"
-USE_UNITY="yes"
-
-# Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20111212.tar.bz2
-
-# Size of the finished root filesystem in MB
-ROOTFSSIZE=850
-
-# Amount of Memory to use per UML [MB].
-# If "auto" is stated 1/12 of total host ram will be used.
-# Examples: MEM=64, MEM="128", MEM="auto"
-MEM=96
-
-# Directory where the UML kernels and file system will be built
-BUILDDIR=$UMLTESTDIR/umlbuild
-
-# Filename of the built UML Kernel
-UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
+TESTDIR=/srv/strongswan-testing
+
+# Kernel configuration
+KERNELVERSION=3.5.3
+KERNEL=linux-$KERNELVERSION
+KERNELTARBALL=$KERNEL.tar.bz2
+KERNELCONFIG=$DIR/../config/kernel/config-3.5
+KERNELPATCH=ha-3.0.patch.bz2
+
+# strongSwan version used in tests
+SWANVERSION=5.0.2dr4
+
+# Build directory where the guest kernel and images will be built
+BUILDDIR=$TESTDIR/build
+# Directory shared between host and guests
+SHAREDDIR=$BUILDDIR/shared
+
+# Logfile
+LOGFILE=$BUILDDIR/testing.log
+
+# Directory used for loop-mounts
+LOOPDIR=$BUILDDIR/loop
+
+# Common image settings
+IMGEXT=qcow2
+IMGDIR=$BUILDDIR/images
+
+# Base image settings
+# The base image is a pristine OS installation created using debootstrap.
+BASEIMGSIZE=1024
+BASEIMGSUITE=wheezy
+BASEIMGARCH=amd64
+BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT
+BASEIMGMIRROR=http://cdn.debian.net/debian
+
+# Root image settings
+# The root image is the origin of all guest images. It is a clone of the base
+# image and contains additional test-specific software and patches.
+ROOTIMG=$IMGDIR/root.$IMGEXT
+
+# libvirt config
+NBDEV=/dev/nbd0
+NBDPARTITION=${NBDEV}p1
+VIRTIMGSTORE=/var/lib/libvirt/images
+KVMUSER=libvirt-qemu
+KVMGROUP=kvm
# Directory where test results will be stored
-TESTRESULTSDIR=$UMLTESTDIR/testresults
+TESTRESULTSDIR=$TESTDIR/testresults
# SSH configuration (speedup SSH)
-SSHCONF="-F $UMLTESTDIR/testing/ssh_config"
-
-# Path to a full strongswan tree on the host system, which is
-# mounted into /root/strongswan-shared. This gives us an easy
-# way to apply and test changes instantly.
-#SHAREDTREE=/home/martin/strongswan/trunk
-
-# Timezone for the UMLs, look in /usr/share/zoneinfo!
-TZUML="Europe/Zurich"
-
-##############################################################
-# Enable particular steps in the make-testing and
-# start-testing scripts
-#
-ENABLE_BUILD_UMLKERNEL="yes"
-ENABLE_BUILD_SSHKEYS="yes"
-ENABLE_BUILD_HOSTCONFIG="yes"
-ENABLE_BUILD_UMLROOTFS="yes"
-ENABLE_BUILD_UMLHOSTFS="yes"
-ENABLE_START_TESTING="yes"
-ENABLE_DO_TESTS="no"
-ENABLE_STOP_TESTING="no"
+SSHCONF="-F $TESTDIR/testing/ssh_config"
##############################################################
-# How to start the UMLs?
-#
-# Start the UML instance in KDE konsole (requires KDE)
-# UMLSTARTMODE="konsole"
-# Start the UML instance in a gnome-terminal (requires gnome)
-UMLSTARTMODE="gnome-terminal"
-# Start the UML instance in an xterm (requires X11R6)
-# UMLSTARTMODE="xterm"
-# Start the UML instance without a terminal window
-# but screen -r <host> can open a window anytime
-# UMLSTARTMODE="screen"
-
-##############################################################
-# If set to "yes" only the tests stated at $SELECTEDTESTS
-# will be executed. (use "yes" or "no")
-#
-SELECTEDTESTSONLY="no"
-
-# Tests to do if $SELECTEDTESTSONLY is set "yes".
+# Enable particular steps in the make-testing
#
-SELECTEDTESTS="ikev2/rw-cert"
+ENABLE_BUILD_BASEIMAGE="yes"
+ENABLE_BUILD_ROOTIMAGE="yes"
+ENABLE_BUILD_GUESTKERNEL="yes"
+ENABLE_BUILD_GUESTIMAGES="yes"
##############################################################
# hostname and corresponding IPv4 and IPv6 addresses
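Review bot: `KERNELCONFIG=$DIR/../config/kernel/config-3.5` depends on `$DIR`, which this file never sets; it is whatever the sourcing script computed. `start-testing` sets `DIR` to `testing/` (see its `CONFDIR=$DIR/config/kvm`) while `scripts/restore-defaults` sets it to `testing/scripts/`, so the two resolve this path to different places. Either derive it from a variable defined in this file or add a comment such as `# $DIR is set by the sourcing script and must point at testing/scripts`. Separately, `BASEIMGMIRROR=http://cdn.debian.net/debian` fetches the base system over plain HTTP, so image integrity rests entirely on debootstrap's archive signature check. A comment that `--no-check-gpg` must never be combined with this mirror would make that dependency explicit.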
@@ -186,35 +106,5 @@ bob,fec2::10"
# VPN gateways / clients
# The hosts stated here will be created. Possible values
# are sun, moon, dave, carol, alice, venus, bob, winnetou.
-# It's fine to make them all unless you don't have much
-# resources. In this case we assume you know what you do!
-#
-STRONGSWANHOSTS="sun moon dave carol alice venus bob winnetou"
-
-##############################################################
-# Needed programs, do not change!
-#
-PROGRAMS="uml_switch uml_mconsole ssh ssh-keygen iptables \
- chroot screen mkreiserfs"
-
-##############################################################
-# IP parameters of the UML switches
-#
-IFCONFIG_0="192.168.0.254 netmask 255.255.255.0"
-IFCONFIG_1="10.1.0.254 netmask 255.255.0.0"
-IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
-
-##############################################################
-# Network interfaces of the UML instances
#
-SWITCH_alice="eth0=tuntap,tap1_alice,fe:fd:0a:01:00:0a \
- eth1=tuntap,tap0_alice,fe:fd:c0:a8:00:32"
-SWITCH_venus="eth0=tuntap,tap1_venus,fe:fd:0a:01:00:14"
-SWITCH_moon="eth0=tuntap,tap0_moon,fe:fd:c0:a8:00:01 \
- eth1=tuntap,tap1_moon,fe:fd:0a:01:00:01"
-SWITCH_carol="eth0=tuntap,tap0_carol,fe:fd:c0:a8:00:64"
-SWITCH_winnetou="eth0=tuntap,tap0_winnetou,fe:fd:c0:a8:00:96"
-SWITCH_dave="eth0=tuntap,tap0_dave,fe:fd:c0:a8:00:c8"
-SWITCH_sun="eth0=tuntap,tap0_sun,fe:fd:c0:a8:00:02 \
- eth1=tuntap,tap2_sun,fe:fd:0a:02:00:01"
-SWITCH_bob="eth0=tuntap,tap2_bob,fe:fd:0a:02:00:0a"
+STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"
diff --git a/testing/tests/af-alg/alg-camellia/evaltest.dat b/testing/tests/af-alg/alg-camellia/evaltest.dat
index 72e3c5e29..2096cb994 100644
--- a/testing/tests/af-alg/alg-camellia/evaltest.dat
+++ b/testing/tests/af-alg/alg-camellia/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
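Review bot: The new expected pattern `icmp_req=1` on the changed ping line matches only ping builds that print `icmp_req`, so the check will break again if a guest image ships a ping that prints `icmp_seq`. The third field appears to be treated as a regular expression (the neighbouring lines use patterns such as `rw.*ESTABLISHED`), so `icmp_.eq=1` would accept both spellings, e.g. `carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same substitution is made in the other evaltest.dat hunks of this commit (af-alg/rw-cert, gcrypt-ikev1, gcrypt-ikev2, ha/both-active) and would benefit from the same pattern.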
diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/af-alg/alg-camellia/posttest.dat
+++ b/testing/tests/af-alg/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
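Review bot: Teardown now depends entirely on the contents of `/etc/iptables.flush`, which this part of the commit does not show. Without `--noflush`, `iptables-restore` replaces only the tables named in its input, whereas the init script's `stop()` (visible in the ha/both-active deletion further down) walked `/proc/net/ip_tables_names` and reset filter, nat and mangle. If `iptables.flush` declares only `*filter`, nat or mangle rules installed by one test would survive into the next. It is worth confirming that the file carries a `*nat` … `COMMIT` and a `*mangle` … `COMMIT` section alongside `*filter`. The same applies to every other posttest.dat hunk that switches to `iptables-restore < /etc/iptables.flush`.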
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/af-alg/alg-camellia/pretest.dat
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/af-alg/alg-camellia/test.conf b/testing/tests/af-alg/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/af-alg/alg-camellia/test.conf
+++ b/testing/tests/af-alg/alg-camellia/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg/rw-cert/evaltest.dat b/testing/tests/af-alg/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/af-alg/rw-cert/evaltest.dat
+++ b/testing/tests/af-alg/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/af-alg/rw-cert/posttest.dat
+++ b/testing/tests/af-alg/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/af-alg/rw-cert/pretest.dat
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/af-alg/rw-cert/test.conf b/testing/tests/af-alg/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/af-alg/rw-cert/test.conf
+++ b/testing/tests/af-alg/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
index 81e413f98..db5a76204 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -4,7 +4,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
moon:: ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
carol::ip xfrm state::enc cbc(serpent)::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 6d2eeb5f9..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
index 7003977f9..ac3b5e0b0 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -4,7 +4,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
moon:: ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
carol::ip xfrm state::enc cbc(twofish)::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 6d2eeb5f9..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
index d82b68dcb..5f0bb3cdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -4,7 +4,7 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
index 36d72ff97..89e5f4b6e 100644
--- a/testing/tests/ha/both-active/evaltest.dat
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -8,8 +8,8 @@ alice::cat /var/log/daemon.log::HA segment 1 activated::YES
moon:: cat /var/log/daemon.log::HA segment 2 activated::YES
alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 95d3b8828..000000000
--- a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # forward ESP-tunneled traffic
- iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
- iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
- iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # clusterip rules
- iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
- --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2
- iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
- --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2
-
- # allow esp
- iptables -A INPUT -p 50 -j ACCEPT
- iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
- iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow heartbeat
- iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
- iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-
- # allow ICMP type 3
- iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
- iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-
- # allow IGMP multicasts
- iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
- iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..cad1d202a
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2
+-A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2
+
+# allow esp
+-A INPUT -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
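Review bot: The FORWARD rules under "forward ESP-tunneled traffic" only take effect if IP forwarding is enabled, and this rules file cannot enable it. The init script it replaces ran `echo 1 > /proc/sys/net/ipv4/ip_forward` in `start()` before loading the rules. The gcrypt-ikev1 pretest.dat hunks drop the same `echo`, which suggests forwarding is now set globally in the guest image, but that is not visible here. I would record the dependency at the top of the file, e.g. `# requires net.ipv4.ip_forward=1, no longer set by this file (expected from the guest image sysctl)`. The same applies to hosts/moon/etc/iptables.rules.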
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6f7a0316b..000000000
--- a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # forward ESP-tunneled traffic
- iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
- iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
- iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
-
- # clusterip rules
- iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
- --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
- iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
- --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
-
- # allow esp
- iptables -A INPUT -p 50 -j ACCEPT
- iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
- iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow heartbeat
- iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
- iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-
- # allow ICMP type 3
- iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
- iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-
- # allow IGMP multicasts
- iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
- iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..ab7fd7fcb
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
+-A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
+
+# allow esp
+-A INPUT -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
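Review bot: Under "allow esp", `-A INPUT -p 50 -j ACCEPT` accepts ESP from any source on any interface, while the matching OUTPUT rules are pinned to PH_IP_CAROL and PH_IP_DAVE and the IKE/MobIKE rules are pinned to eth0. With default-DROP policies this is the one inbound rule that is not scoped. If ESP is only expected on the external interface, `-A INPUT -i eth0 -p 50 -j ACCEPT` keeps the ruleset consistent. The alice file has the same rule and would take `-i eth1`. The rule was carried over unchanged from the deleted init script, so this is a tightening rather than a regression.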
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
index 49bf76055..e4ffe8eef 100644
--- a/testing/tests/ha/both-active/posttest.dat
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -2,15 +2,15 @@ carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::ip addr del 192.168.0.5/24 dev eth0
moon::ip addr del 10.1.0.5/16 dev eth1
alice::ip addr del 192.168.0.5/24 dev eth1
alice::ip addr del 10.1.0.5/16 dev eth0
-alice::/etc/init.d/net.eth1 stop
+alice::ifdown eth1
venus::ip route del default via 10.1.0.5 dev eth0
venus::ip route add default via 10.1.0.1 dev eth0
moon::conntrack -F
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
index e2e509855..af4d66cfc 100644
--- a/testing/tests/ha/both-active/pretest.dat
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -1,14 +1,14 @@
moon::ip addr add 192.168.0.5/24 dev eth0
moon::ip addr add 10.1.0.5/16 dev eth1
-alice::/etc/init.d/net.eth1 start
+alice::ifup eth1
alice::ip addr add 192.168.0.5/24 dev eth1
alice::ip addr add 10.1.0.5/16 dev eth0
venus::ip route del default via 10.1.0.1 dev eth0
venus::ip route add default via 10.1.0.5 dev eth0
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
alice::ipsec start
carol::ipsec start
diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf
index 0473013e1..8056d9ce4 100644
--- a/testing/tests/ha/both-active/test.conf
+++ b/testing/tests/ha/both-active/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="venus carol dave"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ike/rw-cert/evaltest.dat b/testing/tests/ike/rw-cert/evaltest.dat
index c8fcb2370..e431ce533 100644
--- a/testing/tests/ike/rw-cert/evaltest.dat
+++ b/testing/tests/ike/rw-cert/evaltest.dat
@@ -10,8 +10,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
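Review bot: The new expectation `icmp_req=1` on the two ping lines ties the check to the output of one particular ping build, just as `icmp_seq=1` tied it to the previous one, so a later guest image change can make a working tunnel fail the test. The match field is already used as a regular expression in this file (`home.*INSTALLED`, `rw[{]1}`), so a pattern that accepts both spellings keeps the assertion on the echo reply itself: `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same substitution recurs in the evaltest.dat hunks for ike/rw_v1-net_v2 and the ikev1 alg-*, config-payload and double-nat-net scenarios.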
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
index 587b6aeed..e50793830 100644
--- a/testing/tests/ike/rw-cert/pretest.dat
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::ipsec start
carol::ipsec start
dave::ipsec start
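Review bot: Removing `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` makes this scenario depend on forwarding already being enabled on the gateway, and nothing in this hunk shows where that now happens (presumably the guest image, but that is not visible here). If it is off, the pings from carol and dave to alice fail with no hint that the gateway is simply not routing. An explicit precondition in evaltest.dat, for example `moon::cat /proc/sys/net/ipv4/ip_forward::1::YES`, would make that failure self-explanatory. The same removal appears in the pretest.dat hunks for ike/rw_v1-net_v2, ikev1/compress and ikev1/double-nat-net.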
diff --git a/testing/tests/ike/rw-cert/test.conf b/testing/tests/ike/rw-cert/test.conf
index 845a6dcd7..51bf2b7f2 100644
--- a/testing/tests/ike/rw-cert/test.conf
+++ b/testing/tests/ike/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ike/rw_v1-net_v2/evaltest.dat b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
index f12b19e3d..847a2d92d 100644
--- a/testing/tests/ike/rw_v1-net_v2/evaltest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
@@ -2,13 +2,13 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
index 03b8dc218..f61a4cb51 100644
--- a/testing/tests/ike/rw_v1-net_v2/pretest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::ipsec start
sun::ipsec start
carol::ipsec start
diff --git a/testing/tests/ike/rw_v1-net_v2/test.conf b/testing/tests/ike/rw_v1-net_v2/test.conf
index 983881e5d..864f944d7 100644
--- a/testing/tests/ike/rw_v1-net_v2/test.conf
+++ b/testing/tests/ike/rw_v1-net_v2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="carol moon sun"
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
index a553ff168..abd29e97e 100644
--- a/testing/tests/ikev1/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
@@ -4,12 +4,12 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
moon:: ip xfrm state::enc cbc(des3_ede)::YES
carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
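Review bot: The updated `ip xfrm state` checks match only the label `auth-trunc hmac(md5)` and not the truncation length, although the proposal asserted a few lines above is HMAC_MD5_96 and the length is what `auth-trunc` adds over `auth`. Assuming iproute2 prints the length in bits at the end of that line (to be confirmed on the guest), `moon:: ip xfrm state::auth-trunc hmac(md5).* 96::YES` would verify that the installed SA uses the negotiated ICV size. This matters most in the alg-sha256, alg-sha384 and alg-sha512 evaltest.dat hunks, where the proposals shown there imply 128, 192 and 256.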
diff --git a/testing/tests/ikev1/alg-3des-md5/posttest.dat b/testing/tests/ikev1/alg-3des-md5/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-3des-md5/posttest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/alg-3des-md5/test.conf b/testing/tests/ikev1/alg-3des-md5/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-3des-md5/test.conf
+++ b/testing/tests/ikev1/alg-3des-md5/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index 3787bdb68..cd83c56b4 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev1/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
index c07c176b5..8230ee30c 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
index 7b5640af8..eba856742 100644
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon:: ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha256/posttest.dat
+++ b/testing/tests/ikev1/alg-sha256/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
index 21b3d5a4f..3b24217c5 100644
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev1/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha384/posttest.dat
+++ b/testing/tests/ikev1/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha384/pretest.dat
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
index 7b94d2182..6bdceeb44 100644
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha512/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev1/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha512/posttest.dat
+++ b/testing/tests/ikev1/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/config-payload/evaltest.dat b/testing/tests/ikev1/config-payload/evaltest.dat
index a429e9b32..b46dfddf6 100644
--- a/testing/tests/ikev1/config-payload/evaltest.dat
+++ b/testing/tests/ikev1/config-payload/evaltest.dat
@@ -5,13 +5,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/config-payload/posttest.dat b/testing/tests/ikev1/config-payload/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/config-payload/posttest.dat
+++ b/testing/tests/ikev1/config-payload/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev1/config-payload/pretest.dat
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/config-payload/test.conf b/testing/tests/ikev1/config-payload/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/config-payload/test.conf
+++ b/testing/tests/ikev1/config-payload/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index 05dc82d70..52c561964 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
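Review bot: The CRL-fetch INPUT rule is stateless, so it accepts any TCP packet from PH_IP_WINNETOU with source port 80 regardless of which local port it targets or whether bob opened the connection. If connection tracking is available on the guest (posttest.dat runs `conntrack -F` on moon, so it presumably is), the reply direction could be limited to established flows: `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`. Separately, the `# allow MobIKE` comment labels UDP 4500 in an IKEv1 test whose evaltest.dat expects `ESP in UDP`; `# allow NAT-T (UDP-encapsulated IKE and ESP)` would describe the rule more accurately. The identical file is added under double-nat/hosts/bob/etc/ and both points apply there as well.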
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
bob::ipsec stop
alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
sun::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 41b69aed6..17a4fe5eb 100644
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
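Review bot: With the three `echo 1 > /proc/sys/net/ipv4/ip_forward` lines removed, nothing in this file enables forwarding on bob, moon or sun any more, yet the SNAT rules kept below only take effect when moon and sun actually route packets. The test presumably now relies on the guest image enabling `net.ipv4.ip_forward` at boot, which is not visible in this part of the diff. If that is the intent, it is worth stating in the test's description; otherwise keep `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` and the sun and bob equivalents so the test does not depend on image state. The same removal appears in the pretest.dat hunks for double-nat and esp-alg-aes-xcbc.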
diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat-net/test.conf
+++ b/testing/tests/ikev1/double-nat-net/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index b080482f9..9ddad2de5 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -1,7 +1,7 @@
bob::ipsec stop
alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
sun::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index 10ba6d735..65f18b756 100644
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat/test.conf
+++ b/testing/tests/ikev1/double-nat/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-clear/test.conf
+++ b/testing/tests/ikev1/dpd-clear/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-restart/test.conf
+++ b/testing/tests/ikev1/dpd-restart/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
index f22f1247f..61546f417 100644
--- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -5,6 +5,6 @@ dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
index 4dbf3d4a4..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -2,8 +2,6 @@ dave::ipsec stop
carol::ipsec stop
dave::sleep 1
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
dave::rm /etc/ipsec.d/certs/*
dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 92681011f..9aadb2a4c 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
@@ -10,4 +8,4 @@ carol::sleep 1
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
dave::ipsec up moon
-dave::sleep 2
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-initiator/test.conf
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
index f22f1247f..61546f417 100644
--- a/testing/tests/ikev1/dynamic-responder/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -5,6 +5,6 @@ dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
index 4dbf3d4a4..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -2,8 +2,6 @@ dave::ipsec stop
carol::ipsec stop
dave::sleep 1
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
dave::rm /etc/ipsec.d/certs/*
dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index c0f166ff4..8dc744f9a 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
@@ -10,4 +8,4 @@ moon::sleep 1
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
dave::ipsec up moon
-dave::sleep 2
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-responder/test.conf
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
index 1d5ff68ec..82d2e7318 100644
--- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
index e120b87db..7b2609846 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -3,6 +3,6 @@ dave::ipsec stop
moon::sleep 1
moon::ipsec stop
moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
index 6596a2527..4bb2a4686 100644
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -1,8 +1,8 @@
moon::mv /etc/hosts /etc/hosts.ori
moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-two-peers/test.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 6f7c13704..648920105 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
index 9a8b46897..c86f58081 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
moon:: ip xfrm state::rfc3686(ctr(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index 9d5fb7cc3..a7f52c72e 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
index 74150fb04..d5d3bc0d3 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
index 6f5b89332..b466813fe 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
@@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
-moon:: ip xfrm state::auth xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index 937d85ed2..1b9c6c27e 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
moon:: ip xfrm state::enc ecb(cipher_null)::YES
diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
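Review bot: Nothing visible in this hunk confirms that `iptables-restore < /etc/iptables.rules` actually loaded a ruleset. If the file is missing or fails to parse on a guest, the test would presumably run with no filtering, and the ESP and ping checks would still pass. Assuming the rules file sets a DROP policy, as the nat-rw one added in this commit does, an evaltest.dat line such as `moon::iptables -L INPUT -n::policy DROP::YES` would make that failure visible. The same applies to the other pretest.dat hunks that switch to `iptables-restore` (host2host-cert, host2host-transport, ip-pool-db, ip-pool, nat-rw). In the matching posttest.dat hunks a failed `iptables.flush` restore would leave the previous policy in place for the next test.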
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat
index 53e5589ca..3305f4558 100644
--- a/testing/tests/ikev1/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev1/host2host-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev1/host2host-cert/test.conf
+++ b/testing/tests/ikev1/host2host-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat
index 3021b5e04..fc49e57d8 100644
--- a/testing/tests/ikev1/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev1/host2host-transport/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-transport/posttest.dat
+++ b/testing/tests/ikev1/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 2
diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev1/host2host-transport/test.conf
+++ b/testing/tests/ikev1/host2host-transport/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
index 941cb34c0..42e353084 100644
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -6,7 +6,7 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
@@ -15,7 +15,7 @@ dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
index 5b88b2163..c99f347e3 100644
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::ipsec pool --del bigpool 2> /dev/null
moon::ipsec pool --del dns 2> /dev/null
moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 4a2add194..fce551c69 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat
index db46646a6..1fdc3f087 100644
--- a/testing/tests/ikev1/ip-pool/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev1/ip-pool/posttest.dat
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool/test.conf
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
index c8e7adcb7..2eebc0f84 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca/test.conf
+++ b/testing/tests/ikev1/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
index e0b458dba..387dbae23 100644
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -6,13 +6,13 @@ alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: isakmp-nat-keep-alive::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
alice::cat /var/log/daemon.log::sending keep alive::YES
venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
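Review bot: The CRL-fetch return rule `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` is stateless, so it accepts any TCP segment from winnetou with source port 80 to every local port, including new connections, not only replies to sun's own HTTP request. Restricting it to reply traffic, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m state --state ESTABLISHED -j ACCEPT`, keeps the default-DROP policy meaningful, assuming connection tracking is available on the guest. Separately, the comment `# allow MobIKE` above the UDP 4500 rules is misleading in an ikev1 scenario whose evaltest expects `ESP in UDP`. `# allow NAT-T (UDP-encapsulated ESP)` describes the rule better.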
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/ikev1/nat-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -1,8 +1,8 @@
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/ikev1/nat-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::ipsec start
diff --git a/testing/tests/ikev1/nat-rw/test.conf b/testing/tests/ikev1/nat-rw/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/ikev1/nat-rw/test.conf
+++ b/testing/tests/ikev1/nat-rw/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-virtual-ip/description.txt b/testing/tests/ikev1/nat-virtual-ip/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/description.txt
@@ -0,0 +1,6 @@
+The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
+to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
+virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
+specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
+which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
+This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..c60ffc772
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
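Review bot: This new evaltest checks only `net-net.*ESTABLISHED` and never asserts that the IPsec SA was installed, unlike the sibling scenarios in this commit, which also check `INSTALLED, TUNNEL`. Adding `moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES` and the matching line for sun would let a failure report distinguish a tunnel that never came up from a NAT rule that `/etc/nat_updown` failed to insert. The tcpdump ESP checks cover this only indirectly.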
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts: This file describes a number of hostname-to-address
+# mappings for the TCP/IP subsystem. It is mostly
+# used at boot time, when no name servers are running.
+# On small systems, this file can be used instead of a
+# "named" name server. Just add the names, addresses
+# and any aliases to this file...
+#
+
+127.0.0.1 localhost
+
+192.168.0.254 uml0.strongswan.org uml0
+10.1.0.254 uml1.strongswan.org uml1
+10.2.0.254 uml1.strongswan.org uml2
+
+10.1.0.10 alice.strongswan.org alice
+10.1.0.20 venus.strongswan.org venus
+10.1.0.1 moon1.strongswan.org moon1
+192.168.0.1 moon.strongswan.org moon
+192.168.0.50 alice1.strongswan.org alice1
+192.168.0.100 carol.strongswan.org carol
+10.3.0.1 carol1.strongswan.org carol1
+192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200 dave.strongswan.org dave
+10.3.0.2 dave1.strongswan.org dave1
+192.168.0.2 sun.strongswan.org sun
+10.2.0.1 sun1.strongswan.org sun1
+10.2.0.10 bob.strongswan.org bob
+10.4.0.1 alice2.strongswan.org alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1 ip6-mcast-1
+ff02::1:ff00:2 ip6-mcast-2
+ff02::1:ff00:10 ip6-mcast-10
+ff02::1:ff00:15 ip6-mcast-15
+ff02::1:ff00:20 ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5 ip6-alice1.strongswan.org ip6-alice1
+fec1::10 ip6-alice.strongswan.org ip6-alice
+fec1::20 ip6-venus.strongswan.org ip6-venus
+fec1::1 ip6-moon1.strongswan.org ip6-moon1
+fec0::1 ip6-moon.strongswan.org ip6-moon
+fec0::10 ip6-carol.strongswan.org ip6-carol
+fec3::1 ip6-carol1.strongswan.org ip6-carol1
+fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
+fec0::20 ip6-dave.strongswan.org ip6-dave
+fec3::2 ip6-dave1.strongswan.org ip6-dave1
+fec0::2 ip6-sun.strongswan.org ip6-sun
+fec2::1 ip6-sun1.strongswan.org ip6-sun1
+fec2::10 ip6-bob.strongswan.org ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
+fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
+fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
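Review bot: The entry `10.2.0.254 uml1.strongswan.org uml2` reuses the canonical name of the line above it, so `uml1.strongswan.org` maps to two addresses and `uml2.strongswan.org` does not resolve. It was probably meant to be `10.2.0.254 uml2.strongswan.org uml2`. The evaltest patterns for this scenario match on names that tcpdump resolves through this file (`alice2.strongswan.org`), so a wrong mapping here can silently change what the checks match. A short header comment stating that this per-test copy exists for the `10.4.0.1 alice2.strongswan.org alice2` entry (which appears to be its purpose) would help anyone who later syncs it with the shared hosts file.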
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..28853ce75
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsourceip=%config
+ leftupdown=/etc/nat_updown
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
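Review bot: The two `printf` calls under "resolve octal escape sequences" pass `$PLUTO_MY_ID` and `$PLUTO_PEER_ID` as the format string, so any `%` in an identity is parsed as a conversion specification instead of being copied; the peer ID is presumably derived from what the remote end sent. Neither variable is read again in this script, so the simplest fix is to delete both lines. If the decoding is wanted, the value should be an argument rather than the format, e.g. `PLUTO_PEER_ID=$(printf '%b' "$PLUTO_PEER_ID")`, after confirming that `%b` decodes the escape form the daemon emits. The `iptables` calls in the `up-client:` and `down-client:` arms also expand `$PLUTO_INTERFACE`, `$PLUTO_PEER_CLIENT` and `$PLUTO_MY_SOURCEIP` unquoted; quoting them, e.g. `-o "$PLUTO_INTERFACE"`, keeps an empty or malformed value from shifting the remaining arguments.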
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ff030b5b5
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsourceip=10.4.0.0/24
+ auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
new file mode 100644
index 000000000..11bd19da7
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
new file mode 100644
index 000000000..eb0c28c7f
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev1/nat-virtual-ip/test.conf b/testing/tests/ikev1/nat-virtual-ip/test.conf
new file mode 100644
index 000000000..f46f137b4
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev1/net2net-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
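Review bot: The ping check on the added line is pinned to the literal `icmp_req=1`, which presumably matches only the ping build on the new guest images. The label in ping's reply line differs between iputils releases, so the check is likely to break again on the next image change. The neighbouring lines use `.*`, so the third field appears to be a regular expression, and `icmp_.eq=1` would accept both spellings: `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES`. The same applies to the evaltest.dat hunks for net2net-psk, protoport-dual, rw-cert-aggressive, rw-cert-unity, rw-cert, rw-psk-aggressive and rw-psk-fqdn.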
diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev1/net2net-cert/posttest.dat
+++ b/testing/tests/ikev1/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev1/net2net-cert/test.conf
+++ b/testing/tests/ikev1/net2net-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf
index f6e064e7d..eb4822b5d 100644
--- a/testing/tests/ikev1/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev1/net2net-psk/test.conf
+++ b/testing/tests/ikev1/net2net-psk/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat
index a65460cc8..cf45f3b52 100644
--- a/testing/tests/ikev1/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev1/protoport-dual/evaltest.dat
@@ -2,8 +2,8 @@ carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/protoport-dual/posttest.dat
+++ b/testing/tests/ikev1/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/protoport-dual/test.conf
+++ b/testing/tests/ikev1/protoport-dual/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/rw-cert-aggressive/test.conf b/testing/tests/ikev1/rw-cert-aggressive/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/test.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-cert-unity/evaltest.dat b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
index b6a860b86..c183f48e9 100644
--- a/testing/tests/ikev1/rw-cert-unity/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
@@ -3,6 +3,6 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::10.2.1.1/32 === 192.168.0.0/24 PASS::YES
carol::ipsec status 2> /dev/null::home.*10.2.1.1/32 === 10.1.0.0/16 10.2.1.0/24::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 10.2.1.0/24 === 10.2.1.1/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-unity/test.conf b/testing/tests/ikev1/rw-cert-unity/test.conf
index 25cff970f..09e6f6cdb 100644
--- a/testing/tests/ikev1/rw-cert-unity/test.conf
+++ b/testing/tests/ikev1/rw-cert-unity/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/ikev1/rw-cert/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-cert/posttest.dat
+++ b/testing/tests/ikev1/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-cert/test.conf
+++ b/testing/tests/ikev1/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
index 761abe274..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/rw-psk-aggressive/test.conf b/testing/tests/ikev1/rw-psk-aggressive/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/test.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
index ef964a234..77f548848 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index 761abe274..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
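Review bot: Nothing checks that `iptables-restore < /etc/iptables.rules` actually loaded a ruleset, so a guest where the file is missing or fails to parse runs the scenario with whatever policy was left behind, and as far as this diff shows the evaluation would still pass. Dropping `2> /dev/null` makes the error visible in the log, but the test outcome does not depend on it. If the default rules set DROP policies like the removed init script did (the default file is not visible here), an evaltest.dat line such as `moon::iptables -L INPUT -n::policy DROP::YES` would make the firewall part of what the test asserts. The other pretest.dat hunks that make the same substitution are affected the same way.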
diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
index d56c5220f..df37719e9 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index 761abe274..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat
index dd3143ae7..0f5df71d7 100644
--- a/testing/tests/ikev1/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev1/virtual-ip/evaltest.dat
@@ -14,12 +14,12 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::src PH_IP_CAROL1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::src PH_IP_DAVE1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev1/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/virtual-ip/test.conf
+++ b/testing/tests/ikev1/virtual-ip/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
index 02ed911ba..cd4ebd8ec 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YE
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
index 5b021a09a..34c124c95 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
index 198dd3782..7604a1527 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YE
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
index 5b021a09a..34c124c95 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
index 988a6c541..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
index 0591e22b6..d568273d1 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -5,6 +5,6 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
index 4fb07b912..4fb07b912 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
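Review bot: The rules file cannot carry over `echo 1 > /proc/sys/net/ipv4/ip_forward`, which the removed hosts/moon/etc/init.d/iptables ran in start() before installing its rules, and the pretest.dat hunk for this scenario does not add it either. carol's ping to PH_IP_ALICE in evaltest.dat presumably crosses moon, so forwarding has to be enabled somewhere else, probably in the guest image; that is not visible in this diff. If it is not, a pretest.dat line `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` ahead of the restore keeps the old behaviour. Separately, the `# allow MobIKE` comment sits on the UDP 4500 rules, which also carry NAT-T traffic; `# allow NAT-T / MOBIKE (UDP 4500)` would describe them better.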
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
moon::ipsec start
carol::ipsec start
carol::sleep 1
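Review bot: Nothing in this pretest, or in the evaltest hunks in view, confirms that `iptables-restore < /etc/iptables.rules` actually loaded the ruleset. If the file is missing or fails to parse (for example an unsubstituted `PH_IP_` placeholder), the guests would keep whatever ruleset was in place, and the connectivity checks could still pass with no firewall. An evaltest line along the lines of `moon::iptables -L INPUT -n::policy DROP::YES` would make the test fail in that case. The same applies to the other pretest.dat hunks that switch to `iptables-restore`.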
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
index 988a6c541..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
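Review bot: The pattern `icmp_req=1` ties these checks to the output of one ping build; other iputils releases print `icmp_seq=1`, which is what the removed lines matched. The third field is already used as a regular expression in this file (`rw[{]1}.*INSTALLED`), so `icmp_.eq=1` would accept both spellings, as in `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same substitution is made in the other evaltest.dat hunks of this commit (after-2038-certs, the alg-* tests), so the change would apply there too.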
diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat
index 3efaa5a98..427aa74da 100644
--- a/testing/tests/ikev2/after-2038-certs/evaltest.dat
+++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/after-2038-certs/posttest.dat
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index 4921d5097..baacc1605 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/after-2038-certs/test.conf
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
index a553ff168..abd29e97e 100644
--- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
@@ -4,12 +4,12 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
moon:: ip xfrm state::enc cbc(des3_ede)::YES
carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon:: ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2/alg-3des-md5/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-3des-md5/posttest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
index e2cf773ea..5a14b98d6 100644
--- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
index 177e0ea62..6a5203a2d 100644
--- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
index 39f8b1cc4..ce27fcc05 100644
--- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 7a9874528..f11018347 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -4,11 +4,11 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
index a458f0241..f76522c5c 100644
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-blowfish/test.conf
+++ b/testing/tests/ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
index 0acd6d2ce..5e4ab98b3 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
@@ -10,8 +10,8 @@ carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev2/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
index 4bbc82d9b..6c4e23710 100644
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -6,10 +6,10 @@ moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-moon:: ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
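Review bot: The kernel-side check `auth-trunc hmac(sha256)` is identical to the one in the alg-sha256 hunk, so it cannot tell the 96-bit truncation this test is about from the 128-bit one. Here only the `HMAC_SHA2_256_96` status line and the ESP length of 196 carry that distinction. `ip xfrm state` normally prints the truncation length at the end of the `auth-trunc` line; if the guest's iproute2 does so, the pattern could pin it with `moon:: ip xfrm state::auth-trunc hmac(sha256).* 96::YES`, and likewise for carol. That would catch a kernel SA installed with the wrong ICV length even if the daemon reports the expected proposal.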
diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2/alg-sha256-96/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256-96/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
index 7b5640af8..eba856742 100644
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon:: ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
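Review bot: The new `auth-trunc hmac(sha256)` pattern on the two `ip xfrm state` lines confirms the algorithm but not the truncation length, which is the property that separates this test from alg-sha256-96. The 128-bit ICV is asserted only indirectly, through `HMAC_SHA2_256_128` in `ipsec statusall` and the ESP `length 200` tcpdump lines. If the harness matches per output line and `ip xfrm state` prints the truncation length after the key on the same line (neither is visible in this diff), a pattern such as `auth-trunc hmac(sha256) 0x[0-9a-f]* 128` would pin the kernel-side value. The alg-sha384 and alg-sha512 evaltest.dat hunks have the same gap, with 192 and 256. This hunk starts at line 4 of the file, so earlier checks are not shown.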
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2/alg-sha256/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
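Review bot: `iptables-restore < /etc/iptables.flush` only resets the tables named in that file, and the file is not part of the visible diff. The crl-ldap init script deleted later in this commit had a stop() that walked every table in /proc/net/ip_tables_names and set the nat, mangle and filter policies back to ACCEPT; if the default script did the same, the flush file needs `*nat` and `*mangle` sections as well as `*filter` to keep that behaviour. Otherwise rules left behind by a test that uses NAT or marking could carry over into the next test. Dropping `2> /dev/null` is a gain, since a failed teardown now shows up in the log. The same applies to the other posttest.dat hunks in this commit.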
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
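Review bot: Nothing after the two `iptables-restore < /etc/iptables.rules` lines confirms that the ruleset was actually loaded. iptables-restore leaves the previous table in place when the file is missing or fails to parse, and after a posttest flush that previous state is presumably ACCEPT-all, so every check in evaltest.dat would still pass with no firewall active. If the default rules file sets DROP policies as the crl-ldap one in this commit does, one evaltest.dat line such as `moon::iptables -L INPUT -n::policy DROP::YES` would catch it. The same holds for the other pretest.dat hunks that switch to iptables-restore.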
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat
index 21b3d5a4f..3b24217c5 100644
--- a/testing/tests/ikev2/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha384/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha384/posttest.dat
+++ b/testing/tests/ikev2/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat
index 7b94d2182..6bdceeb44 100644
--- a/testing/tests/ikev2/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha512/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha512/posttest.dat
+++ b/testing/tests/ikev2/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
index b8e91194e..0a6ce8be4 100644
--- a/testing/tests/ikev2/any-interface/pretest.dat
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
alice::ipsec start
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2/any-interface/test.conf
index 25e5cd872..cc04d45e6 100644
--- a/testing/tests/ikev2/any-interface/test.conf
+++ b/testing/tests/ikev2/any-interface/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice sun bob"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice moon sun bob"
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
index 3c41a596c..b6a1c96a6 100644
--- a/testing/tests/ikev2/config-payload-swapped/evaltest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
@@ -3,13 +3,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
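Review bot: The expected string changes from `icmp_seq=1` to `icmp_req=1` on the two ping lines, which ties these checks to the output of whichever ping version the new guest image ships. Other lines in this file use `.*`, so the field appears to be a regular expression, and `icmp_.eq=1` would accept both spellings: `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same change appears in config-payload/evaltest.dat and in the alg-sha256, alg-sha384 and alg-sha512 evaltest.dat hunks. This hunk starts at line 3 of the file, so earlier checks are not shown.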
diff --git a/testing/tests/ikev2/config-payload-swapped/posttest.dat b/testing/tests/ikev2/config-payload-swapped/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload-swapped/posttest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload-swapped/pretest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev2/config-payload-swapped/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload-swapped/test.conf
+++ b/testing/tests/ikev2/config-payload-swapped/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
index a429e9b32..b46dfddf6 100644
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -5,13 +5,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload/posttest.dat
+++ b/testing/tests/ikev2/config-payload/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload/test.conf
+++ b/testing/tests/ikev2/config-payload/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/critical-extension/posttest.dat
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/ikev2/critical-extension/test.conf
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-from-cache/test.conf
+++ b/testing/tests/ikev2/crl-from-cache/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 999d0d183..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
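Review bot: The return-traffic rules match on source port alone: `-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT` admits any TCP segment from winnetou with source port 389 to any local port, not only replies to the CRL fetch. This is carried over unchanged from the deleted init script, but the new file is a natural place to tighten it, e.g. `-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, assuming connection tracking is available in the guest kernel. The comment `# allow MobIKE` above the UDP 4500 pair could read `# allow NAT-T / MOBIKE`, since that port also carries NAT traversal. The moon/etc/iptables.rules hunk adds an identical file and is covered by this note.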
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat
index bddd87424..8474bd3aa 100644
--- a/testing/tests/ikev2/crl-ldap/posttest.dat
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/crls/*
carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 64fa8116b..8ffa9d3ed 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -1,6 +1,6 @@
winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-ldap/test.conf
+++ b/testing/tests/ikev2/crl-ldap/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-revoked/test.conf
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-to-cache/test.conf
+++ b/testing/tests/ikev2/crl-to-cache/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt
index 639e909da..889f8297a 100644
--- a/testing/tests/ikev2/default-keys/description.txt
+++ b/testing/tests/ikev2/default-keys/description.txt
@@ -1,8 +1,8 @@
Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
+and a self-signed X.509 certificate. Because the virtual testing environment
+does not offer enough entropy, the non-blocking /dev/urandom device is used in
+place of /dev/random for generating the random primes.
<p>
The self-signed certificates are then distributed to the peers via scp
and are used to set up a road warrior connection initiated by <b>carol</b>
diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat
index 1c206fff0..4df2d1e11 100644
--- a/testing/tests/ikev2/default-keys/evaltest.dat
+++ b/testing/tests/ikev2/default-keys/evaltest.dat
@@ -4,6 +4,6 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES
moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
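Review bot: The new expected string `icmp_req=1` ties this check to the output format of one particular ping build. The field was spelled `icmp_seq` until this commit, so a guest image with a different ping version would fail the test without any IPsec regression. The other patterns in this file look like regular expressions (`home.*ESTABLISHED.*CN=carol`), so a pattern that accepts both spellings would be more robust: `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same replacement is made in the evaltest.dat hunks of dhcp-dynamic, dhcp-static-client-id and dhcp-static-mac.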
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 5a262c084..000000000
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A INPUT -p tcp --sport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..72a1c17c3
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
@@ -0,0 +1,30 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --sport 22 -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+-A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
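Review bot: In the `# allow ssh` block, `-A INPUT -p tcp --sport 22 -j ACCEPT` matches on the source port only. Under the DROP policy it therefore admits inbound TCP to any destination port on moon, on any interface, as long as the sender uses source port 22. The rule is carried over from the deleted init script and is presumably there for the replies to moon's outbound scp in pretest.dat. Matching on connection state would cover that case without the extra exposure, e.g. `-A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT`, provided the guest kernel has conntrack available. If the stateless form is kept for the test guests, a comment such as `# test guests only: stateless, do not reuse on a real gateway` above the block would make that explicit.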
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
index 8cada5e7e..25f737ecc 100644
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/private/*
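Review bot: Teardown now depends entirely on `/etc/iptables.flush`, which is not added in the part of the commit visible here. The deleted `stop()` flushed every table listed in /proc/net/ip_tables_names and set the nat, mangle and filter policies back to ACCEPT. The flush file needs a `*nat`, `*mangle` and `*filter` section that each restore `ACCEPT` policies; otherwise the `-P ... DROP` policies loaded by iptables.rules stay in force for the next test. It is worth confirming this against the shared file, since the posttest.dat hunks of dhcp-dynamic and dhcp-static-client-id rely on it as well.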
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index 88f9a2ca9..ef5f67097 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
carol::rm /etc/ipsec.secrets
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
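Review bot: Replacing `/etc/init.d/iptables start` with `iptables-restore < /etc/iptables.rules` drops a side effect of the old `start()`. The deleted script also ran `echo 1 > /proc/sys/net/ipv4/ip_forward`, and a rules file cannot set a sysctl. evaltest.dat has carol ping PH_IP_ALICE, which appears to be routed through moon, so forwarding must now be enabled elsewhere, presumably in the guest image, which this diff does not show. If it is not, add `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` ahead of the restore line. The same applies to the pretest.dat hunks of dhcp-dynamic and dhcp-static-client-id.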
@@ -10,9 +10,10 @@ moon::rm /etc/ipsec.d/private/*
moon::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
-moon::sleep 5
+moon::sleep 5
moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload
-carol::ipsec reload
+moon::ipsec reload
+carol::ipsec reload
+carol::sleep 1
carol::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf
index 0baa48d90..ce84ce41a 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/ikev2/default-keys/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
index 4b0ddace7..9e536870e 100644
--- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
@@ -1,11 +1,11 @@
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
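Review bot: The two ARP expectations now hard-code `52:54:00:43:e3:35`, the MAC of one interface in the current guest definition. Regenerating the guests with different MACs would break this test for a reason unrelated to DHCP or IPsec. Both carol3 and dave3 are expected at the same address, so it is presumably moon's inner interface answering on their behalf, but nothing in the file says so. The IP addresses in these tests already go through `PH_IP_*` placeholders; giving the MAC an equivalent substituted placeholder, or at least noting in the test description which guest and interface it belongs to, would keep the check meaningful and maintainable. The same literal appears in the evaltest.dat hunks of dhcp-static-client-id and dhcp-static-mac.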
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow bootpc and bootps
- iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
- iptables -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
-
- # allow broadcasts from eth1
- iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- iptables -A INPUT -j LOG --log-prefix " IN: "
- iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
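Review bot: The `# allow broadcasts from eth1` rule, `-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT`, has no protocol or port match. Under the DROP policy it admits any broadcast packet arriving on eth1, not only DHCP. The neighbouring bootpc/bootps rules suggest it exists to receive broadcast DHCP replies, though the file does not say so. If that is the case, narrowing it to something like `-A INPUT -i eth1 -p udp --dport bootps -d 10.1.255.255 -j ACCEPT` would make the rule match its intent; confirm which port the replies actually arrive on before changing it. The rule is carried over unchanged from the deleted init script, and the identical rules file (same blob 2d9a466b0) is added for dhcp-static-client-id.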
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
index 2176af702..7a178505f 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
@@ -4,11 +4,11 @@ ddns-update-style none;
subnet 10.1.0.0 netmask 255.255.0.0 {
option domain-name "strongswan.org";
- option domain-name-servers 10.1.0.20;
- option netbios-name-servers 10.1.0.10;
- option routers 10.1.0.1;
+ option domain-name-servers PH_IP_VENUS;
+ option netbios-name-servers PH_IP_ALICE;
+ option routers PH_IP_MOON1;
option broadcast-address 10.1.255.255;
- next-server 10.1.0.20;
+ next-server PH_IP_VENUS;
range 10.1.0.50 10.1.0.60;
}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
index 2d35dfd64..ec8c945a7 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
@@ -1,7 +1,7 @@
interface=eth0
dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
dhcp-option=option:domain-name,strongswan.org
log-dhcp
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
- need net
- need logger
-}
-
-start() {
- ebegin "Starting DHCP server"
- start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
- eend $?
-}
-
-stop() {
- ebegin "Stopping DHCP server"
- start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
- rm -f /var/state/dhcp/dhcpd.leases
- touch /var/state/dhcp/dhcpd.leases
- eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
index 1f5487596..f783127bf 100644
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -2,9 +2,9 @@ moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
venus::cat /var/state/dhcp/dhcpd.leases
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
alice::arp -d 10.1.0.50
alice::arp -d 10.1.0.51
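Review bot: Switching to `/etc/init.d/isc-dhcp-server stop` loses the lease reset that the deleted `init.d/dhcpd` did in its `stop()`, which ran `rm -f /var/state/dhcp/dhcpd.leases` followed by `touch` on the same file. Unless the packaged script or the framework clears the file, leases handed out here can carry over into the next DHCP test and change the addresses that evaltest.dat expects. The unchanged `venus::cat /var/state/dhcp/dhcpd.leases` line also still assumes the old lease location although the config moved to /etc/dhcp/dhcpd.conf, so the path should be confirmed on the new guest. If nothing else resets it, add `venus::rm -f /var/state/dhcp/dhcpd.leases` and `venus::touch /var/state/dhcp/dhcpd.leases` after the stop line, using the confirmed path. The dhcp-static-client-id posttest.dat hunk has the same gap.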
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
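Review bot: `venus::/etc/init.d/isc-dhcp-server start 2> /dev/null` still discards stderr. If the daemon refuses to start, for instance because it does not pick up the relocated /etc/dhcp/dhcpd.conf or a `PH_IP_*` placeholder was left unsubstituted, the only symptom is failed address checks later in evaltest.dat. The iptables lines in this same hunk dropped the redirect. Doing the same here, `venus::/etc/init.d/isc-dhcp-server start`, would presumably let the error reach the test log. The identical line is added in the dhcp-static-client-id pretest.dat hunk.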
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
index 830094c7a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
@@ -1,11 +1,11 @@
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow bootpc and bootps
- iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
- iptables -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
-
- # allow broadcasts from eth1
- iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- iptables -A INPUT -j LOG --log-prefix " IN: "
- iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
index 44ee681b6..334ea30e2 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
@@ -4,11 +4,11 @@ ddns-update-style none;
subnet 10.1.0.0 netmask 255.255.0.0 {
option domain-name "strongswan.org";
- option domain-name-servers 10.1.0.20;
- option netbios-name-servers 10.1.0.10;
- option routers 10.1.0.1;
+ option domain-name-servers PH_IP_VENUS;
+ option netbios-name-servers PH_IP_ALICE;
+ option routers PH_IP_MOON1;
option broadcast-address 10.1.255.255;
- next-server 10.1.0.20;
+ next-server PH_IP_VENUS;
range 10.1.0.50 10.1.0.60;
}
@@ -22,4 +22,3 @@ host dave {
option dhcp-client-identifier "dave@strongswan.org";
fixed-address 10.1.0.40;
}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
index 5672236a0..aca225955 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
@@ -2,8 +2,8 @@ interface=eth0
dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
dhcp-host=id:carol@strongswan.org,10.1.0.30
dhcp-host=id:dave@strongswan.org,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
dhcp-option=option:domain-name,strongswan.org
log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
- need net
- need logger
-}
-
-start() {
- ebegin "Starting DHCP server"
- start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
- eend $?
-}
-
-stop() {
- ebegin "Stopping DHCP server"
- start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
- rm -f /var/state/dhcp/dhcpd.leases
- touch /var/state/dhcp/dhcpd.leases
- eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
alice::arp -d 10.1.0.30
alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/test.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
index 830094c7a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
@@ -1,11 +1,11 @@
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
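Review bot: The four expectations changed in this hunk now match only a ping that prints `icmp_req=1`, so the check fails on any iputils build that prints `icmp_seq=1` even when the tunnel works. Other expectations in this file are written as patterns (`home.*ESTABLISHED`), so if this field is matched as a regular expression, a tolerant form such as `64 bytes from 10.1.0.30: icmp_.eq=1` would accept both spellings. The same applies to the `icmp_req` lines in the evaltest.dat hunks for double-nat-net, double-nat, dynamic-initiator, dynamic-two-peers, esp-alg-aes-gmac and esp-alg-md5-128.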
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow bootpc and bootps
- iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
- iptables -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
-
- # allow broadcasts from eth1
- iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- iptables -A INPUT -j LOG --log-prefix " IN: "
- iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
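Review bot: The `allow crl fetch from winnetou` INPUT rule accepts every TCP segment from PH_IP_WINNETOU with source port 80 regardless of connection state, so it admits more than the replies to moon's own fetches. The ssh OUTPUT rule on `--sport 22` is stateless in the same way. If the conntrack match is available on the guests (other posttest files in this commit call `conntrack -F`), the reply direction could be limited with `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The rules are carried over from start() in the deleted init.d/iptables, so this is inherited looseness, not a regression. The same rule appears in the new hosts/bob/etc/iptables.rules files for double-nat-net and double-nat.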
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
index 20666f701..cdade2f2e 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
@@ -4,11 +4,11 @@ ddns-update-style none;
subnet 10.1.0.0 netmask 255.255.0.0 {
option domain-name "strongswan.org";
- option domain-name-servers 10.1.0.20;
- option netbios-name-servers 10.1.0.10;
- option routers 10.1.0.1;
+ option domain-name-servers PH_IP_VENUS;
+ option netbios-name-servers PH_IP_ALICE;
+ option routers PH_IP_MOON1;
option broadcast-address 10.1.255.255;
- next-server 10.1.0.20;
+ next-server PH_IP_VENUS;
range 10.1.0.50 10.1.0.60;
}
@@ -22,4 +22,3 @@ host dave {
hardware ethernet 7a:a7:35:78:bc:85;
fixed-address 10.1.0.40;
}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
index e3729081f..61d31a0ba 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
@@ -2,8 +2,8 @@ interface=eth0
dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30
dhcp-host=7a:a7:35:78:bc:85,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
dhcp-option=option:domain-name,strongswan.org
log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
- need net
- need logger
-}
-
-start() {
- ebegin "Starting DHCP server"
- start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
- eend $?
-}
-
-stop() {
- ebegin "Stopping DHCP server"
- start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
- rm -f /var/state/dhcp/dhcpd.leases
- touch /var/state/dhcp/dhcpd.leases
- eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
alice::arp -d 10.1.0.30
alice::arp -d 10.1.0.40
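Review bot: Stopping the server through `/etc/init.d/isc-dhcp-server stop` no longer resets the lease database. The deleted hosts/venus/etc/init.d/dhcpd ran `rm -f` and `touch` on the leases file in stop(), and nothing in this hunk replaces that. Unless the distribution script does the same, leases from this run remain on venus when the next DHCP test starts, which can change the addresses that test sees. A cleanup line after the stop, along the lines of `venus::rm -f <LEASES_FILE>; touch <LEASES_FILE>` with the path the guest's dhcpd actually uses, would restore the old behaviour.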
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-mac/test.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index 05dc82d70..52c561964 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
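Review bot: The `# allow MobIKE` comment above the UDP 4500 rules is misleading for this test. The double-nat-net evaltest.dat expects `ESP in UDP`, so port 4500 here carries NAT-traversal IKE and UDP-encapsulated ESP; I would word it `# allow NAT-T (IKE and UDP-encapsulated ESP)`. Unlike moon's rules file in dhcp-static-mac, this one has no trailing LOG rules, so packets dropped by the default policy leave no trace when a run fails. Adding `-A INPUT -j LOG --log-prefix " IN: "` and `-A OUTPUT -j LOG --log-prefix " OUT: "` before COMMIT would keep the two consistent. The identical file is added for double-nat.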
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
bob::ipsec stop
alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
sun::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index 41b69aed6..17a4fe5eb 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
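Review bot: With the three `echo 1 > /proc/sys/net/ipv4/ip_forward` lines removed, nothing in this pretest makes moon and sun forward packets, yet the SNAT rules that follow only act on forwarded traffic. Presumably the new guest images enable forwarding persistently; if so, that dependency is worth stating in the test's description. Otherwise `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` and the `sun::` equivalent should stay. The double-nat pretest.dat hunk drops the same lines.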
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat-net/test.conf
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index b080482f9..9ddad2de5 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -2,6 +2,6 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -1,7 +1,7 @@
bob::ipsec stop
alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
sun::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 10ba6d735..65f18b756 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat/test.conf
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-clear/test.conf
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 5442565f8..f8b62b953 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-restart/test.conf
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
index 9d050ecde..3db70be71 100644
--- a/testing/tests/ikev2/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
@@ -5,6 +5,6 @@ dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES
moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
index 4dbf3d4a4..83063a23f 100644
--- a/testing/tests/ikev2/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -2,8 +2,8 @@ dave::ipsec stop
carol::ipsec stop
dave::sleep 1
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
dave::rm /etc/ipsec.d/certs/*
dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
index 92681011f..3e1cfce77 100644
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/dynamic-initiator/test.conf
+++ b/testing/tests/ikev2/dynamic-initiator/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
index 1d5ff68ec..82d2e7318 100644
--- a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
index e120b87db..7b2609846 100644
--- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
@@ -3,6 +3,6 @@ dave::ipsec stop
moon::sleep 1
moon::ipsec stop
moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
index 6596a2527..4bb2a4686 100644
--- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
@@ -1,8 +1,8 @@
moon::mv /etc/hosts /etc/hosts.ori
moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2/dynamic-two-peers/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/dynamic-two-peers/test.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
index 74150fb04..d5d3bc0d3 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
index a66edc5fe..366539936 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
@@ -2,10 +2,10 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
-moon:: ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
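Review bot: The kernel-state patterns `auth-trunc hmac(md5)` on the moon and carol lines match any truncation length, so the one check that reads the installed SA does not distinguish the 128-bit truncation this test is named for from the default 96-bit one. The length is still pinned indirectly by the `HMAC_MD5_128` statusall lines and the `length 184` tcpdump lines, but anchoring the xfrm check as well would catch a mismatch between what the daemon reports and what the kernel installed. A pattern such as `moon:: ip xfrm state::auth-trunc hmac(md5) 0x[0-9a-f]* 128::YES` would do that, assuming `ip xfrm state` on the guest image prints the key followed by the truncation length. The same applies to the `auth-trunc hmac(sha1)` lines in esp-alg-sha1-160/evaltest.dat, with `160`.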
diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/test.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
index 937d85ed2..1b9c6c27e 100644
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
moon:: ip xfrm state::enc ecb(cipher_null)::YES
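Review bot: The ping expectation `icmp_req=1` on the carol line is tied to the spelling one iputils release prints, so the test breaks again on any guest whose ping prints `icmp_seq=1`. The expectation fields are already written as regular expressions in this file (`rw.*ESTABLISHED`), so a pattern that accepts both spellings keeps the check valid across images: `carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same substitution recurs in the other evaltest.dat hunks of this commit (esp-alg-md5-128, esp-alg-sha1-160, farp, force-udp-encaps, the host2host tests, inactivity-timeout, ip-pool-db).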
diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
index 52c27cba5..00c353686 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
@@ -2,10 +2,10 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
-moon:: ip xfrm state::auth hmac(sha1)::YES
-carol::ip xfrm state::auth hmac(sha1)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha1)::YES
+carol::ip xfrm state::auth-trunc hmac(sha1)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat
index 21b10d170..891ec20d5 100644
--- a/testing/tests/ikev2/farp/evaltest.dat
+++ b/testing/tests/ikev2/farp/evaltest.dat
@@ -1,11 +1,11 @@
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
@@ -14,12 +14,12 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/farp/posttest.dat
+++ b/testing/tests/ikev2/farp/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
index 709931e1b..f0254da6c 100644
--- a/testing/tests/ikev2/farp/pretest.dat
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
alice::arp -d 10.1.0.30
alice::arp -d 10.1.0.40
carol::ipsec start
diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2/farp/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/farp/test.conf
+++ b/testing/tests/ikev2/farp/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
index d7fe707ab..36af646d2 100644
--- a/testing/tests/ikev2/force-udp-encaps/evaltest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
@@ -3,6 +3,6 @@ sun:: ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@
alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
-alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > alice.strongswan.org.*: UDP::YES
+alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > alice.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 5bb63f5ac..000000000
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
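Review bot: The comment `# allow MobIKE` above the two UDP 4500 rules mislabels them for this test. The init script this file replaces called the same rules `# allow NAT-T`, and force-udp-encaps exists to exercise UDP-encapsulated ESP on that port. I would write `# allow NAT-T (UDP-encapsulated ESP and IKE on port 4500)` so that someone auditing the ruleset sees why the port is open. A one-line header comment saying that the file is loaded with `iptables-restore` from pretest.dat and defines only the filter table would also help.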
diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2/force-udp-encaps/posttest.dat
index 979f2fcd0..03edb42cb 100644
--- a/testing/tests/ikev2/force-udp-encaps/posttest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/posttest.dat
@@ -1,6 +1,6 @@
alice::ipsec stop
sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat
index 6f00cd387..7be66867a 100644
--- a/testing/tests/ikev2/force-udp-encaps/pretest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat
@@ -1,8 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
sun::ip route add 10.1.0.0/16 via PH_IP_MOON
winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
alice::ipsec start
sun::ipsec start
alice::sleep 4
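Review bot: IP forwarding is no longer switched on anywhere in this test. This hunk drops `moon::echo 1 > /proc/sys/net/ipv4/ip_forward`, and the deleted sun init script, which wrote the same sysctl in `start()`, is replaced by an iptables.rules file that cannot set it. alice reaches PH_IP_BOB through the tunnel to sun, so sun presumably has to forward, and moon too if it routes between alice and sun. The test now depends on the guest image enabling forwarding by default, which is not visible in this diff. If that is not guaranteed, keep the explicit step, e.g. `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` and an equivalent `sun::` line before `alice::ipsec start`.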
diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2/force-udp-encaps/test.conf
index d84149aaf..42fa97190 100644
--- a/testing/tests/ikev2/force-udp-encaps/test.conf
+++ b/testing/tests/ikev2/force-udp-encaps/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat
index 53e5589ca..3305f4558 100644
--- a/testing/tests/ikev2/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-cert/test.conf
+++ b/testing/tests/ikev2/host2host-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev2/host2host-swapped/evaltest.dat
index 53e5589ca..3305f4558 100644
--- a/testing/tests/ikev2/host2host-swapped/evaltest.dat
+++ b/testing/tests/ikev2/host2host-swapped/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev2/host2host-swapped/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-swapped/test.conf
+++ b/testing/tests/ikev2/host2host-swapped/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
index 3021b5e04..fc49e57d8 100644
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su
sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-transport/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 2
diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev2/host2host-transport/test.conf
+++ b/testing/tests/ikev2/host2host-transport/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index dceceaef6..221c59318 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,8 +1,8 @@
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::sleep 15::NO
carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::NO
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat
index 94a400606..6ca9c5b35 100644
--- a/testing/tests/ikev2/inactivity-timeout/posttest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat
@@ -1,4 +1,3 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
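Review bot: moon is left out of the firewall handling in this test: the posttest no longer resets moon's ruleset and pretest.dat no longer loads one, while carol keeps both steps. moon therefore runs with whatever filter state the previous test left behind, so the outcome can depend on test order if an earlier run aborted before its posttest. If moon is meant to run without a firewall here, flushing it explicitly still gives a known starting state, e.g. `moon::iptables-restore < /etc/iptables.flush` as the first line of pretest.dat. The contents of that flush file are not visible in this diff, so whether it also resets the chain policies should be confirmed.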
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
index 3c3df0196..b949aaeaf 100644
--- a/testing/tests/ikev2/inactivity-timeout/pretest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
-carol::sleep 1
+carol::sleep 1
carol::ipsec up home
carol::sleep 1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/inactivity-timeout/test.conf
+++ b/testing/tests/ikev2/inactivity-timeout/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index 941cb34c0..42e353084 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -6,7 +6,7 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
@@ -15,7 +15,7 @@ dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 5b88b2163..c99f347e3 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::ipsec pool --del bigpool 2> /dev/null
moon::ipsec pool --del dns 2> /dev/null
moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 4a2add194..fce551c69 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
index fd15d5209..44310cd16 100644
--- a/testing/tests/ikev2/ip-pool-wish/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org.::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 1f4ff286a..1466fd2f2 100644
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-wish/test.conf
+++ b/testing/tests/ikev2/ip-pool-wish/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
index db46646a6..8ea7960b5 100644
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -3,19 +3,19 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool/test.conf
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index fd0413d11..fdc3d4d3f 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -28,10 +28,10 @@ carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/res
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
-alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
-dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # masquerade crl fetches to winnetou
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
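Review bot: This ruleset carries over the FORWARD and MASQUERADE rules from the deleted init script but not its `echo 1 > /proc/sys/net/ipv4/ip_forward`, which an iptables-restore file cannot express. Unless the guest image enables forwarding elsewhere (not visible in this part of the diff), the FORWARD rules for CRL fetches never see traffic; either add `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` to pretest.dat or add a comment here such as `# IP forwarding is expected to be enabled by the guest image`. Because iptables-restore only flushes the tables named in its input, /etc/iptables.flush also needs a `*nat` section, otherwise the MASQUERADE rule survives teardown and leaks into the next test. The identical iptables.rules added for ip-two-pools-mixed/hosts/moon raises the same two points.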
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 7b0393ebd..9c0bb5cae 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -3,11 +3,11 @@ venus::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::ip route del 10.3.0.0/16 via PH_IP_MOON
moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index e4eb8b0b9..3aba87994 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -8,11 +8,11 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
moon::ipsec pool --statusattr 2> /dev/null
moon::ip route add 10.3.0.0/16 via PH_IP_MOON
moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
alice::ipsec start
venus::ipsec start
carol::ipsec start
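Review bot: alice and venus now load the shared `/etc/iptables.rules`, but the commit deletes their per-test `init.d/iptables` overrides and, in the sections visible here, adds a per-test `iptables.rules` only for moon. In this scenario both hosts act as IPsec clients, and the deleted scripts opened ESP, UDP 500 and UDP 4500 on eth0 under a default-DROP policy. It is worth confirming that the default guest ruleset for alice and venus permits the same traffic, or adding `hosts/alice/etc/iptables.rules` and `hosts/venus/etc/iptables.rules` next to moon's. Otherwise the test fails at IKE negotiation for reasons unrelated to the pool logic it is meant to exercise.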
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
index ea1307b16..c88e11d28 100644
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice venus carol dave"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus moon carol dave"
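Review bot: `VIRTHOSTS` keeps the old host list, which omits venus, although `TCPDUMPHOSTS` and `IPSECHOSTS` in the same file both name venus and the diagram is `a-v-m-c-w-d.png`. How the harness consumes VIRTHOSTS is not visible here; if it only prepares or restores guests from that list, venus would be skipped while IPsec and tcpdump are still started on it. The line would then read `VIRTHOSTS="alice venus moon carol winnetou dave"`.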
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
index 3b09b32bd..0d7a36452 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -13,8 +13,8 @@ moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*
moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # masquerade crl fetches to winnetou
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
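Review bot: The CRL-fetch return rule `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` (and its FORWARD twin) matches on source port alone, so any TCP segment from winnetou with source port 80 is accepted to any local port, whether or not moon opened the connection. Tying the return direction to connection state closes that, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`; the ssh `OUTPUT --sport 22` rule can be restricted in the same way. The rules were carried over unchanged from the removed init script, and the same pattern is in the ip-two-pools moon file and the mobike-nat alice and sun files added by this commit.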
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index db5e6237f..a3924b2f6 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -1,9 +1,9 @@
carol::ipsec stop
alice::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
moon::conntrack -F
moon::ipsec pool --del intpool 2> /dev/null
moon::rm /etc/ipsec.d/ipsec.*
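Review bot: Teardown now depends entirely on `/etc/iptables.flush`, which is not shown in this part of the diff, while the removed `stop()` walked every table in `/proc/net/ip_tables_names` and reset the nat, mangle and filter policies to ACCEPT. If the flush file omits a table, moon's `*nat` MASQUERADE rule or a DROP policy would survive into the next test, so it is worth confirming the file has a section for filter, nat and mangle. The `2> /dev/null` was also dropped, so a restore error now lands in the test log, which seems intended. The same replacement is made in the ip-two-pools and mobike-nat posttest.dat hunks.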
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index b579464f2..b74c1e07a 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,9 +1,9 @@
moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
carol::ipsec start
moon::ipsec start
alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice carol"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
index 7a0c1ed6f..0bf3500b5 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -5,5 +5,5 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
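Review bot: The expected string `icmp_req=1` pins the check to the ping build in the current guest image, and the ping6 line just below still expects `icmp_seq=1`, so the two checks in this file now rely on different output formats. If the pattern field of an evaltest line is matched as a regular expression (other lines use `.*`), `icmp_.eq=1` would accept either spelling and survive an iputils change. The same substitution is made in the ip-two-pools, mobike-nat and mobike-virtual-ip evaltest.dat hunks.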
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
index fafe030c1..bb20cae05 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
@@ -1,5 +1,4 @@
alice::ip -6 route del default via fec1:\:1
carol::ipsec stop
-moon::echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
moon::ipsec stop
moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
index f97ff54b5..04139badf 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
@@ -1,5 +1,4 @@
alice::ip -6 route add default via fec1:\:1
-moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
index c86dd1d66..cd03759f0 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="carol"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat
index 5de62e447..fad3781d7 100644
--- a/testing/tests/ikev2/ip-two-pools/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -10,12 +10,12 @@ moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
-moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # masquerade crl fetches to winnetou
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
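Review bot: The FORWARD and MASQUERADE rules in this file only take effect when IPv4 forwarding is on, and the init script it replaces set that itself with `echo 1 > /proc/sys/net/ipv4/ip_forward` in `start()`. Nothing in this test's pretest.dat enables forwarding now, so moon presumably gets it from the guest image; a comment above the FORWARD rules would record the dependency, e.g. `# requires net.ipv4.ip_forward=1, now expected from the guest configuration`. The sun rules file in mobike-nat replaces a script that did the same.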
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f41bb0fbc..2fbc2c3a0 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,8 +1,8 @@
alice::ipsec stop
carol::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
moon::conntrack -F
moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index db422a105..4e8b639f4 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
carol::ipsec start
moon::ipsec start
alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools/test.conf
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice carol"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
index aded7a040..c71e3f7c1 100644
--- a/testing/tests/ikev2/mobike-nat/evaltest.dat
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -2,14 +2,14 @@ alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::
sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
alice::sleep 1::No output expected::NO
alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IPsec tunnel traffic
- iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index efbce1fb2..ffb7f563a 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -10,7 +10,7 @@ conn %default
keyexchange=ikev2
conn mobike
- left=PH_IP_ALICE1
+ left=192.168.0.50
leftsourceip=%config
leftcert=aliceCert.pem
leftid=alice@strongswan.org
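Review bot: `left=192.168.0.50` replaces the `PH_IP_ALICE1` placeholder with a literal, but this test's evaltest.dat still matches `PH_IP_ALICE1` in its first two `ipsec status` checks, whereas the mobike-virtual-ip evaltest.dat was switched to the literal in this same commit. If the placeholder no longer expands to 192.168.0.50 those checks stop matching; if it still does, keeping `left=PH_IP_ALICE1` avoids a second copy of the address. The `conn mobike` section continues beyond this hunk.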
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..6dd261f20
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IPsec tunnel traffic
- iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..0a7d1fa40
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
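Review bot: The comment `# allow MobIKE` over the UDP 4500 rules replaces the old script's `# allow NAT-T` and no longer explains why these two rules, unlike alice's, leave the peer port open (`--dport 4500` inbound, `--sport 4500` outbound). UDP 4500 is the NAT-traversal port, and a peer behind a NAT arrives from a translated source port, so I would write `# allow NAT-T and MOBIKE on UDP 4500; peer port is unrestricted because the peer may be behind a NAT`. The IKE rules on port 500 above are open in the same way and could share the comment.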
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
index cd0d4df25..f4e5316c9 100644
--- a/testing/tests/ikev2/mobike-nat/posttest.dat
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -1,6 +1,6 @@
alice::ipsec stop
sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index 08c2be95c..86ac6e7e0 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -1,12 +1,11 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::ipsec start
sun::ipsec start
-alice::sleep 2
+alice::sleep 2
alice::ipsec up mobike
alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-nat/test.conf
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="bob moon sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
index c4c7b0b6f..17593ef82 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
alice::sleep 1::No output expected::NO
alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IPsec tunnel traffic
- iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
index efbce1fb2..ffb7f563a 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -10,7 +10,7 @@ conn %default
keyexchange=ikev2
conn mobike
- left=PH_IP_ALICE1
+ left=192.168.0.50
leftsourceip=%config
leftcert=aliceCert.pem
leftid=alice@strongswan.org
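Review bot: `left=192.168.0.50` replaces the `PH_IP_ALICE1` placeholder with a literal that is repeated in sun's `right=` line and in the evaltest.dat patterns of both mobike tests, so a change to that address has to be made by hand in several files. If the placeholder is still available in the test framework, keeping it would be preferable. Otherwise a comment such as `# alice's second address, formerly PH_IP_ALICE1` above the line would record what the literal stands for. In the evaltest.dat patterns the unescaped dots match any character, and `192\.168\.0\.50` would be exact. The conn section continues outside the hunk.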
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
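Review bot: The reply-direction rules match on source port alone, so `-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` admits any TCP segment from winnetou with source port 80, including a new connection to an arbitrary local port. `-A OUTPUT -p tcp --sport 22 -j ACCEPT` is equally broad outbound. Both are carried over from the removed init script and are tolerable on a closed test network, but rule files like this tend to be copied as templates. Adding `-m conntrack --ctstate ESTABLISHED` to the two reply rules, or a comment such as `# stateless on purpose: test network only`, would make the intent explicit. The same rules appear in the sun rule file of this test and in both rule files under mobike/.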
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IPsec tunnel traffic
- iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
index eeee6ffb0..2b0c8aebd 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn mobike
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
- right=PH_IP_ALICE1
+ right=192.168.0.50
rightsourceip=10.3.0.3
rightid=alice@strongswan.org
auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
@@ -1,5 +1,5 @@
alice::ipsec stop
sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
sun::ip route add 10.1.0.0/16 via PH_IP_MOON
alice::ipsec start
sun::ipsec start
-alice::sleep 2
+alice::sleep 2
alice::ipsec up mobike
alice::sleep 1
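Review bot: Nothing in this test enables IP forwarding any more. The `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` line is dropped here, and the removed sun init script did the same `echo 1` in its start(), which `iptables-restore < /etc/iptables.rules` cannot replace. Unless the guest images set the sysctl persistently (not visible in this part of the commit), sun's FORWARD rules and moon's routing between alice and sun depend on an unstated default. Either keep the `moon::` line and add `sun::echo 1 > /proc/sys/net/ipv4/ip_forward`, or state in the test description that the image provides it. mobike/pretest.dat has the same change.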
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/test.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="bob moon sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
index ebf5ad4cf..e3464040e 100644
--- a/testing/tests/ikev2/mobike/evaltest.dat
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall 2> /dev/null::PH_IP_ALICE1/32 === 10.2.0.0/16::YES
-sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE1/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
+alice::ipsec statusall 2> /dev/null::192.168.0.50/32 === 10.2.0.0/16::YES
+sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 192.168.0.50/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
alice::sleep 1::No output expected::NO
alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
alice::ipsec statusall 2> /dev/null::PH_IP_ALICE/32 === 10.2.0.0/16::YES
sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IPsec tunnel traffic
- iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
index 66cbce781..95683fdc3 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -10,7 +10,7 @@ conn %default
keyexchange=ikev2
conn mobike
- left=PH_IP_ALICE1
+ left=192.168.0.50
leftcert=aliceCert.pem
leftid=alice@strongswan.org
right=PH_IP_SUN
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 6934b1948..000000000
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IPsec tunnel traffic
- iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
index f3fa9209c..f7693106f 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -14,6 +14,6 @@ conn mobike
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=10.2.0.0/16
- right=PH_IP_ALICE1
+ right=192.168.0.50
rightid=alice@strongswan.org
auto=add
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike/posttest.dat
+++ b/testing/tests/ikev2/mobike/posttest.dat
@@ -1,5 +1,5 @@
alice::ipsec stop
sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike/pretest.dat
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
sun::ip route add 10.1.0.0/16 via PH_IP_MOON
alice::ipsec start
sun::ipsec start
-alice::sleep 2
+alice::sleep 2
alice::ipsec up mobike
alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike/test.conf
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="bob moon sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 4a72b4392..65a003d23 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -6,7 +6,7 @@ moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
@@ -18,4 +18,4 @@ moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 22806012345600
moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
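Review bot: The `::NO` check on the last line asserts that dave cannot reach alice, but with the literal `icmp_req=1` it also passes whenever ping prints a different spelling of the sequence field. A path that wrongly works after the failed EAP-SIM authentication would then go unnoticed. Matching only on the part that does not vary, `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::NO`, keeps the negative check tied to reachability. The positive carol check in the previous hunk fails visibly in the same situation, so only the negative assertion carries this risk.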
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+ simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index dfceb037d..91425f812 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -59,4 +59,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
index 002ee94d1..aaabab89e 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
@@ -4,4 +4,3 @@
228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
- default_eap_type = sim
- sim {
- }
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
- sim_files {
- simtriplets = "/etc/raddb/triplets.dat"
- }
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
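Review bot: The INPUT rules under `allow crl fetch from winnetou` and `allow RADIUS protocol with alice` match only on source address and source port, so a packet from PH_IP_WINNETOU with TCP source port 80, or from PH_IP_ALICE with UDP source port 1812, is accepted on any local port whether or not moon initiated the exchange. Since the rules are being rewritten for iptables-restore anyway, the reply direction could be tied to connection state, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, with the same match on the `--sport 1812` rule. The same source-port pattern appears in the new iptables.rules files for multi-level-ca-ldap (port 389), nat-rw-mark and nat-rw-psk. The `--dport 22` rule has no interface or source restriction; if that is there for the test harness, a comment such as `# ssh from any interface: used by the test framework` would say so.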
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index dbe56013a..6a4da6631 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,7 +1,4 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index b3fd4cbf1..2d54c6027 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,11 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
moon::ipsec start
carol::ipsec start
dave::ipsec start
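Review bot: The three `/etc/init.d/iptables start` lines are removed without a replacement, so nothing in this pretest loads the `hosts/moon/etc/iptables.rules` file that the same commit adds for this test, unless the framework loads it somewhere not shown here. The multi-level-ca-ldap pretest, by contrast, gains `moon::iptables-restore < /etc/iptables.rules`. If this test is still meant to run with the firewall up, add that line (and the carol/dave equivalents) before `moon::ipsec start`, plus the matching `iptables-restore < /etc/iptables.flush` lines in posttest.dat, which likewise only drops the stop calls. If the firewall was dropped on purpose, the new rules file is unused and the RADIUS and CRL rules in it are never exercised.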
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
index 70416826e..42d23a50b 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -1,21 +1,25 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
index c8e7adcb7..2eebc0f84 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
index ec4ba6e10..6f0ec4b97 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
@@ -3,5 +3,5 @@ carol::ipsec stop
dave::ipsec stop
moon::rm /etc/ipsec.d/cacerts/*
winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
index 322f42102..41319ae4d 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -1,5 +1,5 @@
winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
index 0a0ec22bf..bb538c160 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
carol::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2/multi-level-ca-loop/test.conf
index 3189fdfc7..a24ec4f1d 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
index 9f0232a7b..e209e60ff 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
index b118cb7dc..587964390 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca/test.conf
+++ b/testing/tests/ikev2/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt
index 2a93d11d8..b8074e665 100644
--- a/testing/tests/ikev2/nat-rw-mark/description.txt
+++ b/testing/tests/ikev2/nat-rw-mark/description.txt
@@ -1,7 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.
<p/>
In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
index db9e969d2..bb8e856cc 100644
--- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -6,13 +6,13 @@ sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@
sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
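Review bot: The two ping checks now expect `icmp_req=1` where they used to expect `icmp_seq=1`, which ties the test result to the ping build shipped in the guest image. The other patterns in this file use `.*`, so the field appears to be a regular expression, and `icmp_.eq=1` would accept both spellings: `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES`. The same applies to the two ping lines in nat-rw-psk/evaltest.dat.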
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
# uncomment to log VPN connections
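Review bot: The new PATH line still lists `/usr/sbin` twice, and it overwrites PATH unconditionally although the comment above it says "in case it is not set". For an updown hook, which is presumably run by the IKE daemon with elevated privileges, a fixed PATH is the safer behaviour, so I would keep the unconditional assignment and correct the comment and the duplicate: `# use a fixed PATH; do not inherit the caller's` and `PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"`. Dropping the second `/usr/sbin` does not change lookup order. The script body continues outside the hunk.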
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
index 89d5f534b..72dff4e10 100644
--- a/testing/tests/ikev2/nat-rw-mark/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -2,10 +2,11 @@ sun::iptables -t mangle -v -n -L PREROUTING
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
moon::conntrack -F
+sun::iptables-restore < /etc/iptables.flush
sun::conntrack -F
sun::rm /etc/mark_updown
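Review bot: `sun::iptables-restore < /etc/iptables.flush` is added twice, once after the venus line and again after `moon::conntrack -F`; one of them can go. pretest.dat adds rules to sun's nat and mangle tables and to moon's nat table, and the explicit `moon::iptables -t nat -F` is replaced by the flush file, whose contents are not part of this hunk. It is worth confirming that the flush file resets nat and mangle as well as filter, otherwise the SNAT and MARK rules carry over into the next test. nat-rw-psk/posttest.dat keeps `moon::iptables -t nat -F`, so the two tests now clean up moon in different ways.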
diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
index 3ed13d5fa..6cddfd4fe 100644
--- a/testing/tests/ikev2/nat-rw-mark/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -1,21 +1,20 @@
-sun::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
sun::ipsec start
alice::ipsec start
venus::ipsec start
-alice::sleep 2
+alice::sleep 2
alice::ipsec up nat-t
-venus::sleep 2
+venus::sleep 2
venus::ipsec up nat-t
venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf
index ae3c190b8..105472cbe 100644
--- a/testing/tests/ikev2/nat-rw-mark/test.conf
+++ b/testing/tests/ikev2/nat-rw-mark/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon bob"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index 051db978a..6ec29c779 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -3,7 +3,7 @@ venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/ikev2/nat-rw-psk/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -1,8 +1,8 @@
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat
index 6a542ec8f..c5d091f32 100644
--- a/testing/tests/ikev2/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::rm /etc/ipsec.d/cacerts/*
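Review bot: Nothing verifies that the three `iptables-restore < /etc/iptables.rules` lines actually loaded a ruleset, and this test directory ships a rules file only for sun, so alice and venus presumably rely on a default /etc/iptables.rules from the guest image. If that file is missing, the redirection fails, the host keeps whatever rules were loaded before, and the test can still pass with no DROP policy in place. An evaltest.dat line such as `sun::iptables -L INPUT -n::policy DROP::YES` (one per firewalled host) would make the test fail rather than silently run without a firewall. The hunk also removes `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` while moon still gets the SNAT rules, so forwarding on moon now has to be enabled by the guest image. The nat-rw and nat-virtual-ip pretest.dat hunks drop the same line.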
diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/ikev2/nat-rw-psk/test.conf
+++ b/testing/tests/ikev2/nat-rw-psk/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
index e0b458dba..387dbae23 100644
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -6,13 +6,13 @@ alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: isakmp-nat-keep-alive::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
alice::cat /var/log/daemon.log::sending keep alive::YES
venus::cat /var/log/daemon.log::sending keep alive::YES
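Review bot: Changing the expected ping text from `icmp_seq=1` to `icmp_req=1` pins these checks to the output of one ping build, so a guest image whose ping prints `icmp_seq` fails every one of these lines even though the tunnel works. Other patterns in this file are written as regular expressions (`nat-t.*INSTALLED`, `nat-t[{]1}`), so `icmp_.eq=1` would accept both spellings, for example `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES`. The tcpdump lines have the same fragility in the other direction: `sun.strongswan.org.4500` matches only if tcpdump prints the numeric port rather than the `ipsec-nat-t` service name the old pattern expected. The ping change recurs in the nat-virtual-ip, net2net-cert, net2net-pgp-v3, net2net-pgp-v4, net2net-psk-dscp, net2net-psk and net2net-pubkey evaltest.dat hunks.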
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/ikev2/nat-rw/posttest.dat
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -1,8 +1,8 @@
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::ipsec start
diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/ikev2/nat-rw/test.conf
+++ b/testing/tests/ikev2/nat-rw/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
index 9c98e312a..c60ffc772 100644
--- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -1,7 +1,7 @@
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
index ee30e2c59..11bd19da7 100644
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::conntrack -F
moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index abbca90d7..eb0c28c7f 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/nat-virtual-ip/test.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun bob"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-cert/test.conf
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-esn/posttest.dat
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-esn/test.conf
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
index 97dd63c5a..460c659d9 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/private/*
sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-pgp-v3/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
index 4615c3ed8..f74eb6a19 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*b4:
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/private/*
sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-pgp-v4/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
index 1556143cf..113c3d9c0 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES
moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES
sun:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES
sun:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
index d070c1443..21a22bfb8 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
alice::iptables -t mangle -F OUTPUT
venus::iptables -t mangle -F OUTPUT
bob::iptables -t mangle -F OUTPUT
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
index 058c24f8f..0495890dd 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -1,7 +1,7 @@
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/test.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
index 976a196db..cb9282595 100644
--- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf
index f6e064e7d..eb4822b5d 100644
--- a/testing/tests/ikev2/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat
index c98f5d78d..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
index cbdddfb18..ba909a234 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -8,5 +8,5 @@
: PSK 'My "home" is my "castle"!'
-192.168.0.1 : PSK "Andi's home"
+PH_IP_MOON : PSK "Andi's home"
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-psk/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
index 976a196db..cb9282595 100644
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-psk/test.conf
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
index e47e709e2..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat
index 65b18b7ca..675b02976 100644
--- a/testing/tests/ikev2/net2net-pubkey/posttest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/private/moonKey.der
sun::rm /etc/ipsec.d/private/sunKey.der
moon::rm /etc/ipsec.d/certs/*.der
diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pubkey/pretest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2/net2net-pubkey/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
index 59d0372dc..e8e1a46e4 100644
--- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -1,15 +1,15 @@
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
-moon:: cat /var/log/daemon.log::subject address block 192.168.0.2/32 is contained in issuer address block 192.168.0.0/24::YES
+moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
sun:: cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES
-sun:: cat /var/log/daemon.log::subject address block 192.168.0.1/32 is contained in issuer address block 192.168.0.0/24::YES
+sun:: cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
sun:: cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
sun:: cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES
moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
sun:: cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
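Review bot: The expected string `icmp_req=1` on the alice ping line matches the output of only some iputils ping builds; others print `icmp_seq=1`, so this check fails on a guest image with a different ping even when the tunnel works. The match fields in this file appear to be used as regular expressions (`net-net.*ESTABLISHED.*`), so `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES` would accept both spellings. The same applies to the evaltest.dat hunks of net2net-route, net2net-rsa, net2net-same-nets, net2net-start and protoport-dual.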
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 545a3690e..9fe2860b9 100644
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/test.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat
index 63d1cde24..77ab6e7c6 100644
--- a/testing/tests/ikev2/net2net-route/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -3,6 +3,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 2
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-route/test.conf
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat
index e47e709e2..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-rsa/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat
index a199946aa..f7fe7dc48 100644
--- a/testing/tests/ikev2/net2net-rsa/posttest.dat
+++ b/testing/tests/ikev2/net2net-rsa/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/private/moonKey.der
sun::rm /etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-rsa/test.conf
+++ b/testing/tests/ikev2/net2net-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
index 1ca7e2d60..3b479cefa 100644
--- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_req=1::YES
+bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index c64158a2f..bdba3fb05 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
# check parameter(s)
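Review bot: The new PATH value still lists `/usr/sbin` twice, and the comment above it says the path is defined "in case it is not set" although the assignment is unconditional. Overriding PATH with fixed system directories is the safer behaviour for a hook that calls `iptables` by bare name, so I would keep the assignment and correct the comment: `# use a fixed PATH of system directories, whatever the caller's environment holds` followed by `PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"`. Adding `/usr/local/sbin` assumes that directory is writable only by root on the guests.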
@@ -196,8 +206,8 @@ up-client:)
iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-d $OUT_NET -j NETMAP --to $SAME_NET
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
- iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
- -s $SAME_NET -j NETMAP --to $IN_NET
+ iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -s $SAME_NET -j NETMAP --to $IN_NET
fi
;;
down-client:)
@@ -215,7 +225,11 @@ down-client:)
if [ -n "$PLUTO_MARK_OUT" ]
then
iptables -t mangle -D PREROUTING $SET_MARK_OUT
+ iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -d $OUT_NET -j NETMAP --to $SAME_NET
iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -s $SAME_NET -j NETMAP --to $IN_NET
fi
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
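Review bot: The two added `iptables -t nat -D` commands in the `down-client:` arm expand `$INT_INTERFACE`, `$PLUTO_INTERFACE`, `$PLUTO_MARK_OUT`, `$OUT_NET`, `$SAME_NET` and `$IN_NET` unquoted. An empty value or one containing whitespace changes the argument list, the delete then fails, and the NETMAP rule stays in the nat table after the tunnel is gone. Quoting each expansion, e.g. `-d "$OUT_NET" -j NETMAP --to "$SAME_NET"`, keeps one value per argument; `$SET_MARK_OUT` is presumably meant to split and stays as it is. Only PLUTO_MARK_OUT is tested for emptiness in the visible lines; the other variables are assigned outside the hunk, and the case arm itself starts and ends outside it.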
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
index e75e66650..b0225c37e 100644
--- a/testing/tests/ikev2/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -2,6 +2,6 @@ sun::iptables -t mangle -n -v -L PREROUTING
sun::iptables -t nat -n -v -L
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
sun::conntrack -F
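Review bot: `iptables-restore < /etc/iptables.flush` resets only the tables that have a section in that file; a table that is not listed keeps its rules. This test installs rules in the mangle and nat tables through mark_updown on sun, so if the flush file (not part of the visible diff) covers only the filter table, a failed `-D` in the updown script leaves MARK or NETMAP rules behind for the next test. I would confirm that /etc/iptables.flush contains `*mangle` and `*nat` sections, or add `sun::iptables -t nat -F` and `sun::iptables -t mangle -F` after the restore line.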
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-same-nets/pretest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/net2net-same-nets/test.conf
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun bob"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat
index dbd06104f..f003f822f 100644
--- a/testing/tests/ikev2/net2net-start/evaltest.dat
+++ b/testing/tests/ikev2/net2net-start/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 8f3d17207..9d23c553e 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
sun::ipsec start
sun::sleep 2
moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-start/test.conf
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index dda793f44..4e2cc2860 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
- -resp_no_certs -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+ -resp_no_certs -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
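Review bot: The `cat |` and `| cat` wrapped around the openssl call have no comment, and the next reader is likely to remove them as useless. Presumably they turn the CGI's stdin and stdout into pipes so that openssl can open `/dev/stdin` and `/dev/stdout` by path; if that is the reason, say so above the command, e.g. `# cat on both ends gives openssl pipes it can open via /dev/stdin and /dev/stdout`. The pipeline's exit status is now that of the trailing `cat`, so a failing `openssl ocsp` still ends the script with status 0 after the Content-type header has been sent, and the client receives an empty body. The same wrapper is added in the ocsp.cgi hunks of ocsp-no-signer-cert, ocsp-root-cert, ocsp-timeouts-good and ocsp-untrusted-cert; the script starts outside the hunk.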
diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-local-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/test.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 74d22b90d..429061376 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey winnetouKey.pem -rsigner winnetouCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey winnetouKey.pem -rsigner winnetouCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-revoked/test.conf
+++ b/testing/tests/ikev2/ocsp-revoked/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index e998b6ad0..59c356302 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey strongswanKey.pem -rsigner strongswanCert.pem \
- -resp_no_certs -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey strongswanKey.pem -rsigner strongswanCert.pem \
+ -resp_no_certs -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-root-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 92aa920aa..aa70321d5 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,9 +6,9 @@ echo "Content-type: application/ocsp-response"
echo ""
# simulate a delayed response
-sleep 5
+sleep 5
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 20c4b2a22..72aa7a6c4 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
echo "Content-type: application/ocsp-response"
echo ""
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat
index a65460cc8..cf45f3b52 100644
--- a/testing/tests/ikev2/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -2,8 +2,8 @@ carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
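Review bot: The expected string `icmp_req=1` ties these two checks to the output of one ping build, because the label differs between iputils releases and the previous guest image printed `icmp_seq`. The third field already appears to be treated as a regular expression (neighbouring lines use `.*`), so `64 bytes from PH_IP_ALICE: icmp_[rs]eq=1` would pass on either image and avoid another tree-wide edit at the next image update. The same substitution recurs in the evaltest.dat hunks for protoport-route, reauth-early, reauth-late, rw-cert, rw-eap-aka-id-rsa, rw-eap-aka-rsa and rw-eap-dynamic.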
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-dual/posttest.dat
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-dual/test.conf
+++ b/testing/tests/ikev2/protoport-dual/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat
index 83a5e1bde..75c547995 100644
--- a/testing/tests/ikev2/protoport-route/evaltest.dat
+++ b/testing/tests/ikev2/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
carol::ssh PH_IP_ALICE hostname::alice::YES
carol::cat /var/log/daemon.log::creating acquire job::YES
carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-route/posttest.dat
+++ b/testing/tests/ikev2/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/ikev2/protoport-route/pretest.dat
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-route/test.conf
+++ b/testing/tests/ikev2/protoport-route/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2/reauth-early/evaltest.dat
index 1d3a35916..dbc6f8d97 100644
--- a/testing/tests/ikev2/reauth-early/evaltest.dat
+++ b/testing/tests/ikev2/reauth-early/evaltest.dat
@@ -1,6 +1,6 @@
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-early/posttest.dat
+++ b/testing/tests/ikev2/reauth-early/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-early/test.conf
+++ b/testing/tests/ikev2/reauth-early/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index d86758f9a..205a4d9e7 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-late/posttest.dat
+++ b/testing/tests/ikev2/reauth-late/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-late/test.conf
+++ b/testing/tests/ikev2/reauth-late/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-cert/test.conf
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index a39bf3afe..d59eef513 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -7,7 +7,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 2abfdd19b..0ea4e21ab 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -6,7 +6,7 @@ moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
index 9c6ae73e9..6a20b8e8c 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -15,8 +15,8 @@ moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2/rw-eap-dynamic/test.conf
index a71d09e9d..a5525e6aa 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/test.conf
+++ b/testing/tests/ikev2/rw-eap-dynamic/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
new file mode 100644
index 000000000..6860700db
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>. The user credentials of <b>carol</b>
+and <b>dave</b> are kept both on the local clients and the RADIUS server <b>alice</b>.
+<b>carol</b> possesses the RADIUS class attribute <b>Research</b> and therefore obtains
+access to the <b>research</b> subnet behind gateway <b>moon</b> whereas <b>dave</b>
+belongs to the class <b>Accounting</b> and has access to the <b>acccess</b> subnet.
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
new file mode 100644
index 000000000..aa6d4291b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
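Review bot: The class-based separation is asserted only through `ipsec status` (`venus.*INSTALLED, TUNNEL::NO` for carol, `alice.*INSTALLED, TUNNEL::NO` for dave); no line checks that traffic to the other group's host is actually refused. Since the test exists to show that the RADIUS class attribute restricts access, I would add the negative data-path checks `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO`. Whether those packets are dropped on the clients depends on the carol and dave firewall rules, which are not part of this hunk.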
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
index 2de32a6f2..a67a5dcb4 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -40,4 +40,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol Cleartext-Password := "Ar3etTnp"
+ Class = "Research"
+dave Cleartext-Password := "W7R0g3do"
+ Class = "Accounting"
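Review bot: This file keeps both passwords in clear (`Cleartext-Password`), which EAP-MD5 needs on the server side, but nothing marks them as fixture values or says where their counterparts live. A header comment such as `# Test credentials only; must match the EAP secrets in hosts/carol and hosts/dave etc/ipsec.secrets` would discourage reuse as a template and keep the three files in step. The `Class` reply items are what the gateway later matches against `rightgroups`, so a one-line comment naming that dependency would help the next reader as well.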
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..53e2be638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftauth=eap
+ leftfirewall=yes
+ eap_identity=carol
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9428f323a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftauth=eap
+ leftfirewall=yes
+ eap_identity=dave
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9dcbcca75
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn research
+ rightgroups=Research
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn accounting
+ rightgroups=Accounting
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ leftauth=pubkey
+ leftfirewall=yes
+ rightsendcert=never
+ rightauth=eap-radius
+ eap_identity=%any
+ right=%any
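Review bot: `rightgroups=Research` and `rightgroups=Accounting` are the only access-control decision in this file, yet no comment says where group membership comes from. Here it is the RADIUS Class attribute, and that mapping exists only because `class_group = yes` is set for eap-radius in this host's strongswan.conf; without it the two conns would presumably never match. I would add above `conn research` a comment like `# rightgroups is matched against the RADIUS Class attribute (eap-radius class_group = yes in strongswan.conf)`. It is also worth stating that a user whose class matches neither conn is expected to be rejected, since no evaltest line covers that case.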
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
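Review bot: The return-traffic rules match on source address and source port only, so `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` admits any TCP packet from that host to any local port as long as it comes from port 80, and the `--sport 1812` rule does the same for UDP from alice. If connection tracking is available in the guests, limiting these to replies would be tighter, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The ssh rule also carries no `-i`, so port 22 is accepted on eth0 as well; if the test harness needs that, a comment saying so would help. The same file is added for rw-eap-md5-id-radius and rw-eap-md5-radius further down in this commit.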
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+ plugins {
+ eap-radius {
+ class_group = yes
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
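Review bot: `secret = gv6URkSs` puts the RADIUS shared secret inline in a file committed with mode 100644, and the same eight-character value appears in the clients.conf files removed elsewhere in this commit, so it is evidently shared across test scenarios. That is acceptable for a fixture, but test configs are also what readers copy from; a comment above the line such as `# test-only RADIUS shared secret, must match the client entry for moon on alice` would make clear it is not a template for deployment. Because `class_group = yes` lets the Class attribute in the RADIUS reply decide which group a peer is placed in, the strength of this secret is what protects that authorization decision on the link to alice.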
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
new file mode 100644
index 000000000..a2704e833
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
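Review bot: `VIRTHOSTS="alice venus moon carol winnetou moon"` lists moon twice and leaves out dave, although `IPSECHOSTS="moon carol dave"`, the `a-v-m-c-w-d.png` diagram and the pretest.dat/posttest.dat files added for this test all use dave. The line should presumably read `VIRTHOSTS="alice venus moon carol winnetou dave"`. How the harness consumes VIRTHOSTS is not visible here, so the effect may range from a harmless duplicate to dave not being prepared for the test.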
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index a239b56e7..42d2c319e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -2,13 +2,13 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
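Review bot: The ping check is now pinned to the literal `icmp_req=1`, which ties the test to the output format of one particular ping build, just as `icmp_seq=1` did before. The other patterns in this file already use regular-expression syntax (`.*`), so `64 bytes from PH_IP_ALICE: icmp_.eq=1` would accept both spellings and survive the next change of the ping package. The same substitution is made in the evaltest.dat hunks for rw-eap-md5-id-radius, rw-eap-md5-radius and rw-eap-md5-rsa below. This hunk starts at line 2 of the file, so any earlier checks are not visible.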
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
index 9c301f484..180537f5f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 73f606be3..8f813395a 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -7,7 +7,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
index 2de32a6f2..a67a5dcb4 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -40,4 +40,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
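Review bot: Loading this rules file does not enable IP forwarding, whereas `start()` in the init.d/iptables script deleted for this test ran `echo 1 > /proc/sys/net/ipv4/ip_forward` before installing the same rules. moon has to route carol's tunnel traffic to alice for the ping check in evaltest.dat to pass, so forwarding must now be switched on somewhere outside this test directory, presumably in the guest image; that is not visible in this part of the commit. A comment at the top of the file, e.g. `# requires net.ipv4.ip_forward=1, which this file does not set`, would record the dependency. The same applies to the rw-eap-md5-radius copy of this file, whose init.d/iptables script is deleted as well.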
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index 525d987af..a8019b3e7 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -6,6 +6,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index dd67704eb..84f41fd93 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -5,7 +5,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
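Review bot: Nothing after the two added `iptables-restore < /etc/iptables.rules` lines confirms that the ruleset was actually loaded, and a guest whose restore failed (missing file, unparsable line) would presumably still pass every evaltest check because the traffic is simply allowed. If /etc/iptables.rules sets DROP policies, as the moon rules file added later in this commit does, an explicit check in evaltest.dat would make a missing firewall visible, for example `moon::iptables -L INPUT -n::policy DROP::YES` in that file's `host::command::pattern::YES` form. How the harness treats a non-zero exit from a pretest command is not visible here, so this may already be covered there. The same applies to the pretest.dat hunks for rw-eap-mschapv2-id-rsa, rw-eap-peap-md5, rw-eap-peap-mschapv2 and rw-eap-peap-radius.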
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index eafd09b80..010f48315 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -3,11 +3,11 @@ carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YE
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
index 871d3b931..4ed5257b1 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -18,6 +18,6 @@ moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
index 643b2c39d..fc75e1c9a 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@stronswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 81244bd85..95c29b7f5 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
index df50901d5..11d3e2acd 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,7 +1,7 @@
eap {
md5 {
}
- default_eap_type = peap
+ default_eap_type = peap
tls {
private_key_file = /etc/raddb/certs/aaaKey.pem
certificate_file = /etc/raddb/certs/aaaCert.pem
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
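Review bot: The rules file has no counterpart to the `echo 1 > /proc/sys/net/ipv4/ip_forward` step that the deleted init.d/iptables `start()` ran, so forwarding on moon now depends on state set outside this test. A comment at the top of the file would record that assumption, e.g. `# IP forwarding is not enabled here; net.ipv4.ip_forward=1 must already be set on the guest`. Separately, the ssh rule `-A INPUT -p tcp --dport 22 -j ACCEPT` carries over without an interface or source match, so it also applies on eth0. If it exists only for the test harness, a comment such as `# ssh is open on all interfaces for the test harness only` would keep the rule from being copied into a real gateway ruleset unchanged.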
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
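Review bot: The added `alice::killall radiusd` signals the daemon and returns without waiting for it to exit, so a following test that starts `radiusd` on alice right away could find the RADIUS port still bound or two instances briefly running. `alice::killall -w radiusd` would block until the process is gone. killall also exits non-zero when no process matched, so a radiusd that never started is only visible if the harness reports posttest exit codes, which cannot be seen from this hunk.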
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index 7f1def4a5..f1a68bc19 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -7,6 +7,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*caro
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+ simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
index 92896b11e..893529324 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -40,4 +40,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
index c167ba940..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
- default_eap_type = sim
- sim {
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
- sim_files {
- simtriplets = "/etc/raddb/triplets.dat"
- }
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
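Review bot: Nothing in this rules file replaces the `echo 1 > /proc/sys/net/ipv4/ip_forward` that the removed init.d/iptables `start()` performed, and an iptables-restore input cannot set a sysctl. moon forwards carol's traffic to alice in this scenario, so forwarding presumably has to be enabled somewhere outside this diff (guest image or sysctl configuration); I would confirm that and record it in a leading comment such as `# IP forwarding is enabled by the guest image, not by this file`. Separately, the return-path rules `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` and `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT` match only on source address and source port, so they accept packets to any local port; a comment noting that this is deliberate for the test setup would help anyone copying the file. The same applies to the identical iptables.rules files added under rw-eap-sim-only-radius and rw-eap-sim-radius.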
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
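Review bot: `alice::killall radiusd` only sends the signal and returns, whereas the init script it replaces presumably handled the daemon's shutdown itself, so a following test that starts `radiusd` straight away could find the ports still bound. If the killall on the guests supports it, `alice::killall -w radiusd` would wait for the process to exit. The removed `stop()` also reset the chain policies to ACCEPT after flushing; `/etc/iptables.flush` is not visible in this part of the diff, so it is worth checking that it does the same, otherwise the hosts stay on a DROP policy after the test. Both points apply equally to the posttest.dat hunks for rw-eap-sim-only-radius and rw-eap-sim-radius.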
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0da980c07..b9117af36 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index f2654766a..f434ddfc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -4,7 +4,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
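Review bot: Matching the literal `icmp_req=1` ties these checks to the output of one particular ping build, and for the `::NO` expectation on dave's ping in the next hunk the failure mode is silent. If a guest's ping prints `icmp_seq=` instead, the pattern can never match, so that negative check passes even when dave reaches alice without an established tunnel. The other patterns in this file use `.*`, so the field appears to be a regular expression; if so, `64 bytes from PH_IP_ALICE: icmp_[rs]eq=1` would accept both spellings. The same change is made in the evaltest.dat hunks for rw-eap-sim-radius.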
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+ simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index 126d61d05..fbdf75f4c 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
index fd0eb19b9..3e9a644eb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -4,4 +4,3 @@ carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
- default_eap_type = sim
- sim {
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
- sim_files {
- simtriplets = "/etc/raddb/triplets.dat"
- }
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 5a51733dc..0b3e901c2 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 8e12c29d0..21cfe429a 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -4,7 +4,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
index dfceb037d..91425f812 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -59,4 +59,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
index fd0eb19b9..3e9a644eb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -4,4 +4,3 @@ carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
- default_eap_type = sim
- sim {
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
- sim_files {
- simtriplets = "/etc/raddb/triplets.dat"
- }
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index b3fd4cbf1..c17bec0f7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index ade9306cf..ab27b4510 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -5,6 +5,6 @@ moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
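Review bot: The expected string `icmp_req=1` ties this check to the output format of one ping build. iputils releases differ in whether they print `icmp_req=` or `icmp_seq=`, so the assertion breaks again when the guest image's ping changes. The other patterns in this file are already regular expressions (`rw-eap-sim.*ESTABLISHED`), so `64 bytes from PH_IP_ALICE: icmp_.eq=1` would accept both spellings. The same line is changed in the evaltest.dat hunks of rw-eap-tls-fragments, rw-eap-tls-only, rw-eap-tls-radius, rw-eap-ttls-only, rw-eap-ttls-phase2-piggyback and rw-eap-ttls-radius.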
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
index 23c7a62b2..ae464b51c 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::cat /etc/ipsec.d/triplets.dat
carol::cat /etc/ipsec.d/triplets.dat
moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
index 4db0a30b4..314769b3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -4,6 +4,6 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, C
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
index 085b19509..e8156ea70 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/cacerts/*
moon::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
index 35d35dc86..3d680ab78 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -1,7 +1,7 @@
moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index 96417face..a436131bf 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -4,6 +4,6 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index 21190669e..7584e14dc 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -4,6 +4,6 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
index 92f96ad66..92f96ad66 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
index 990184919..18ebf9e9d 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -39,4 +39,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
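Review bot: Nothing in this rules file replaces the `echo 1 > /proc/sys/net/ipv4/ip_forward` that the removed init script's `start()` ran before loading the rules, and `iptables-restore` cannot set it. Unless the guest image enables forwarding elsewhere (not visible in this diff), moon would not route carol's tunnelled ping to alice. A pretest line such as `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` would make the dependency explicit, as would a header comment like `# IP forwarding is enabled by <where>`. This likely applies to every test converted from the init script to `iptables-restore`.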
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
index 941bb2985..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
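Review bot: The negative check on the context line `moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO` misspells the domain (`stronswan`). The pattern can therefore never match, and the test reports success even if dave's connection is wrongly established on moon. It should read `dave@strongswan.org`, as the rw-eap-ttls-radius/evaltest.dat hunk already does; the same typo is in rw-eap-ttls-phase2-piggyback/evaltest.dat. The commit does not touch this line, but it is the assertion meant to show that dave is not accepted, so it is worth fixing alongside the ping change. The file's first 13 lines are outside the hunk.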
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
index 369596177..589d478e7 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -1,10 +1,10 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+carol::sleep 2
carol::ipsec up home
dave::ipsec up home
-dave::sleep 1
+dave::sleep 2
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
index 941bb2985..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -14,6 +14,6 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index ff08ae792..a471a2cfa 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -14,7 +14,7 @@ moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
index c91cd40fb..c91cd40fb 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
post-proxy {
eap
}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
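Review bot: The INPUT rules for the CRL fetch and for RADIUS match on source address and source port alone, so any TCP segment from PH_IP_WINNETOU with source port 80, or any UDP datagram from PH_IP_ALICE with source port 1812, is accepted whether or not moon opened the exchange. These rules are carried over unchanged from the deleted init script, but the move to a restore file is a good moment to tie the reply direction to connection state, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, and likewise for the eth1 RADIUS rule. The two ssh rules also carry no interface or source restriction; if that is deliberate for the test harness, a one-line comment such as `# ssh is open on all interfaces for the test controller` would say so.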
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
moon::ipsec start
carol::ipsec start
dave::ipsec start
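Review bot: Nothing in the new setup steps enables IP forwarding on moon. The deleted `init.d/iptables` start() wrote 1 to `/proc/sys/net/ipv4/ip_forward`, whereas `moon::iptables-restore < /etc/iptables.rules` only loads filter rules. The same applies to rw-mark-in-out/pretest.dat, where the explicit `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` step is dropped although moon still has to forward and SNAT the roadwarriors' traffic. Presumably the new guest images enable forwarding globally, but this diff does not show that; if they do not, keep a `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` line ahead of `moon::ipsec start`.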
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
index c52036028..7a9a70939 100644
--- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -10,8 +10,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
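Review bot: The new expectation `icmp_req=1` ties the check to the ping build in the current guest image, just as `icmp_seq=1` tied it to the old one. Other patterns in this file use regular-expression syntax (`.*`, `[{]`), so assuming the third field is matched as a regex, `icmp_.eq=1` would accept both spellings, e.g. `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same applies to the evaltest.dat hunks of rw-mark-in-out, rw-pkcs8, rw-psk-fqdn and rw-psk-ipv4 further down.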
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-hash-and-url/test.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
index 4c35081b1..3012fc656 100644
--- a/testing/tests/ikev2/rw-mark-in-out/description.txt
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -1,7 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
+and PH_IP_DAVE10, respectively.
<p/>
In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
index 4a93dc921..26b26204c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -3,9 +3,9 @@ venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun:: ipsec statusall 2>::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
# uncomment to log VPN connections
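Review bot: The new PATH value still lists `/usr/sbin` twice; `PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"` has the same effect with no duplicate. The assignment replaces any inherited PATH unconditionally, which is the safer behaviour for a script the IKE daemon invokes (typically with root privileges), but the comment above it says "in case it is not set". Rewording it to `# set a fixed minimal PATH, ignoring any inherited value` would match what the code does. Appending `/usr/local/sbin` last keeps the system directories ahead of it in lookup order, which is the right place for it.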
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
index fae79271b..283099acb 100644
--- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -2,9 +2,9 @@ sun::iptables -t mangle -v -n -L PREROUTING
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
sun::ip route del 10.1.0.0/16 via PH_IP_MOON
sun::conntrack -F
sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
index 3d9a5f340..8e9dd2f51 100644
--- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -1,13 +1,12 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
sun::ip route add 10.1.0.0/16 via PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
alice::ipsec start
venus::ipsec start
sun::ipsec start
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
index ae3c190b8..105472cbe 100644
--- a/testing/tests/ikev2/rw-mark-in-out/test.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon bob"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-pkcs8/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-pkcs8/test.conf
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
index 683173c30..2fbcc474f 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
@@ -7,8 +7,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
index 1ad36fcaf..2bd97b76c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 18a074472..57ce85d61 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
index e989540e9..111de272b 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index ab3fb129b..6706534eb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,5 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
-192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
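Review bot: The two added ping checks expect the literal `icmp_req=1`, which ties the result to the output wording of one ping build; a guest image whose ping prints `icmp_seq=1` would fail both lines even though the tunnel works. The third field appears to be treated as a regular expression (neighbouring lines use `.*` and `[{]`), so `64 bytes from PH_IP_ALICE: icmp_.eq=1` would accept either spelling. The same substitution is made in the evaltest.dat hunks for rw-psk-rsa-mixed, rw-psk-rsa-split, rw-whitelist and shunt-policies.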
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/test.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index 51e868760..ab398a3bb 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -1,13 +1,13 @@
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[192.168.0.1]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
index e48d11e42..446f81426 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
carol::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 9a1ab3f8f..1648c9557 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index 5c453f8b4..ccbc769e2 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -9,6 +9,6 @@ carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
carol::ipsec down home 2> /dev/null::no output expected::NO
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::User-Name =.*carol::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Output-Octets = 7100::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Input-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
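Review bot: This new file has no comment saying why `default_eap_type = md5` is chosen. EAP-MD5 authenticates only the client and derives no key material, so a reader copying the fixture should be told that the scenario depends on the gateway authenticating itself separately (presumably in IKEv2; not visible in this hunk). A one-line header such as `# test fixture: EAP-MD5 is client-only authentication with no key derivation` would cover it.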
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 962a418d9..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow RADIUS accounting protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b9560a38e
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
@@ -0,0 +1,36 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+# allow RADIUS accounting protocol with alice
+-A INPUT -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
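Review bot: The rules file drops one step of the init script it replaces: the removed `start()` for this host ran `echo 1 > /proc/sys/net/ipv4/ip_forward` before loading the rules, and a file read by `iptables-restore` cannot set that. Nothing in this hunk or in the matching pretest.dat change turns forwarding on. If moon's guest image does not already enable it (not visible here), traffic from carol to alice would not be forwarded and the failure would look like a tunnel problem. Adding `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` to pretest.dat, or documenting that the image sets the sysctl, would make the dependency explicit.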
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index b1f971402..98f7a6954 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,7 +1,6 @@
carol::ipsec stop
moon::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::cat /var/log/radius/radacct/10.1.0.1/*
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-
+alice::killall radiusd
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
+carol::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 30c8bd573..9f437fe85 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::rm /var/log/radius/radacct/10.1.0.1/*
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
+alice::radiusd
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf
index f2d20e984..6dbb1c7fd 100644
--- a/testing/tests/ikev2/rw-radius-accounting/test.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/test.conf
@@ -1,25 +1,25 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index d6f71d7c0..9418d6ee1 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -3,10 +3,10 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RS
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
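Review bot: The `::NO` check on dave's ping is only meaningful while its pattern would match a successful reply. Assuming `::NO` means the pattern must not appear, the literal `icmp_req=1` never matches on a ping build that prints a different field name, so the line would pass even if dave reached alice despite not being whitelisted. Dropping the sequence field from the negative check, `dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::NO`, keeps it independent of the ping output format. The `::NO` ping lines for venus and bob in the shunt-policies evaltest.dat hunk have the same property.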
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/rw-whitelist/posttest.dat
+++ b/testing/tests/ikev2/rw-whitelist/posttest.dat
@@ -1,6 +1,6 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat
index c4ac77d77..87760775a 100644
--- a/testing/tests/ikev2/rw-whitelist/pretest.dat
+++ b/testing/tests/ikev2/rw-whitelist/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/rw-whitelist/test.conf
+++ b/testing/tests/ikev2/rw-whitelist/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat
index f40437e3e..a6e40a817 100644
--- a/testing/tests/ikev2/shunt-policies/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies/evaltest.dat
@@ -1,15 +1,15 @@
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow icmp in local net
- iptables -A INPUT -i eth1 -p icmp -j ACCEPT
- iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
index 90a5d61b1..46ca4cdc3 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,7 @@ conn local-net
auto=route
conn venus-icmp
- leftsubnet=10.1.0.20/32
+ leftsubnet=PH_IP_VENUS/32
rightsubnet=0.0.0.0/0
leftprotoport=icmp
rightprotoport=icmp
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
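Review bot: The reply-side rules in this new ruleset match on source port alone, not on connection state. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` accepts any TCP segment winnetou sends from port 80 to any local port, and the ssh pair is not bound to an interface or source at all. This is carried over unchanged from the removed init script and is tolerable on a closed test network, but the file now looks like a reusable template, so a header comment such as `# test fixture: stateless filter rules, not a hardening baseline` would help. If connection tracking is available in the guest kernel, `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT` limits the rule to actual replies.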
diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/shunt-policies/posttest.dat
+++ b/testing/tests/ikev2/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/shunt-policies/pretest.dat
+++ b/testing/tests/ikev2/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
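Review bot: Nothing in the new setup enables IP forwarding on moon. The removed `start()` wrote 1 to `/proc/sys/net/ipv4/ip_forward` before loading rules, whereas `iptables-restore < /etc/iptables.rules` only loads the filter table. If the guest image does not set `net.ipv4.ip_forward` persistently (not visible in this diff), traffic routed through the gateway would be dropped for a reason unrelated to the policy under test; either say so in the commit description or keep an explicit `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` line. The wildcards pretest.dat hunk further down removes exactly that line and rests on the same assumption. Separately, `sun::iptables-restore < /etc/iptables.rules` depends on a file this commit adds only under hosts/moon, so sun presumably loads an image default that cannot be checked here.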
diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/ikev2/shunt-policies/test.conf
+++ b/testing/tests/ikev2/shunt-policies/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
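Review bot: The two changed ping lines pin the literal `icmp_req=1`, which only matches ping builds that print that field name; the commit swaps one fixed spelling (`icmp_seq`) for another. The third field appears to be matched as a regular expression (the unchanged `rw[{]1}.*INSTALLED` lines in this hunk rely on that), so `64 bytes from PH_IP_ALICE: icmp_.eq=1` would accept both spellings. The same applies to the ping lines in the two-certs and virtual-ip evaltest.dat hunks further down. A connectivity check that fails only because the tool's output format changed tends to get ignored, which can hide a real tunnel regression.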
diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat
index 9ccbaa1c2..3fd6a690e 100644
--- a/testing/tests/ikev2/strong-keys-certs/posttest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/private/*
dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
index de51ccdfa..dea5fc162 100644
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/strong-keys-certs/test.conf
+++ b/testing/tests/ikev2/strong-keys-certs/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index f50e7c30d..2b4476afa 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,11 +1,11 @@
moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES
moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index a0f44e312..9ec202e3d 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -18,11 +18,11 @@ conn %default
conn alice
leftcert=carolCert.pem
- rightsubnet=10.1.0.10/32
+ rightsubnet=PH_IP_ALICE/32
auto=add
conn venus
leftcert=carolCert-002.pem
- rightsubnet=10.1.0.20/32
+ rightsubnet=PH_IP_VENUS/32
auto=add
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index dac656243..d8f1443ac 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -23,10 +23,10 @@ conn %default
keyexchange=ikev2
conn alice
- leftsubnet=10.1.0.10/32
+ leftsubnet=PH_IP_ALICE/32
auto=add
conn venus
- leftsubnet=10.1.0.20/32
+ leftsubnet=PH_IP_VENUS/32
auto=add
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index a1f067838..eae8c27d4 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index 716cf71e8..fe2aaec19 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index d0306cd25..3f6afa02e 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2/virtual-ip-override/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip-override/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip-override/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2/virtual-ip-override/test.conf
index 01c94f7fb..5139506ac 100644
--- a/testing/tests/ikev2/virtual-ip-override/test.conf
+++ b/testing/tests/ikev2/virtual-ip-override/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2/virtual-ip/evaltest.dat
index dd3143ae7..0f5df71d7 100644
--- a/testing/tests/ikev2/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/virtual-ip/evaltest.dat
@@ -14,12 +14,12 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::src PH_IP_CAROL1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::src PH_IP_DAVE1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2/virtual-ip/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2/virtual-ip/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/virtual-ip/test.conf
+++ b/testing/tests/ikev2/virtual-ip/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon alice"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
index e3da87520..3c4832e5e 100644
--- a/testing/tests/ikev2/wildcards/pretest.dat
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
dave::ipsec start
moon::ipsec start
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/wildcards/test.conf
+++ b/testing/tests/ikev2/wildcards/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev1/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat
@@ -1,4 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev1/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
+sun::expect-connection host-host
moon::ipsec up host-host
-moon::sleep 1
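Review bot: The test now loads the shared `/etc/iptables.drop` and `/etc/ip6tables.rules`, neither of which is added under this test directory, so this hunk cannot show whether the test-specific rules survive. The init scripts deleted above for moon and sun accepted the last IPv6 UDP fragment (`-p udp -m frag --fraglast -j ACCEPT`), logged dropped packets, and accepted ssh over IPv4. If the shared ip6tables file lacks the fragment rule, fragmented IKE messages could be dropped by the default DROP policy; keeping a per-test `hosts/moon/etc/ip6tables.rules` with `-A INPUT -p udp -m frag --fraglast -j ACCEPT` and its OUTPUT twin would preserve the old behaviour. It is also worth confirming that `/etc/iptables.drop` still permits the IPv4 ssh the old script allowed, in case the harness reaches the guests that way.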
diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev1/test.conf
+++ b/testing/tests/ipv6/host2host-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev2/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat
@@ -1,4 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
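Review bot: Teardown here now relies on `/etc/iptables.flush` and `/etc/ip6tables.flush` to undo the DROP policy, and neither file is visible in this part of the diff. The removed `stop()` set the filter policies back to ACCEPT for both address families after flushing, so the flush files need `:INPUT ACCEPT [0:0]`, `:FORWARD ACCEPT [0:0]` and `:OUTPUT ACCEPT [0:0]` under `*filter`. Without them, moon and sun would carry the DROP policy into the next test. The same check applies to the posttest.dat hunks for net2net-ikev1, net2net-ikev2 and net2net-ip4-in-ip6-ikev1.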
diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev2/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
+sun::expect-connection host-host
moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev2/test.conf
+++ b/testing/tests/ipv6/host2host-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
moon::"ip route del fec2:\:/16 via fec0:\:2"
sun::"ip route del fec1:\:/16 via fec0:\:1"
bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec2:\:/16 via fec1:\:1"
moon::"ip route add fec2:\:/16 via fec0:\:2"
sun::"ip route add fec1:\:/16 via fec0:\:1"
bob::"ip route add fec1:\:/16 via fec2:\:1"
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 1
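Review bot: Nothing in the new pretest lines turns on forwarding, which the removed `start()` did with `echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` and `echo 1 > /proc/sys/net/ipv4/ip_forward` before loading any rules. `iptables-restore` and `ip6tables-restore` only load rule sets, and moon and sun route between alice and bob in this test. Unless the guest images enable forwarding elsewhere (not visible here), the gateways need it set explicitly, e.g. `moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` and the same line for sun. The pretest.dat hunks for net2net-ikev2 and net2net-ip4-in-ip6-ikev1 are in the same position, the latter for `ip_forward`.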
diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
moon::"ip route del fec2:\:/16 via fec0:\:2"
sun::"ip route del fec1:\:/16 via fec0:\:1"
bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec2:\:/16 via fec1:\:1"
moon::"ip route add fec2:\:/16 via fec0:\:2"
sun::"ip route add fec1:\:/16 via fec0:\:1"
bob::"ip route add fec1:\:/16 via fec2:\:1"
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
index 3b3200418..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
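Review bot: The expected ping output is now pinned to `icmp_req=1`, which matches only the ping builds that print that spelling; others print `icmp_seq=1`, the string this line used before. The neighbouring lines use `.*`, so the pattern looks like a regular expression, and `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES` would accept both. The evaltest.dat hunk for net2net-ip4-in-ip6-ikev2 makes the same change.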
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
@@ -1,4 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
index a88456d52..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 2
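Review bot: Nothing in the new pretest sequence enables IP forwarding on moon and sun. The init.d/iptables scripts this commit deletes did that in start() with `echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` and `echo 1 > /proc/sys/net/ipv4/ip_forward` (visible in the ikev2 variant of this test), while `iptables-restore` and `ip6tables-restore` only load rules. If the guest images do not already set these sysctls persistently, the gateways stop routing between the subnets; in that case add `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` and the IPv6 equivalent for both hosts before `ipsec start`. The same applies to the pretest.dat hunks of net2net-ip4-in-ip6-ikev2, net2net-ip6-in-ip4-ikev1 and net2net-ip6-in-ip4-ikev2.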
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
index 3b3200418..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
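Review bot: The expected ping output on the alice line is now pinned to `icmp_req=1`, which matches only ping builds that print that field name; the old `icmp_seq=1` shows the spelling differs between versions. The other checks in this file are written as regular expressions (`net-net.*ESTABLISHED.*`), so the third field is presumably a pattern, and `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES` would accept both spellings. As written, a ping update in the guest image makes this check fail in a way that reads as a broken tunnel rather than a string mismatch.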
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
@@ -1,4 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
index a88456d52..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 2
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index d556762b7..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
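Review bot: The `# log dropped packets` block appends LOG rules only to INPUT and OUTPUT, so IPv6 packets that hit the `-P FORWARD DROP` policy are discarded without a log line. This ruleset has no FORWARD ACCEPT rule of its own, so forwarded traffic presumably depends on rules inserted at tunnel setup, and a missing one would be hard to diagnose from the logs. Consider adding `-A FORWARD -j LOG --log-prefix " FWD: "` next to the other two LOG rules, or rewording the comment to say that only INPUT and OUTPUT drops are logged. The same file is added unchanged for sun in this test and for moon and sun in net2net-ip6-in-ip4-ikev2.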
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 21ff88d0d..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
index c78d884ee..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
@@ -1,8 +1,10 @@
moon::ipsec stop
sun::ipsec stop
alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2"
-sun::"ip route del fec1:\:/16 via fec0:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
index 7781f9b9f..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2"
-sun::"ip route add fec1:\:/16 via fec0:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
bob::"ip route add fec1:\:/16 via fec2:\:1"
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index d556762b7..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 21ff88d0d..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
index c78d884ee..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
@@ -1,8 +1,10 @@
moon::ipsec stop
sun::ipsec stop
alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2"
-sun::"ip route del fec1:\:/16 via fec0:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
index 7781f9b9f..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2"
-sun::"ip route add fec1:\:/16 via fec0:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
bob::"ip route add fec1:\:/16 via fec2:\:1"
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
moon::"ip route del fec2:\:/16 via fec0:\:2"
sun::"ip route del fec1:\:/16 via fec0:\:1"
bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec2:\:/16 via fec1:\:1"
moon::"ip route add fec2:\:/16 via fec0:\:2"
sun::"ip route add fec1:\:/16 via fec0:\:1"
bob::"ip route add fec1:\:/16 via fec2:\:1"
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
+sun::expect-connection net-net
moon::ipsec up net-net
-moon::sleep 1
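Review bot: The `start()` function of the init script deleted for this test also wrote 1 to `/proc/sys/net/ipv6/conf/all/forwarding` and `/proc/sys/net/ipv4/ip_forward`, whereas the four `*-restore` lines that replace it here only load rule sets. moon and sun are the gateways in this net-to-net scenario, so the test now depends on forwarding being enabled somewhere else, presumably in the guest image, which this hunk does not show. If that is not guaranteed, add `moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` and the same line for sun after the restore lines, or a comment naming where forwarding is set. The pretest.dat hunk for rw-ikev1 replaces the same `start()` call on moon and carries the same dependency.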
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev1/posttest.dat
@@ -1,9 +1,12 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec0:\:/16 via fec1:\:1"
carol::"ip route del fec1:\:/16 via fec0:\:1"
dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev1/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
dave::"ip route add fec1:\:/16 via fec0:\:1"
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 2
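Review bot: The moon init script deleted for this test was the only one on this page with the extra rules `ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT` and its OUTPUT twin. The `moon::ip6tables-restore < /etc/ip6tables.rules` line now loads a rule file that this hunk does not show. If that file lacks the two `--fraglast` rules, fragmented IKE messages over IPv6 would presumably hit the DROP policy and the `ipsec up home` calls could fail for reasons unrelated to the code under test. Please confirm that moon's rule file for rw-ikev1 carries `-A INPUT -p udp -m frag --fraglast -j ACCEPT` and `-A OUTPUT -p udp -m frag --fraglast -j ACCEPT`.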
diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev2/posttest.dat
@@ -1,9 +1,12 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec0:\:/16 via fec1:\:1"
carol::"ip route del fec1:\:/16 via fec0:\:1"
dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
dave::"ip route add fec1:\:/16 via fec0:\:1"
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 2
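Review bot: The trailing `dave::sleep 2` after `dave::ipsec up home` is removed with nothing taking its place, whereas the sleep before `ipsec up` is replaced by the `expect-connection` lines. If `ipsec up` can return before moon has finished installing its side, the evaluation step may start too early and fail intermittently; that depends on harness behaviour not shown here, so it is worth confirming. The same removal appears in the rw-ip6-in-ip4-ikev1 pretest.dat hunk further down. The old firewall commands also discarded stderr and the new `iptables-restore` lines do not, which only helps if the harness treats a failed restore as a test failure instead of continuing with no rules loaded.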
diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
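Review bot: The `# log dropped packets` section adds LOG rules to INPUT and OUTPUT only, while `-P FORWARD DROP` is set without a matching LOG rule, so packets dropped in the FORWARD chain leave no trace. The identical file (blob 409f2e9bb) is added for dave and moon in this test and for carol and dave in rw-ip6-in-ip4-ikev2; the gap matters most on the gateway moon. Consider adding `-A FORWARD -j LOG --log-prefix " FWD: "` before `COMMIT`, or rewording the comment to `# log packets dropped in INPUT and OUTPUT`. The LOG rules are also unthrottled, so a `-m limit` match would keep a noisy peer from flooding the log.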
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5bd956ad..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
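Review bot: The deleted init script for moon wrote `1` to `/proc/sys/net/ipv6/conf/all/forwarding` and `/proc/sys/net/ipv4/ip_forward` in `start()`, and a rules file loaded by `ip6tables-restore` cannot do that. Nothing in the visible pretest.dat for this test sets those sysctls either, so the gateway presumably relies on the guest image having forwarding enabled already. A header comment here such as `# forwarding is expected to be enabled by the guest image (sysctl)` would record that dependency, if that is indeed where it now lives.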
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
index 179b8fe58..ebe5e2a80 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
@@ -1,7 +1,10 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
index ca544e373..e73bde487 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
@@ -1,11 +1,15 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec3:\:/16 via fec1:\:1"
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 2
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt
deleted file mode 100644
index 9609ae268..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via
-the IKEvi1 mode config payload.
-<p/>
-Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b>
-automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
-an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
-using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat
deleted file mode 100644
index f6dc9aa3e..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat
deleted file mode 100644
index 179b8fe58..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat
deleted file mode 100644
index ca544e373..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::"ip route add fec3:\:/16 via fec1:\:1"
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 2
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf
deleted file mode 100644
index 80cf5e3a1..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/rw-ip6-in-ip4-ikev1/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d-ip6.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 7f904a693..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5bd956ad..000000000
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
index 179b8fe58..ebe5e2a80 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
@@ -1,7 +1,10 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
index ca544e373..e73bde487 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
@@ -1,11 +1,15 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec3:\:/16 via fec1:\:1"
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 2
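Review bot: Swapping `/etc/init.d/iptables start` for `iptables-restore`/`ip6tables-restore` silently drops a side effect of the deleted start(): it wrote 1 to `/proc/sys/net/ipv6/conf/all/forwarding` and `/proc/sys/net/ipv4/ip_forward` before setting the policies, and a rules file cannot do that. Nothing in this hunk re-enables forwarding, so the test now depends on the guest image having it switched on. If that is not guaranteed, add `moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` ahead of `moon::ipsec start`. The first pretest.dat hunks of rw-psk-ikev1 and rw-psk-ikev2 make the same substitution.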
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
@@ -1,9 +1,12 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec0:\:/16 via fec1:\:1"
carol::"ip route del fec1:\:/16 via fec0:\:1"
dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
index e3040d125..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
dave::"ip route add fec1:\:/16 via fec0:\:1"
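Review bot: Both restores load files that are not part of this test: `/etc/iptables.drop` for IPv4 and `/etc/ip6tables.rules` for IPv6, and this part of the diff adds no per-host `ip6tables.rules` under rw-psk-ikev1/hosts, unlike rw-ip6-in-ip4-ikev2. The deleted per-host scripts accepted ESP (`-p 50`) and UDP 500/4500 on eth0 over IPv6, plus TCP 22 over IPv4. The shared files therefore need equivalent rules, otherwise IKE is dropped by the DROP policy and the failure would presumably show up only later, when the connection does not come up. A line in the test's description naming the shared rule files it relies on would make that dependency visible to whoever edits them. rw-psk-ikev2/pretest.dat makes the same change.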
@@ -10,7 +13,8 @@ dave::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
@@ -1,9 +1,12 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec0:\:/16 via fec1:\:1"
carol::"ip route del fec1:\:/16 via fec0:\:1"
dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
index e3040d125..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
dave::"ip route add fec1:\:/16 via fec0:\:1"
@@ -10,7 +13,8 @@ dave::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
@@ -1,9 +1,12 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec0:\:/16 via fec1:\:1"
carol::"ip route del fec1:\:/16 via fec0:\:1"
dave::"ip route del fec1:\:/16 via fec0:\:1"
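Review bot: The six added restore lines depend on `/etc/iptables.flush` and `/etc/ip6tables.flush`, which this part of the diff does not show, and `iptables-restore` resets only the tables named in its input. The deleted `stop()` walked every table listed in `/proc/net/ip_tables_names` and put the nat and mangle policies back to ACCEPT. If the flush files carry only a `*filter` section, rules an earlier test left in other tables would survive teardown and leak into the next test. It is worth confirming that the flush files also cover `*nat` and `*mangle`. The same replacement is made in the transport-ikev1, transport-ikev2 and alg-camellia posttest.dat hunks.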
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
dave::"ip route add fec1:\:/16 via fec0:\:1"
moon::ipsec start
carol::ipsec start
dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
carol::ipsec up home
dave::ipsec up home
-dave::sleep 2
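Review bot: The added `iptables-restore` and `ip6tables-restore` lines at the top of this hunk only load rule sets, whereas the deleted `start()` in hosts/*/etc/init.d/iptables also wrote 1 to `/proc/sys/net/ipv6/conf/all/forwarding` and `/proc/sys/net/ipv4/ip_forward`. Nothing visible here sets forwarding any more, so the test now presumably relies on the guest image enabling it. If that is not guaranteed, add `moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` before `moon::ipsec start`, or add a comment naming where the sysctl is set. The contents of `/etc/iptables.drop` and `/etc/ip6tables.rules` are not in this part of the diff, so whether they match the removed ESP, IKE, neighbor-discovery and ssh rules cannot be checked from here.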
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 343fd49ed..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certficate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 47db6db82..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow last IPv6 UDP fragments
- ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT
- ip6tables -A OUTPUT -p udp -m frag --fraglast -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev1/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev1/posttest.dat
@@ -1,4 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev1/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
+sun::expect-connection host-host
moon::ipsec up host-host
-moon::sleep 1
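Review bot: `moon::ip6tables-restore < /etc/ip6tables.rules` and the matching sun line load the same path as the other ipv6 tests, but the init scripts deleted for this test were the only ones in view that carried `ip6tables -A INPUT -p udp -m frag --fraglast -j ACCEPT` and its OUTPUT counterpart. Unless a per-test `ip6tables.rules` for moon and sun elsewhere in the commit keeps those two rules, last fragments of large UDP datagrams are no longer explicitly accepted. This test could then fail, or pass only because the shared rule set is looser than the old one. A comment in pretest.dat saying which rule file covers the fragment case would make this checkable.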
diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev1/test.conf
+++ b/testing/tests/ipv6/transport-ikev1/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b1e7073af..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certficate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl and certificate fetch from winnetou
- ip6tables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev2/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev2/posttest.dat
@@ -1,4 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev2/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
+sun::expect-connection host-host
moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev2/test.conf
+++ b/testing/tests/ipv6/transport-ikev2/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 5b5c94fb1..4d614bf7e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
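Review bot: The new expectation `icmp_req=1` on the carol ping line matches only ping builds that print `icmp_req`, so the check breaks again as soon as the guest image ships a ping that prints `icmp_seq`. The neighbouring expectations already look like regular expressions (`home.*INSTALLED`), so a pattern that accepts both spellings would be sturdier: `carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The alg-ecp-high evaltest.dat hunk that follows makes the same substitution and would benefit from the same pattern.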
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
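Review bot: Nothing visible in this hunk confirms that `iptables-restore < /etc/iptables.rules` actually loaded the ruleset before `ipsec start` runs. If the file is missing on a guest the redirection fails, and the test would then continue with whatever rules were left in place, which can let the later ping succeed without the firewall the scenario assumes. Whether the harness checks the exit status of pretest commands is not shown here; if it does not, an evaltest.dat line in the existing `host::command::pattern::YES` form, such as `moon::iptables-save::<EXPECTED_RULE_PATTERN>::YES`, would make a failed load visible. The other pretest.dat hunks in this diff follow the same pattern.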
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 2ba48e5ce..ac7d8cd98 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 6cf2438d4..178d541da 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -8,8 +8,8 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 244ea0331..69c893f0c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with EC
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
index 3787bdb68..cd83c56b4 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*caro
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index 5b5c94fb1..4d614bf7e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 2540eb106..375ed86a1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -10,8 +10,8 @@ carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index f82159e7c..c46ed1dd2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -10,8 +10,8 @@ carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 5918faa8c..0110bb996 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -10,8 +10,8 @@ moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with EC
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 52913759f..8a4215dcc 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -6,8 +6,8 @@ moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with EC
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
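Review bot: Nothing visible in this hunk checks that `iptables-restore < /etc/iptables.rules` succeeded before `ipsec start` runs. iptables-restore applies a table only at COMMIT, so a rules file it rejects (for example one where a `PH_IP_*` placeholder was left unsubstituted) leaves the previous ruleset in place, and if that is the flushed ACCEPT state the scenario can pass with no firewall loaded. If the harness does not already evaluate the exit status of pretest commands, consider asserting the policy in evaltest.dat with a line of the form `moon::iptables -L INPUT -n::policy DROP::YES`. The same applies to the other pretest.dat hunks in this commit.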
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index e476da03f..1ae780e4b 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -5,6 +5,6 @@ carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_W
carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/p2pnat/behind-same-nat/evaltest.dat b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
index 8c79a28c1..378520596 100644
--- a/testing/tests/p2pnat/behind-same-nat/evaltest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
@@ -7,5 +7,5 @@ alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*venus
venus::ipsec status 2> /dev/null::peer.*ESTABLISHED.*venus.strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
venus::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1eb88c15c..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
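Review bot: The comment `# allow MobIKE` above the UDP 4500 rules mislabels them; the deleted init script called the same rules `# allow NAT-T`, and in a scenario with hosts behind a NAT that port carries UDP-encapsulated IKE and ESP whether or not MOBIKE is in use. I would write `# allow NAT-T (UDP-encapsulated IKE and ESP)`. The IKE rules were also widened relative to the deleted script for this host, from `--sport 500 --dport 500` to `--dport 500` on INPUT, which is reasonable when a NAT rewrites the peer's source port but deserves a comment such as `# source port not pinned: peers may be behind NAT`. The MobIKE label recurs in the other iptables.rules files added under p2pnat/behind-same-nat and p2pnat/medsrv-psk.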
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE behind NAT
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 6fca87b4a..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat
index 36cd0f36d..a1d5b4612 100644
--- a/testing/tests/p2pnat/behind-same-nat/posttest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat
@@ -1,8 +1,8 @@
venus::ipsec stop
alice::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
moon::conntrack -F
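Review bot: The teardown for moon now depends on `/etc/iptables.flush` naming the nat table, because iptables-restore only resets the tables that appear in its input. The deleted `stop()` walked every table listed in /proc/net/ip_tables_names, which also cleared the SNAT rules that pretest.dat adds on moon with `iptables -t nat -A POSTROUTING`. iptables.flush is not part of this hunk, so this needs confirming there; if it holds only a `*filter` section, the SNAT rules would survive into the next scenario, and adding `moon::iptables -t nat -F` before `moon::conntrack -F` would cover it. The medsrv-psk posttest.dat has the same dependency for moon, and presumably for sun.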
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index f1e33dc39..eb1d67fa2 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -1,7 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
@@ -10,5 +10,5 @@ carol::ipsec start
carol::sleep 1
alice::ipsec start
alice::sleep 1
-venus::ipsec start
-venus::sleep 4
+venus::ipsec start
+venus::sleep 4
diff --git a/testing/tests/p2pnat/behind-same-nat/test.conf b/testing/tests/p2pnat/behind-same-nat/test.conf
index f98a0ab1b..fe44ff97b 100644
--- a/testing/tests/p2pnat/behind-same-nat/test.conf
+++ b/testing/tests/p2pnat/behind-same-nat/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-med.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus carol"
diff --git a/testing/tests/p2pnat/medsrv-psk/evaltest.dat b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
index 1b89c7ebe..2c6080775 100644
--- a/testing/tests/p2pnat/medsrv-psk/evaltest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
@@ -6,7 +6,7 @@ alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*bob@s
bob:: ipsec status 2> /dev/null::peer.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
bob:: ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
moon::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index c6371c745..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE behind NAT
- iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
- # allow NAT-T
- iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat
index ca3cebc0a..4b696b90f 100644
--- a/testing/tests/p2pnat/medsrv-psk/posttest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat
@@ -1,10 +1,10 @@
bob::ipsec stop
alice::ipsec stop
carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::conntrack -F
sun::conntrack -F
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index fba7be01d..09b658318 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -1,8 +1,8 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
@@ -15,5 +15,5 @@ carol::ipsec start
carol::sleep 1
bob::ipsec start
bob::sleep 1
-alice::ipsec start
-alice::sleep 4
+alice::ipsec start
+alice::sleep 4
diff --git a/testing/tests/p2pnat/medsrv-psk/test.conf b/testing/tests/p2pnat/medsrv-psk/test.conf
index 2dc4cd8c1..a1c6b8c15 100644
--- a/testing/tests/p2pnat/medsrv-psk/test.conf
+++ b/testing/tests/p2pnat/medsrv-psk/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou sun bob"
+VIRTHOSTS="alice moon carol winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-s-b-med.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice carol bob"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 9ca168e82..590b7fe9c 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon:: ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
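Review bot: The ping expectation on the new side hard-codes `icmp_req=1`, a spelling that only some iputils builds print; others print `icmp_seq=1`, and on those the check fails although the tunnel works. The neighbouring patterns are regular expressions (`rw.*INSTALLED`), so a spelling-tolerant form would work here: `carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. The same applies to the ping lines in the other evaltest.dat hunks of this commit (alg-sha384, alg-sha512, esp-alg-null, host2host-transport, nat-rw, net2net-route, protoport-dual, protoport-route, rw-cert, shunt-policies).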
diff --git a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha384/evaltest.dat b/testing/tests/pfkey/alg-sha384/evaltest.dat
index 21b3d5a4f..3b24217c5 100644
--- a/testing/tests/pfkey/alg-sha384/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha384/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon:: ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/pfkey/alg-sha384/posttest.dat b/testing/tests/pfkey/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha384/posttest.dat
+++ b/testing/tests/pfkey/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha384/pretest.dat
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha512/evaltest.dat b/testing/tests/pfkey/alg-sha512/evaltest.dat
index 7b94d2182..6bdceeb44 100644
--- a/testing/tests/pfkey/alg-sha512/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha512/evaltest.dat
@@ -4,10 +4,10 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon:: ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/pfkey/alg-sha512/posttest.dat b/testing/tests/pfkey/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha512/posttest.dat
+++ b/testing/tests/pfkey/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha512/pretest.dat
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/esp-alg-null/evaltest.dat b/testing/tests/pfkey/esp-alg-null/evaltest.dat
index 271e274c8..c50b188bb 100644
--- a/testing/tests/pfkey/esp-alg-null/evaltest.dat
+++ b/testing/tests/pfkey/esp-alg-null/evaltest.dat
@@ -2,7 +2,7 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
moon:: ip xfrm state::enc ecb(cipher_null)::YES
diff --git a/testing/tests/pfkey/esp-alg-null/posttest.dat b/testing/tests/pfkey/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/esp-alg-null/posttest.dat
+++ b/testing/tests/pfkey/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/esp-alg-null/pretest.dat
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/host2host-transport/evaltest.dat b/testing/tests/pfkey/host2host-transport/evaltest.dat
index 5ef5bed9c..fbd0c1c96 100644
--- a/testing/tests/pfkey/host2host-transport/evaltest.dat
+++ b/testing/tests/pfkey/host2host-transport/evaltest.dat
@@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/host2host-transport/posttest.dat b/testing/tests/pfkey/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/host2host-transport/posttest.dat
+++ b/testing/tests/pfkey/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/pfkey/host2host-transport/pretest.dat
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 2
diff --git a/testing/tests/pfkey/host2host-transport/test.conf b/testing/tests/pfkey/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/pfkey/host2host-transport/test.conf
+++ b/testing/tests/pfkey/host2host-transport/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/nat-rw/evaltest.dat b/testing/tests/pfkey/nat-rw/evaltest.dat
index a0b9c678f..ac09e2d6b 100644
--- a/testing/tests/pfkey/nat-rw/evaltest.dat
+++ b/testing/tests/pfkey/nat-rw/evaltest.dat
@@ -6,7 +6,7 @@ alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
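Review bot: The ruleset does not say why it differs from the usual host rules: the port 500 and 4500 INPUT rules match only the destination port, and there is no ESP (protocol 50) rule. Presumably the peers sit behind moon's SNAT, so source ports are rewritten and ESP arrives UDP-encapsulated on 4500; a comment such as `# peers are behind NAT: no --sport match, ESP is UDP-encapsulated so no -p 50 rule` would record that. The `# allow MobIKE` label on port 4500 would read better as `# allow NAT-T (UDP-encapsulated ESP)`. The winnetou INPUT rule accepts any TCP segment with source port 80 to any local port; if connection tracking is available in the guest, adding `-m conntrack --ctstate ESTABLISHED` to it would limit it to replies to sun's own CRL fetches.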
diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat
index 52572ece8..4643a3a7b 100644
--- a/testing/tests/pfkey/nat-rw/posttest.dat
+++ b/testing/tests/pfkey/nat-rw/posttest.dat
@@ -1,8 +1,8 @@
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F
moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/pfkey/nat-rw/pretest.dat
+++ b/testing/tests/pfkey/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::ipsec start
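Review bot: The removed `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` has no replacement on the new side, although moon still gets the two SNAT rules and no rules file is loaded on moon here. Unless the guest image enables forwarding by default (not visible from this hunk), alice and venus cannot reach sun and the test fails at connection setup with no hint of the cause. Keeping the line, or an equivalent such as `moon::sysctl -w net.ipv4.ip_forward=1`, makes the test independent of the image's defaults.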
diff --git a/testing/tests/pfkey/nat-rw/test.conf b/testing/tests/pfkey/nat-rw/test.conf
index 84317fd70..f515d4bc7 100644
--- a/testing/tests/pfkey/nat-rw/test.conf
+++ b/testing/tests/pfkey/nat-rw/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/net2net-route/evaltest.dat b/testing/tests/pfkey/net2net-route/evaltest.dat
index 9adb31e97..1de6ca8e1 100644
--- a/testing/tests/pfkey/net2net-route/evaltest.dat
+++ b/testing/tests/pfkey/net2net-route/evaltest.dat
@@ -4,6 +4,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/net2net-route/posttest.dat b/testing/tests/pfkey/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/net2net-route/posttest.dat
+++ b/testing/tests/pfkey/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/pfkey/net2net-route/pretest.dat
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 2
diff --git a/testing/tests/pfkey/net2net-route/test.conf b/testing/tests/pfkey/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/pfkey/net2net-route/test.conf
+++ b/testing/tests/pfkey/net2net-route/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/protoport-dual/evaltest.dat b/testing/tests/pfkey/protoport-dual/evaltest.dat
index d2fc698f9..50b53cc00 100644
--- a/testing/tests/pfkey/protoport-dual/evaltest.dat
+++ b/testing/tests/pfkey/protoport-dual/evaltest.dat
@@ -4,8 +4,8 @@ carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-dual/posttest.dat b/testing/tests/pfkey/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-dual/posttest.dat
+++ b/testing/tests/pfkey/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/pfkey/protoport-dual/pretest.dat
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/pfkey/protoport-dual/test.conf b/testing/tests/pfkey/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-dual/test.conf
+++ b/testing/tests/pfkey/protoport-dual/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/protoport-route/evaltest.dat b/testing/tests/pfkey/protoport-route/evaltest.dat
index 09dfd8f42..9e970f055 100644
--- a/testing/tests/pfkey/protoport-route/evaltest.dat
+++ b/testing/tests/pfkey/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
carol::ssh PH_IP_ALICE hostname::alice::YES
carol::cat /var/log/daemon.log::creating acquire job::YES
carol::ipsec status 2> /dev/null::home-icmp.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/pfkey/protoport-route/posttest.dat b/testing/tests/pfkey/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-route/posttest.dat
+++ b/testing/tests/pfkey/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/pfkey/protoport-route/pretest.dat
+++ b/testing/tests/pfkey/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/pfkey/protoport-route/test.conf b/testing/tests/pfkey/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-route/test.conf
+++ b/testing/tests/pfkey/protoport-route/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/rw-cert/evaltest.dat b/testing/tests/pfkey/rw-cert/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/pfkey/rw-cert/evaltest.dat
+++ b/testing/tests/pfkey/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/rw-cert/posttest.dat b/testing/tests/pfkey/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/pfkey/rw-cert/posttest.dat
+++ b/testing/tests/pfkey/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/pfkey/rw-cert/pretest.dat
+++ b/testing/tests/pfkey/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/pfkey/rw-cert/test.conf b/testing/tests/pfkey/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/pfkey/rw-cert/test.conf
+++ b/testing/tests/pfkey/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
index 87368fb31..6ba3a988f 100644
--- a/testing/tests/pfkey/shunt-policies/evaltest.dat
+++ b/testing/tests/pfkey/shunt-policies/evaltest.dat
@@ -4,16 +4,16 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
venus::ssh PH_IP_BOB hostname::bob::YES
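Review bot: The two `::NO` expectations (venus to PH_IP_BOB and bob to PH_IP_VENUS) are satisfied by any output that lacks the literal `icmp_req=1`. On a guest whose ping prints `icmp_seq=1` they pass even if the reply arrives, so the traffic this test expects to be blocked would go unverified. Matching only the part that does not depend on the field spelling keeps the negative checks meaningful, e.g. `venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB::NO` and `bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS::NO`.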
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow icmp in local net
- iptables -A INPUT -i eth1 -p icmp -j ACCEPT
- iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
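Review bot: Nothing in this rules file replaces the `echo 1 > /proc/sys/net/ipv4/ip_forward` that the deleted `init.d/iptables` `start()` ran before setting the policies, and `iptables-restore` only loads netfilter rules. If moon still has to route between eth0 and eth1 in this scenario (it looks like the gateway, but that is not shown here), forwarding must now come from the guest image or from a pretest line such as `moon::echo 1 > /proc/sys/net/ipv4/ip_forward`. A comment at the top of the file, e.g. `# IP forwarding is expected to be enabled by the guest image (sysctl)`, would record that dependency. The ssh rule is the only one not bound to an interface; a short comment saying this is deliberate for test-harness access would help anyone who copies the file.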
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/pfkey/shunt-policies/posttest.dat
+++ b/testing/tests/pfkey/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/pfkey/shunt-policies/pretest.dat
+++ b/testing/tests/pfkey/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
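Review bot: The two `iptables-restore < /etc/iptables.rules` lines install the DROP policies, but nothing visible confirms that the load succeeded; whether the harness stops on a non-zero pretest exit status is not shown. If the restore fails (missing file, parse error), the host keeps its previous ruleset and the positive ping and ESP checks can still pass without the intended firewall. An evaltest line such as `moon::iptables -L INPUT -n::policy DROP::YES` would pin that down. Only moon's `etc/iptables.rules` is added under this test directory in the visible diff, so sun presumably relies on a default file; the same question applies to `/etc/iptables.flush` in posttest.dat and to the other pretest.dat hunks in this series.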
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/pfkey/shunt-policies/test.conf
+++ b/testing/tests/pfkey/shunt-policies/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 3239dfe1f..5ff5edbf8 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,9 +1,9 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 4df33509f..391785a1c 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index 58706fa48..f70e2d2de 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -3,13 +3,13 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,9 +1,9 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index b5108051c..20b1937b7 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 3910ab9c2..cfa87ae3f 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -7,7 +7,7 @@ carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
@@ -18,7 +18,7 @@ dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
dave:: ipsec status 2> /dev/null::.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
moon:: cat /var/log/daemon.log::assigning virtual IP::YES
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
carol::ipsec stop
dave::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index a5d786b3f..819aca3d9 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db/test.conf
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/test.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db/test.conf
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="alice moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat
index dfdd36a51..72a555d4b 100644
--- a/testing/tests/sql/multi-level-ca/evaltest.dat
+++ b/testing/tests/sql/multi-level-ca/evaltest.dat
@@ -14,8 +14,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/multi-level-ca/test.conf
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat
index dbd06104f..f003f822f 100644
--- a/testing/tests/sql/net2net-cert/evaltest.dat
+++ b/testing/tests/sql/net2net-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-cert/test.conf
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat
index dbd06104f..f003f822f 100644
--- a/testing/tests/sql/net2net-psk/evaltest.dat
+++ b/testing/tests/sql/net2net-psk/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-psk/test.conf
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
index 719ba09ff..3fd32907c 100644
--- a/testing/tests/sql/net2net-route-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -10,7 +10,7 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 5a537e15b..8ca573ee5 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
sun::ipsec start
moon::ipsec start
moon::sleep 1
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-route-pem/test.conf
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat
index e6b8890f9..6534adc07 100644
--- a/testing/tests/sql/net2net-start-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-start-pem/evaltest.dat
@@ -6,7 +6,7 @@ moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
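Review bot: The expected ping output is now pinned to `icmp_req=1`, which matches only the ping build in the new guest image; the previous expectation was `icmp_seq=1`, so the label evidently differs between iputils versions. The third field appears to be a regular expression (the status lines above use `.*`), so `icmp_.eq=1` would accept both spellings and keep the connectivity check from failing for a reason unrelated to the tunnel. The same change recurs in the evaltest.dat hunks for rw-cert, rw-eap-aka-rsa, rw-psk-ipv4, rw-psk-rsa-split and rw-rsa-keyid.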
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index c09d50f08..1c71f0c14 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
sun::ipsec start
moon::ipsec start
moon::sleep 3
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-start-pem/test.conf
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat
index b545c2289..2342d024b 100644
--- a/testing/tests/sql/rw-cert/evaltest.dat
+++ b/testing/tests/sql/rw-cert/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-cert/posttest.dat
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-cert/test.conf
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index 65a7c8e09..e1d33feb7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -5,7 +5,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 23eeb0d17..584356d8e 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index b78fd480f..8f2387ba1 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
carol::sleep 1
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
index 1ad36fcaf..eaf47395e 100644
--- a/testing/tests/sql/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow last UDP fragment
- ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
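Review bot: The CRL-fetch rule `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` is stateless, so it admits any TCP segment from winnetou with source port 80 to any local port, not only replies to a fetch this host started; the ssh OUTPUT rule on `--sport 22` has the same shape. Both are carried over from the deleted init script, but since the file is new it could be tightened with a state match, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`, provided the guest kernel has conntrack. A one-line comment such as `# IPv4 only; IPsec rules for this test live in /etc/ip6tables.rules` would also explain why no IKE or ESP rules appear here (presumably because the tunnel runs over IPv6). The dave and moon copies of this file are identical.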
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow last UDP fragment
- ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- /sbin/ip6tables -P INPUT DROP
- /sbin/ip6tables -P OUTPUT DROP
- /sbin/ip6tables -P FORWARD DROP
-
- # allow esp
- ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow last UDP fragment
- ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
- # allow ICMPv6 neighbor-solicitations
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
- # allow ICMPv6 neighbor-advertisements
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
- ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # log dropped packets
- ip6tables -A INPUT -j LOG --log-prefix " IN: "
- ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
-
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/ip6tables -t filter -P INPUT ACCEPT
- /sbin/ip6tables -t filter -P FORWARD ACCEPT
- /sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/ip6tables -F -t $a
- /sbin/ip6tables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index bdfd9ed00..ab753507f 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -1,9 +1,12 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
alice::"ip route del fec0:\:/16 via fec1:\:1"
carol::"ip route del fec1:\:/16 via fec0:\:1"
dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 253438dbf..587dd7f85 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -7,9 +7,12 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
dave::"ip route add fec1:\:/16 via fec0:\:1"
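Review bot: The added `ip6tables-restore < /etc/ip6tables.rules` lines depend on a rules file that the visible part of this commit does not add under this test's hosts/ tree (only iptables.rules is added for carol, dave and moon), so the IPv6 ESP, IKE and neighbor-discovery rules from the deleted init script presumably now come from a shared default. The deleted script also wrote 1 to /proc/sys/net/ipv6/conf/all/forwarding and /proc/sys/net/ipv4/ip_forward on start, which a rules file cannot do; if the guest image does not enable forwarding on moon by itself, a line such as `moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` is needed in this file. Both are worth confirming, because a restore that fails on a missing file would presumably leave the flushed ACCEPT policy in place and the test would no longer exercise the DROP-by-default firewall. The rest of pretest.dat lies outside the hunk.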
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d-ip6.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 9a1ab3f8f..1648c9557 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
index 26f82653a..4f5cd724c 100644
--- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
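Review bot: The `icmp_req=1` expectation on the carol and dave ping lines matches only a ping build that prints that spelling, just as the old `icmp_seq=1` matched only the other. The third field already appears to be treated as a pattern in this file (`home.*INSTALLED`, `rw[{]1}`), so `icmp_.eq=1` would accept both outputs, e.g. `carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES`. This matters most for the `::NO` lines in shunt-policies/evaltest.dat, where a spelling mismatch would let the DROP check pass without testing anything. The same literal is introduced in the evaltest.dat hunks for rw-rsa, shunt-policies, tnccs-11-fhh and tnccs-11-radius-block.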
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.db
carol::rm /etc/ipsec.d/ipsec.db
dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat
index f8cfb111b..ba661975b 100644
--- a/testing/tests/sql/rw-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-rsa/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -1,9 +1,9 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.db
carol::rm /etc/ipsec.d/ipsec.db
dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
index 70aea411e..51dd9610b 100644
--- a/testing/tests/sql/shunt-policies/evaltest.dat
+++ b/testing/tests/sql/shunt-policies/evaltest.dat
@@ -4,16 +4,16 @@ moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # allow icmp in local net
- iptables -A INPUT -i eth1 -p icmp -j ACCEPT
- iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
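Review bot: Nothing in this rules file, or in the `iptables-restore < /etc/iptables.rules` call that loads it, turns on IP forwarding, which the deleted `/etc/init.d/iptables` did in `start()` with `echo 1 > /proc/sys/net/ipv4/ip_forward`. The evaltest for this scenario pings through moon, so forwarding presumably has to be enabled somewhere; whether the guest image does that is not visible in this diff. If it does, a header comment such as `# IP forwarding is enabled by the guest image, not by this file` would record the dependency; otherwise pretest.dat needs a line like `moon::echo 1 > /proc/sys/net/ipv4/ip_forward`. The same applies to tnccs-11-radius-block/hosts/moon/etc/iptables.rules.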
diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/shunt-policies/posttest.dat
+++ b/testing/tests/sql/shunt-policies/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/ipsec.d/ipsec.*
sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/shunt-policies/pretest.dat
+++ b/testing/tests/sql/shunt-policies/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/sql/shunt-policies/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/shunt-policies/test.conf
+++ b/testing/tests/sql/shunt-policies/test.conf
@@ -1,21 +1,21 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index b6663ea5e..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
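Review bot: The two `::NO` lines look unable to fail, because each expects a reply from a host other than the one being pinged: `carol::ping -c 1 PH_IP_VENUS` is checked for `from PH_IP_ALICE`, and `dave:: ping -c 1 PH_IP_ALICE` for `from PH_IP_VENUS`. Assuming the third field is matched against the command output and `NO` means "must not match", a ping that wrongly succeeds would still print the pinged address and the check would pass, so the allow/isolate separation is not actually verified. The expected address should be the target, e.g. `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO` and `dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO`. The dave line in tnccs-11-radius-block/evaltest.dat has the same mismatch.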
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index c7a30ee7c..997c70a8e 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index b875eed49..d93407434 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -9,6 +9,6 @@ dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/3
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
index 2d4961288..2d4961288 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE /usr/share/freeradius/dictionary
-$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE TNC-Status 3001 integer
-
-VALUE TNC-Status Access 0
-VALUE TNC-Status Isolate 1
-VALUE TNC-Status None 2
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
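Review bot: The RADIUS return rule `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT` matches only on source address and source port, so it accepts any UDP datagram from alice with that source port, whatever the local port and whether or not moon sent a request. The crl-fetch INPUT rule (`--sport 80 -s PH_IP_WINNETOU`) has the same shape, here and in shunt-policies/hosts/moon/etc/iptables.rules. If the guest kernel has connection tracking (not visible in this diff), the reply side could be limited to established flows, e.g. `-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -m conntrack --ctstate ESTABLISHED -j ACCEPT`. If the stateless form is deliberate for the test setup, a comment such as `# stateless on purpose: test guests run without conntrack` would stop it being copied into a real gateway configuration.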
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
index 51d8ca1b3..5e5a8514d 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
@@ -2,8 +2,8 @@ moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index 0fa88dbc7..c8f2139a8 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -1,9 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
dave::/etc/init.d/apache2 start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
moon::ipsec start
carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index d72239e8e..e22b767f7 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,10 +1,10 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
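Review bot: The two `::NO` checks can never fail, because each pings one host and looks for a reply from the other: `carol::ping -c 1 PH_IP_VENUS` is matched against `64 bytes from PH_IP_ALICE`, and `dave:: ping -c 1 PH_IP_ALICE` against `64 bytes from PH_IP_VENUS`. A reply from the pinged host would not match, so the test still passes if the allow/isolate separation is broken. The pattern should name the pinged address: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO` and `dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO`. Since other patterns in this file use `.*`, `icmp_.eq=1` would presumably also keep the checks independent of the ping version. The same lines occur in the evaltest.dat hunks for tnccs-11, tnccs-20-block (dave only), tnccs-20-client-retry and tnccs-20-fhh.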
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
index f91bccc72..c5bde6a9e 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -17,14 +17,14 @@ session {
post-auth {
if (control:TNC-Status == "Access") {
update reply {
- Tunnel-Type := ESP
+ Tunnel-Type := ESP
Filter-Id := "allow"
}
}
elsif (control:TNC-Status == "Isolate") {
update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
+ Tunnel-Type := ESP
+ Filter-Id := "isolate"
}
}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE /usr/share/freeradius/dictionary
-$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE TNC-Status 3001 integer
-
-VALUE TNC-Status Access 0
-VALUE TNC-Status Isolate 1
-VALUE TNC-Status None 2
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
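Review bot: The removed `start()` in `hosts/moon/etc/init.d/iptables` also ran `echo 1 > /proc/sys/net/ipv4/ip_forward`, and a rules file loaded with iptables-restore cannot do that. Nothing in the visible part of the change enables forwarding on moon, so the tunnel pings in evaltest.dat presumably rely on the guest image setting it. If it does not, pretest.dat needs a line such as `moon::echo 1 > /proc/sys/net/ipv4/ip_forward`. A comment at the top of this file saying that forwarding is expected to be on would document the dependency. The `iptables.rules` added for moon under `tnccs-11-radius-block` is in the same position.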
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
index 86bd89dea..a64a9147c 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat
@@ -2,7 +2,7 @@ moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index b5d284278..8f79c776a 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -1,8 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
index 2a52df203..f23a19329 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index b6663ea5e..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11/posttest.dat
+++ b/testing/tests/tnc/tnccs-11/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index dd729cb0b..7bfcf0d07 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-11/test.conf b/testing/tests/tnc/tnccs-11/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11/test.conf
+++ b/testing/tests/tnc/tnccs-11/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index 881f442b7..03b576efa 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -8,5 +8,5 @@ dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/3
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat
index 50bb7e117..2258e03ff 100644
--- a/testing/tests/tnc/tnccs-20-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-block/posttest.dat
@@ -1,7 +1,7 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index 7b0a42fcd..f5b3b2e8c 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
dave::/etc/init.d/apache2 start 2> /dev/null
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-block/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-block/test.conf
+++ b/testing/tests/tnc/tnccs-20-block/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-client-retry/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
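Review bot: The two `::NO` checks in this hunk can never fail: `carol::ping -c 1 PH_IP_VENUS` is matched against `64 bytes from PH_IP_ALICE`, and `dave:: ping -c 1 PH_IP_ALICE` against `64 bytes from PH_IP_VENUS`. The pattern names a host that was not pinged, so it is absent from the output whether or not the traffic is blocked, and the separation between the rw-allow and rw-isolate subnets goes unverified. Each pattern should name the pinged host, `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO` and `dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO`, which is how the tnccs-20-pdp and tnccs-20-os versions of this file in the same commit read. The same two lines are left unchanged in tnccs-20-server-retry/evaltest.dat and tnccs-20-tls/evaltest.dat.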
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 76ad91f98..72c9b1665 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
new file mode 100644
index 000000000..b5d12fc8c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -0,0 +1,23 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
+<em>Operational Status</em>, <em>Forwarding Enabled</em>, and
+<em>Factory Default Password Enabled</em> up-front, whereas <b>dave</b> must be prompted
+by the IMV to do so via an <em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is
+then prompted to send a list of installed packages using the <em>Installed Packages</em>
+PA-TNC attribute whereas <b>dave</b>'s "Windows 1.2.3" operating system is not supported
+and thus <b>dave</b> receives a <em>Remediation Instructions</em> PA-TNC attribute.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these assessments
+which are communicated to the IMCs using the <em>Assessment Result</em> PA-TNC attribute,
+the clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate"
+subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
new file mode 100644
index 000000000..3c13e5ffa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+
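Review bot: None of the checks in this new file looks at the OS IMC/IMV exchange that description.txt says the test is about. Every pattern (access recommendation, EAP_TTLS success, CHILD_SA, group membership, ping) is of the same kind as in the other tnccs-20 evaltest.dat files in this diff. A regression in the Attribute Request, Installed Packages or Remediation Instructions handling would still pass as long as the final recommendation stays 'Access Allowed' for carol and 'Quarantined' for dave. Consider adding patterns for the log lines specific to those attributes on carol, dave and moon; their exact text is not visible in this diff and should be taken from a real run.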
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
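Review bot: `rightauth=any` in `conn home` puts no constraint on how the gateway authenticates, while description.txt says moon is authenticated by its server certificate inside EAP-TTLS and `rightsendcert=never` means no certificate is requested at the IKE level. If this is the intended way to express EAP-only authentication, a comment above the line would say so, e.g. `# gateway is authenticated inside EAP-TTLS (EAP-only), hence any`. If the version under test accepts it on the initiator, `rightauth=eap-ttls` (the value moon uses for `leftauth`) would pin the expected method instead. The same setting is in hosts/dave/etc/ipsec.conf.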
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
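Review bot: The EAP password is committed in clear text with nothing marking it as a fixture value; the same string is repeated in hosts/moon/etc/ipsec.secrets, and dave's password is handled the same way in his and moon's files. A header comment such as `# test-only credential for the test suite, never reuse` in each of the three files would keep it from being copied into a real deployment. description.txt says the clients use EAP-MD5, so the password is only as well protected as the EAP-TTLS tunnel around it, which is one more reason to label it.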
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..34941e52c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = yes
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..77446cbae
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..149f51d65
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = de
+ }
+ }
+}
+
+libimcv {
+ os_info {
+ name = Windows
+ version = 1.2.3
+ }
+ plugins {
+ imc-os {
+ push_info = no
+ }
+ }
+}
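Review bot: The `os_info` block overrides the reported operating system with `name = Windows` and `version = 1.2.3`, which according to description.txt is what makes dave fail the assessment, but nothing in the file says the value is deliberately fake. A comment above the block, e.g. `# fake OS so that the OS IMV treats dave as unsupported`, would document it, and one on `push_info = no` could say that the IMV has to request the attributes from this client. The `load` line also lists `tnc-imc tnc-tnccs` where carol's file has `tnc-tnccs tnc-imc`; if the order does not matter, using the same order in both keeps the two client configs easy to compare.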
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b11617cb2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,24 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-os {
+ request_installed_packages = yes
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..b75a9cb1e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
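Review bot: The header comment `#IMV configuration file for strongSwan client` looks copied from the client files. This is moon's tnc_config, it loads an IMV rather than an IMC, and description.txt calls moon the gateway. Suggest `#IMV configuration file for strongSwan server`.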
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
new file mode 100644
index 000000000..74b902c69
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
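Review bot: `carol::echo 1 > /proc/sys/net/ipv4/ip_forward` writes a fixed value instead of restoring what carol had before pretest.dat wrote 0, so the cleanup assumes every guest image starts with forwarding enabled. If the baseline is ever 0, this line leaves a road-warrior client forwarding packets for all following tests. description.txt should also say why forwarding is switched off for the run (presumably so that the OS IMC reports Forwarding Enabled as disabled for carol), since neither .dat file explains it.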
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
new file mode 100644
index 000000000..8169afab2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
index 83739b70a..e969774c5 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -1,10 +1,10 @@
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
@@ -12,7 +12,7 @@ moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
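Review bot: The deleted init.d/iptables script ran `echo 1 > /proc/sys/net/ipv4/ip_forward` in start(), and a rule file loaded by `iptables-restore` cannot do that, so moon now forwards only if the guest image already has forwarding enabled. If the images do not guarantee it, add `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` to this test's pretest.dat. Separately, the `# allow MobIKE` comment sits on the UDP 4500 rules, which also carry NAT-traversal traffic, so `# allow MobIKE / NAT-T` would be more accurate. The ssh rules accept port 22 on every interface from any source, presumably for the test harness, and a comment saying so would keep the rule from being read as a recommended gateway policy.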
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
index 16218f385..e7eecd5f4 100644
--- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
@@ -2,6 +2,6 @@ moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
index 9b9d6b699..32ed4d854 100644
--- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
index 400628531..c4ca1a19f 100644
--- a/testing/tests/tnc/tnccs-20-pdp/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave alice"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index c332f131b..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-tls/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
index 3d84f81e3..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
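Review bot: The two `::NO` checks in this hunk cannot fail, because `carol::ping -c 1 PH_IP_VENUS` is matched against a reply `from PH_IP_ALICE` and dave's ping to PH_IP_ALICE against a reply `from PH_IP_VENUS`, so the pattern is absent whether or not the allow/isolate policy actually blocks the traffic. To assert that the denied host is unreachable, the expected source address should be the pinged one, e.g. `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO`, with the matching change on dave's line. Other patterns in this file use `.*`, so they appear to be regexes; if so, `icmp_.eq=1` would accept both the `icmp_seq` and `icmp_req` spellings instead of pinning one ping output format. The same four lines appear in the tnccs-dynamic/evaltest.dat hunk.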
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
index a483d6df8..e2bf349d9 100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tnc 3, imc 2"
+ charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
index 11378131a..77446cbae 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tnc 3, imc 2"
+ charondebug="tnc 3, imc 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
index b1093d46d..e21ef0d14 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,7 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- charondebug="tnc 3, imv 2"
+ charondebug="tnc 3, imv 3"
conn %default
ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20/posttest.dat
+++ b/testing/tests/tnc/tnccs-20/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20/test.conf
+++ b/testing/tests/tnc/tnccs-20/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 69baaf592..405298381 100644
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -1,9 +1,9 @@
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
@@ -20,8 +20,8 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP
moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-dynamic/posttest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat
@@ -1,6 +1,6 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
index a7a3bf412..60775a11e 100644
--- a/testing/tests/tnc/tnccs-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-dynamic/test.conf
+++ b/testing/tests/tnc/tnccs-dynamic/test.conf
@@ -1,26 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
-# All UML instances that are required for this test
+# All guest instances that are required for this test
#
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
diff --git a/ylwrap b/ylwrap
index 84d563405..92536350c 100755
--- a/ylwrap
+++ b/ylwrap
@@ -1,10 +1,10 @@
#! /bin/sh
# ylwrap - wrapper for lex/yacc invocations.
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-08-25.18; # UTC
# Copyright (C) 1996, 1997, 1998, 1999, 2001, 2002, 2003, 2004, 2005,
-# 2007, 2009 Free Software Foundation, Inc.
+# 2007, 2009, 2010, 2011 Free Software Foundation, Inc.
#
# Written by Tom Tromey <tromey@cygnus.com>.
#
@@ -99,7 +99,11 @@ esac
# FIXME: add hostname here for parallel makes that run commands on
# other machines. But that might take us over the 14-char limit.
dirname=ylwrap$$
-trap "cd '`pwd`'; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
+do_exit="cd '`pwd`' && rm -rf $dirname > /dev/null 2>&1;"' (exit $ret); exit $ret'
+trap "ret=129; $do_exit" 1
+trap "ret=130; $do_exit" 2
+trap "ret=141; $do_exit" 13
+trap "ret=143; $do_exit" 15
mkdir $dirname || exit 1
cd $dirname
@@ -133,19 +137,19 @@ if test $ret -eq 0; then
# Handle y_tab.c and y_tab.h output by DOS
if test $y_tab_nodot = "yes"; then
if test $from = "y.tab.c"; then
- from="y_tab.c"
+ from="y_tab.c"
else
- if test $from = "y.tab.h"; then
- from="y_tab.h"
- fi
+ if test $from = "y.tab.h"; then
+ from="y_tab.h"
+ fi
fi
fi
if test -f "$from"; then
# If $2 is an absolute path name, then just use that,
# otherwise prepend `../'.
case "$2" in
- [\\/]* | ?:[\\/]*) target="$2";;
- *) target="../$2";;
+ [\\/]* | ?:[\\/]*) target="$2";;
+ *) target="../$2";;
esac
# We do not want to overwrite a header file if it hasn't
@@ -155,8 +159,8 @@ if test $ret -eq 0; then
# Makefile. Divert the output of all other files to a temporary
# file so we can compare them to existing versions.
if test $first = no; then
- realtarget="$target"
- target="tmp-`echo $target | sed s/.*[\\/]//g`"
+ realtarget="$target"
+ target="tmp-`echo $target | sed s/.*[\\/]//g`"
fi
# Edit out `#line' or `#' directives.
#
@@ -180,10 +184,10 @@ if test $ret -eq 0; then
# Check whether header files must be updated.
if test $first = no; then
- if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
- echo "$2" is unchanged
- rm -f "$target"
- else
+ if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
+ echo "$2" is unchanged
+ rm -f "$target"
+ else
echo updating "$2"
mv -f "$target" "$realtarget"
fi